From c21b66166a66a4f481712fd5b29a7cbc5dfc0b61 Mon Sep 17 00:00:00 2001
From: codegold79 <17328443+codegold79@users.noreply.github.com>
Date: Thu, 17 Jun 2021 10:50:59 -0700
Subject: [PATCH] API groups e2e tests remove controllers (#3564)

* Remove controllers and sleeps in API groups e2e tests

Signed-off-by: F. Gold

* Print command in AfterEach(...) and check error

Signed-off-by: F. Gold

* Make change ahead of PR3764 changes in main

Signed-off-by: F. Gold

* Update go.{mod,sum} files

Signed-off-by: F. Gold

* Run make update

Signed-off-by: F. Gold
---
 go.mod | 2 +-
 go.sum | 11 +-
 test/e2e/README.md | 4 +-
 test/e2e/enable_api_group_versions_test.go | 376 +-
 .../enable_api_group_versions/README.md | 8 +-
 .../case-a-source.yaml | 441 +-
 .../case-a-target.yaml | 449 +-
 ...ase-b-source-manually-added-mutations.yaml | 342 -
 ...ase-b-target-manually-added-mutations.yaml | 324 -
 ...ase-c-target-manually-added-mutations.yaml | 323 -
 ...ase-d-target-manually-added-mutations.yaml | 343 -
 .../cert-manager.yaml | 29227 ----------------
 .../music_v1_rockband.yaml | 4 +-
 .../music_v1alpha1_rockband.yaml | 4 +-
 .../music_v2_rockband.yaml | 7 +-
 .../music_v2beta1_rockband.yaml | 6 +-
 .../music_v2beta2_rockband.yaml | 6 +-
 17 files changed, 286 insertions(+), 31591 deletions(-)
 delete mode 100644 test/e2e/testdata/enable_api_group_versions/cert-manager.yaml

diff --git a/go.mod b/go.mod
index fd02ae00b..242028484 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/hashicorp/go-plugin v0.0.0-20190610192547-a1bc61569a26
 	github.com/joho/godotenv v1.3.0
 	github.com/kubernetes-csi/external-snapshotter/client/v4 v4.0.0
-	github.com/onsi/ginkgo v1.16.2
+	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.10.2
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.7.1
diff --git a/go.sum b/go.sum
index 73239795f..1600dbcf2 100644
--- a/go.sum
+++ b/go.sum
@@ -214,7 +214,6 @@ github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+
 github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
 github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gobuffalo/flect v0.2.2 h1:PAVD7sp0KOdfswjAw9BpLCU9hXo7wFSzgpQ+zNeks/A=
 github.com/gobuffalo/flect v0.2.2/go.mod h1:vmkQwuZYhN5Pc4ljYQZzP+1sq+NEkK+lh20jmEmX3jc=
@@ -419,7 +418,6 @@ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRW
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/naoina/go-stringutil v0.1.0/go.mod h1:XJ2SJL9jCtBh+P9q5btrd/Ylo8XwT/h1USek5+NqSA0=
 github.com/naoina/toml v0.1.1/go.mod h1:NBIhNtsFMo3G2szEBne+bO4gS192HuIYRqfvOWb4i1E=
-github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
@@ -433,8 +431,8 @@ github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
-github.com/onsi/ginkgo v1.16.2 h1:HFB2fbVIlhIfCfOW81bZFbiC/RvnpXSdhbF2/DJr134=
-github.com/onsi/ginkgo v1.16.2/go.mod h1:CObGmKUOKaSC0RjmoAK7tKyn4Azo5P2IWuoMnvwxz1E=
+github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
+github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
@@ -630,7 +628,6 @@ golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
@@ -687,7 +684,6 @@ golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091 h1:DMyOG0U+gKfu8JZzg2UQe9MeaC1X+xQWlAKcRnjxjCw=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -734,13 +730,11 @@ golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200616133436-c1934b75d054 h1:HHeAlu5H9b71C+Fx0K+1dGgVFN1DM1/wz4aoGOA5qS8=
 golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e h1:4nW4NLDYnU28ojHaHO8OVxFHk/aQ33U01a9cjED+pzE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -821,7 +815,6 @@ gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/test/e2e/README.md b/test/e2e/README.md
index 4f147b97b..223a7d0c3 100644
--- a/test/e2e/README.md
+++ b/test/e2e/README.md
@@ -88,9 +88,9 @@ For example, E2E tests can be run from Velero repository roots using the command
 BSL_CONFIG="resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,storageAccount=$AZURE_STORAGE_ACCOUNT_ID,subscriptionId=$AZURE_BACKUP_SUBSCRIPTION_ID" BSL_BUCKET= CREDS_FILE=/path/to/azure-creds CLOUD_PROVIDER=azure make test-e2e
 ```
 Please refer to `velero-plugin-for-microsoft-azure` documentation for instruction to [set up permissions for Velero](https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure#set-permissions-for-velero) and to [set up azure storage account and blob container](https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure#setup-azure-storage-account-and-blob-container)
-1. Run Ginko-focused Restore Multi-API Groups tests using an image built for PR #3133 and Minio as the backup storage location:
+1. Run Ginko-focused Restore Multi-API Groups tests using Minio as the backup storage location:
 ```bash
-BSL_CONFIG="region=minio,s3ForcePathStyle=\"true\",s3Url=http://192.168.1.124:9000" BSL_PREFIX=veldat BSL_BUCKET=velero CREDS_FILE=~/go/src/github.com/vmware-tanzu/velero/frankie-secrets/credentials-minio PLUGIN_PROVIDER=aws VELERO_IMAGE=projects.registry.vmware.com/tanzu_migrator/velero-pr3133:0.0.5 GINKGO_FOCUS="API group versions" make test-e2e
+BSL_CONFIG="region=minio,s3ForcePathStyle=\"true\",s3Url=:9000" BSL_PREFIX= BSL_BUCKET= CREDS_FILE= CLOUD_PROVIDER=kind OBJECT_STORE_PROVIDER=aws VELERO_NAMESPACE="velero" GINKGO_FOCUS="API group versions" make test-e2e
 ```
 1. Run Velero tests in a kind cluster with AWS (or Minio) as the storage provider and use Microsoft Azure as the storage provider for an additional Backup Storage Location:
 ```bash
diff --git a/test/e2e/enable_api_group_versions_test.go b/test/e2e/enable_api_group_versions_test.go
index c06659eb7..b0913a54e 100644
--- a/test/e2e/enable_api_group_versions_test.go
+++ b/test/e2e/enable_api_group_versions_test.go
@@ -21,19 +21,16 @@ import (
 	"encoding/json"
 	"fmt"
 	"os/exec"
-	"regexp"
 	"strconv"
 	"strings"
 	"time"
 
 	"github.com/google/uuid"
-	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	"github.com/pkg/errors"
 	corev1api "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/wait"
 
 	"github.com/vmware-tanzu/velero/pkg/builder"
 	veleroexec "github.com/vmware-tanzu/velero/pkg/util/exec"
@@ -42,7 +39,6 @@ import (
 var _ = Describe("[APIGroup] Velero tests with various CRD API group versions", func() {
 	var (
 		resource, group string
-		certMgrCRD map[string]string
 		err error
 		ctx = context.Background()
 	)
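Review bot: The import hunk drops the dot-import `. "github.com/onsi/ginkgo"`, yet `Describe` in the very next hunk (and `BeforeEach`/`AfterEach`/`Context` further down) are ginkgo identifiers, so unless that import survives somewhere else in the block this file no longer compiles; the hunk's counts (19 old, 16 new) match exactly the three removals shown, which is why it looks like a real removal rather than a rendering artifact. If the intent was only to drop the now-unused `regexp` and `wait`, the line `. "github.com/onsi/ginkgo"` should stay. The `import (` that opens this block starts before the hunk.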
@@ -53,26 +49,44 @@ var _ = Describe("[APIGroup] Velero tests with various CRD API group versions",
 	BeforeEach(func() {
 		resource = "rockbands"
 		group = "music.example.io"
-		certMgrCRD = map[string]string{
-			"url": "testdata/enable_api_group_versions/cert-manager.yaml",
-			"namespace": "cert-manager",
-		}
-
-		err = installCRD(ctx, certMgrCRD["url"], certMgrCRD["namespace"])
-		Expect(err).NotTo(HaveOccurred())
 
 		uuidgen, err = uuid.NewRandom()
 		Expect(err).NotTo(HaveOccurred())
+
+		// TODO: install Velero once for the test suite once feature flag is
+		// removed and velero installation becomes the same as other e2e tests.
+		if installVelero {
+			err = veleroInstall(
+				context.Background(),
+				veleroImage,
+				veleroNamespace,
+				cloudProvider,
+				objectStoreProvider,
+				false,
+				cloudCredentialsFile,
+				bslBucket,
+				bslPrefix,
+				bslConfig,
+				vslConfig,
+				"EnableAPIGroupVersions", // TODO: remove when feature flag is removed
+			)
+			Expect(err).NotTo(HaveOccurred())
+		}
 	})
 
 	AfterEach(func() {
-		cmd := exec.CommandContext(ctx, "kubectl", "delete", "namespace", "music-system")
-		_, _, _ = veleroexec.RunCommand(cmd)
+		fmt.Printf("Clean up resource: kubectl delete crd %s.%s\n", resource, group)
+		cmd := exec.CommandContext(ctx, "kubectl", "delete", "crd", resource+"."+group)
+		_, stderr, err := veleroexec.RunCommand(cmd)
+		if strings.Contains(stderr, "NotFound") {
+			fmt.Printf("Ignore error: %v\n", stderr)
+			err = nil
+		}
+		Expect(err).NotTo(HaveOccurred())
 
-		cmd = exec.CommandContext(ctx, "kubectl", "delete", "crd", "rockbands.music.example.io")
-		_, _, _ = veleroexec.RunCommand(cmd)
+		err = veleroUninstall(ctx, client.kubebuilder, installVelero, veleroNamespace)
+		Expect(err).NotTo(HaveOccurred())
 
-		_ = deleteCRD(ctx, certMgrCRD["url"], certMgrCRD["namespace"])
 	})
 
 	Context("When EnableAPIGroupVersions flag is set", func() {
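Review bot: In the new `AfterEach`, a `kubectl delete crd` failure that is not a NotFound trips `Expect(err).NotTo(HaveOccurred())` before `veleroUninstall` runs, so a single cleanup failure leaves Velero installed and the next `BeforeEach`'s `veleroInstall` (now done per test) inherits that leftover; collect both errors, run the uninstall unconditionally, and assert afterwards. `veleroInstall` is also handed `context.Background()` although `ctx` is in scope and is what `AfterEach` uses for the same resources. Note that `_, stderr, err :=` declares a new `err` shadowing the one in the surrounding `var` block, which is harmless here but easy to misread. The enclosing `Describe` body starts before this hunk and continues after it.

```go
		// … unchanged: kubectl delete crd, NotFound treated as success …
		crdErr := err
		// Uninstall before asserting so a failed CRD delete cannot skip it and
		// leave Velero installed for the next BeforeEach.
		uninstallErr := veleroUninstall(ctx, client.kubebuilder, installVelero, veleroNamespace)
		Expect(crdErr).NotTo(HaveOccurred())
		Expect(uninstallErr).NotTo(HaveOccurred())
```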
@@ -91,102 +105,75 @@ func runEnableAPIGroupVersionsTests(ctx context.Context, client testClient, reso tests := []struct { name string namespaces []string - srcCRD map[string]string + srcCrdYaml string srcCRs map[string]string - tgtCRD map[string]string + tgtCrdYaml string tgtVer string cm *corev1api.ConfigMap gvs map[string][]string want map[string]map[string]string }{ { - name: "Target and source cluster preferred versions match; Preferred version v1 is restored (Priority 1, Case A).", - srcCRD: map[string]string{ - "url": "testdata/enable_api_group_versions/case-a-source.yaml", - "namespace": "music-system", - }, + name: "Target and source cluster preferred versions match; Preferred version v1 is restored (Priority 1, Case A).", + srcCrdYaml: "testdata/enable_api_group_versions/case-a-source.yaml", srcCRs: map[string]string{ "v1": "testdata/enable_api_group_versions/music_v1_rockband.yaml", "v1alpha1": "testdata/enable_api_group_versions/music_v1alpha1_rockband.yaml", }, - tgtCRD: map[string]string{ - "url": "testdata/enable_api_group_versions/case-a-target.yaml", - "namespace": "music-system", - }, - tgtVer: "v1", - cm: nil, + tgtCrdYaml: "testdata/enable_api_group_versions/case-a-target.yaml", + tgtVer: "v1", + cm: nil, want: map[string]map[string]string{ - "annotations": { "rockbands.music.example.io/originalVersion": "v1", }, "specs": { - "leadSinger": "John Lennon", + "genre": "60s rock", }, }, }, { - name: "Latest common non-preferred supported version v2beta2 is restored (Priority 3, Case D).", - srcCRD: map[string]string{ - "url": "testdata/enable_api_group_versions/case-b-source-manually-added-mutations.yaml", - "namespace": "music-system", - }, + name: "Latest common non-preferred supported version v2beta2 is restored (Priority 3, Case D).", + srcCrdYaml: "testdata/enable_api_group_versions/case-b-source-manually-added-mutations.yaml", srcCRs: map[string]string{ "v2beta2": "testdata/enable_api_group_versions/music_v2beta2_rockband.yaml", "v2beta1": 
"testdata/enable_api_group_versions/music_v2beta1_rockband.yaml", "v1": "testdata/enable_api_group_versions/music_v1_rockband.yaml", }, - tgtCRD: map[string]string{ - "url": "testdata/enable_api_group_versions/case-d-target-manually-added-mutations.yaml", - "namespace": "music-system", - }, - tgtVer: "v2beta2", - cm: nil, + tgtCrdYaml: "testdata/enable_api_group_versions/case-d-target-manually-added-mutations.yaml", + tgtVer: "v2beta2", + cm: nil, want: map[string]map[string]string{ "annotations": { "rockbands.music.example.io/originalVersion": "v2beta2", }, "specs": { - "leadSinger": "John Lennon", - "leadGuitar": "George Harrison", - "drummer": "Ringo Starr", + "genre": "60s rock", }, }, }, { - name: "No common supported versions means no rockbands custom resource is restored.", - srcCRD: map[string]string{ - "url": "testdata/enable_api_group_versions/case-a-source.yaml", - "namespace": "music-system", - }, + name: "No common supported versions means no rockbands custom resource is restored.", + srcCrdYaml: "testdata/enable_api_group_versions/case-a-source.yaml", srcCRs: map[string]string{ "v1": "testdata/enable_api_group_versions/music_v1_rockband.yaml", "v1alpha1": "testdata/enable_api_group_versions/music_v1alpha1_rockband.yaml", }, - tgtCRD: map[string]string{ - "url": "testdata/enable_api_group_versions/case-b-target-manually-added-mutations.yaml", - "namespace": "music-system", - }, - tgtVer: "", - cm: nil, - want: nil, + tgtCrdYaml: "testdata/enable_api_group_versions/case-b-target-manually-added-mutations.yaml", + tgtVer: "", + cm: nil, + want: nil, }, { - name: "User config map overrides Priority 3, Case D and restores v2beta1", - srcCRD: map[string]string{ - "url": "testdata/enable_api_group_versions/case-b-source-manually-added-mutations.yaml", - "namespace": "music-system", - }, + name: "User config map overrides Priority 3, Case D and restores v2beta1", + srcCrdYaml: "testdata/enable_api_group_versions/case-b-source-manually-added-mutations.yaml", 
srcCRs: map[string]string{ "v2beta2": "testdata/enable_api_group_versions/music_v2beta2_rockband.yaml", "v2beta1": "testdata/enable_api_group_versions/music_v2beta1_rockband.yaml", "v1": "testdata/enable_api_group_versions/music_v1_rockband.yaml", }, - tgtCRD: map[string]string{ - "url": "testdata/enable_api_group_versions/case-d-target-manually-added-mutations.yaml", - "namespace": "music-system", - }, - tgtVer: "v2beta1", + tgtCrdYaml: "testdata/enable_api_group_versions/case-d-target-manually-added-mutations.yaml", + tgtVer: "v2beta1", cm: builder.ForConfigMap(veleroNamespace, "enableapigroupversions").Data( "restoreResourcesVersionPriority", `rockbands.music.example.io=v2beta1,v2beta2,v2`, 
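Review bot: Every `want["specs"]` map in the table now checks only `genre`, a field present in every served version of the CRD schema, so the assertions no longer show that a version-specific field such as `leadSinger` (v1) or `leadGuitar` survived the restore the way the removed expectations did; if the rockband fixtures this commit edits still carry such fields, keeping one version-specific key per case would preserve that coverage. On naming, `srcCrdYaml`/`tgtCrdYaml` break the Go initialism convention used elsewhere in the file (`srcCRD`, `tgtCRD`); `srcCRDFile`/`tgtCRDFile` would be consistent and read better than `srcCRDYAML`. The table belongs to `runEnableAPIGroupVersionsTests`, which starts before this hunk, and its last case continues into the next hunk.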
@@ -196,44 +183,41 @@ func runEnableAPIGroupVersionsTests(ctx context.Context, client testClient, reso "rockbands.music.example.io/originalVersion": "v2beta1", }, "specs": { - "leadSinger": "John Lennon", - "leadGuitar": "George Harrison", - "genre": "60s rock", + "genre": "60s rock", }, }, }, } for i, tc := range tests { - fmt.Printf("\n====== Test Case %d ======\n", i) + fmt.Printf("\n====== Test Case %d: %s ======\n", i, tc.name) - err := installCRD(ctx, tc.srcCRD["url"], tc.srcCRD["namespace"]) + err := installCRD(ctx, tc.srcCrdYaml) if err != nil { - return errors.Wrap(err, "installing music-system CRD for source cluster") + return errors.Wrap(err, "install music-system CRD on source cluster") } for version, cr := range tc.srcCRs { ns := resource + "-src-" + version if err := createNamespace(ctx, client, ns); err != nil { - return errors.Wrapf(err, "creating %s namespace", ns) + return errors.Wrapf(err, "create %s namespace", ns) } if err := installCR(ctx, cr, ns); err != nil { - return errors.Wrapf(err, "installing %s custom resource on source cluster namespace %s", cr, ns) + deleteNamespacesOnErr(ctx, tc.namespaces) + return errors.Wrapf(err, "install %s custom resource on source cluster in namespace %s", cr, ns) } tc.namespaces = append(tc.namespaces, ns) } - // TODO - Velero needs to be installed AFTER CRDs are installed because of https://github.com/vmware-tanzu/velero/issues/3471 - // Once that issue is fixed, we should install Velero once for the test suite - if installVelero { - veleroInstall(context.Background(), veleroImage, veleroNamespace, cloudProvider, objectStoreProvider, false, - cloudCredentialsFile, bslBucket, bslPrefix, bslConfig, vslConfig, - "EnableAPIGroupVersions" /* TODO - remove this when the feature flag is removed */) - fmt.Println("Sleep 20s to wait for Velero to stabilize after install.") - time.Sleep(time.Second * 20) + // Restart Velero pods in order to recognize music-system CRD right away + // instead of waiting for discovery 
helper to refresh. See + // https://github.com/vmware-tanzu/velero/issues/3471. + if err := restartPods(ctx, veleroNamespace); err != nil { + deleteNamespacesOnErr(ctx, tc.namespaces) + return errors.Wrapf(err, "restart Velero pods") } backup := "backup-rockbands-" + uuidgen.String() + "-" + strconv.Itoa(i) 
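Review bot: When `installCR` fails, the namespace just created for that version is not yet in `tc.namespaces` (the `append` only happens after a successful install), so the new `deleteNamespacesOnErr(ctx, tc.namespaces)` call leaks exactly that namespace, and a `createNamespace` failure on the second iteration cleans up nothing because its error path has no cleanup call at all. Move `tc.namespaces = append(tc.namespaces, ns)` to directly after the `createNamespace` error check, and add `deleteNamespacesOnErr(ctx, tc.namespaces)` inside that check's error branch as well. The loop sits inside `runEnableAPIGroupVersionsTests`, which starts before this hunk.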
@@ -242,55 +226,55 @@ func runEnableAPIGroupVersionsTests(ctx context.Context, client testClient, reso err = veleroBackupNamespace(ctx, veleroCLI, veleroNamespace, backup, namespacesStr, "", false) if err != nil { veleroBackupLogs(ctx, veleroCLI, veleroNamespace, backup) - return errors.Wrapf(err, "backing up %s namespaces on source cluster", namespacesStr) + deleteNamespacesOnErr(ctx, tc.namespaces) + return errors.Wrapf(err, "back up %s namespaces on source cluster", namespacesStr) } - // Delete music-system CRD and controllers installed on source cluster. - if err := deleteCRD(ctx, tc.srcCRD["url"], tc.srcCRD["namespace"]); err != nil { - return errors.Wrapf(err, "deleting music-system CRD from source cluster") + if err := deleteCRD(ctx, tc.srcCrdYaml); err != nil { + deleteNamespacesOnErr(ctx, tc.namespaces) + return errors.Wrapf(err, "delete music-system CRD from source cluster") } for _, ns := range tc.namespaces { - if err := client.clientGo.CoreV1().Namespaces().Delete(ctx, ns, metav1.DeleteOptions{}); err != nil { - return errors.Wrapf(err, "deleting %s namespace from source cluster", ns) - } - - if err := waitNamespaceDelete(ctx, ns); err != nil { - return errors.Wrapf(err, "deleting %s namespace from source cluster", ns) + if err := deleteNamespace(ctx, ns); err != nil { + deleteNamespacesOnErr(ctx, tc.namespaces) + return errors.Wrapf(err, "delete %s namespace from source cluster", ns) } } - // Install music-system CRD for target cluster. - if err := installCRD(ctx, tc.tgtCRD["url"], tc.tgtCRD["namespace"]); err != nil { - return errors.Wrapf(err, "installing music-system CRD for target cluster") + if err := installCRD(ctx, tc.tgtCrdYaml); err != nil { + deleteNamespacesOnErr(ctx, tc.namespaces) + return errors.Wrapf(err, "install music-system CRD on target cluster") } // Apply config map if there is one. 
if tc.cm != nil { _, err := client.clientGo.CoreV1().ConfigMaps(veleroNamespace).Create(ctx, tc.cm, metav1.CreateOptions{}) if err != nil { - return errors.Wrap(err, "creating config map with user version priorities") + deleteNamespacesOnErr(ctx, tc.namespaces) + return errors.Wrap(err, "create config map with user version priorities") } } // Reset Velero to recognize music-system CRD. if err := restartPods(ctx, veleroNamespace); err != nil { - return errors.Wrapf(err, "restarting Velero pods") + deleteNamespacesOnErr(ctx, tc.namespaces) + return errors.Wrapf(err, "restart Velero pods") } - fmt.Println("Sleep 20s to wait for Velero to stabilize after restart.") - time.Sleep(time.Second * 20) - // Restore rockbands namespace. + // Restore rockbands namespaces. restore := "restore-rockbands-" + uuidgen.String() + "-" + strconv.Itoa(i) if tc.want != nil { if err := veleroRestore(ctx, veleroCLI, veleroNamespace, restore, backup); err != nil { veleroRestoreLogs(ctx, veleroCLI, veleroNamespace, restore) - return errors.Wrapf(err, "restoring %s namespaces on target cluster", namespacesStr) + deleteNamespacesOnErr(ctx, tc.namespaces) + return errors.Wrapf(err, "restore %s namespaces on target cluster", namespacesStr) } annoSpec, err := resourceInfo(ctx, group, tc.tgtVer, resource) if err != nil { + deleteNamespacesOnErr(ctx, tc.namespaces) return errors.Wrapf( err, "get annotation and spec from %s.%s/%s object", @@ -307,6 +291,7 @@ func runEnableAPIGroupVersionsTests(ctx context.Context, client testClient, reso annoSpec["annotations"], tc.want["annotations"], ) + deleteNamespacesOnErr(ctx, tc.namespaces) return errors.New(msg) } 
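Review bot: The ConfigMap created here from `tc.cm` is never removed by the per-case clean-up, whereas the previous per-case `veleroUninstall` disposed of it; today only the last table entry sets `cm`, so nothing collides, but any earlier case with a config map would make this `Create` fail with AlreadyExists and the leftover priorities would also leak into the following cases. Add to the clean-up section `if tc.cm != nil { _ = client.clientGo.CoreV1().ConfigMaps(veleroNamespace).Delete(ctx, tc.cm.Name, metav1.DeleteOptions{}) }`, or delete it immediately after the restore completes. Repeating `deleteNamespacesOnErr(ctx, tc.namespaces)` in front of every `return` is also the kind of pattern that gets missed on the next edit; wrapping a case in a closure with a named `err` result and a single `defer` that calls it when `err != nil` would be harder to get wrong. This hunk is inside `runEnableAPIGroupVersionsTests`, which starts and ends outside it.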
@@ -317,174 +302,99 @@ func runEnableAPIGroupVersionsTests(ctx context.Context, client testClient, reso annoSpec["specs"], tc.want["specs"], ) + deleteNamespacesOnErr(ctx, tc.namespaces) return errors.New(msg) } + } else { // No custom resource should have been restored. Expect "no resource found" // error during restore. err := veleroRestore(ctx, veleroCLI, veleroNamespace, restore, backup) if err.Error() != "Unexpected restore phase got PartiallyFailed, expecting Completed" { + deleteNamespacesOnErr(ctx, tc.namespaces) return errors.New("expected error but not none") } } - // Delete namespaces created for CRs + // Clean up. for _, ns := range tc.namespaces { fmt.Println("Delete namespace", ns) - _ = client.clientGo.CoreV1().Namespaces().Delete(ctx, ns, metav1.DeleteOptions{}) - _ = waitNamespaceDelete(ctx, ns) - } - - // Delete source cluster music-system CRD - _ = deleteCRD( - ctx, - tc.srcCRD["url"], - tc.srcCRD["namespace"], - ) - - // Delete target cluster music-system CRD - _ = deleteCRD( - ctx, - tc.tgtCRD["url"], - tc.srcCRD["namespace"], - ) - - err = veleroUninstall(context.Background(), client.kubebuilder, installVelero, veleroNamespace) - if err != nil { - return err + deleteNamespace(ctx, ns) } + _ = deleteCRD(ctx, tc.srcCrdYaml) + _ = deleteCRD(ctx, tc.tgtCrdYaml) } return nil } -func installVeleroForAPIGroups(ctx context.Context) error { - if err := ensureClusterExists(ctx); err != nil { - return errors.Wrap(err, "check cluster exists") - } +func installCRD(ctx context.Context, yaml string) error { + fmt.Printf("Install CRD with %s.\n", yaml) + cmd := exec.CommandContext(ctx, "kubectl", "apply", "-f", yaml) - // Pass global variables to option parameters. 
- options, err := getProviderVeleroInstallOptions( - cloudProvider, - cloudCredentialsFile, - bslBucket, - bslPrefix, - bslConfig, - vslConfig, - getProviderPlugins(cloudProvider), - "EnableAPIGroupVersions", - ) - if err != nil { - return errors.Wrap(err, "get velero install options") - } - - options.UseRestic = false - options.Features = "EnableAPIGroupVersions" - options.Image = veleroImage - - if err := installVeleroServer(options); err != nil { - return errors.Wrap(err, "install velero server") - } - - return nil -} - -func installCRD(ctx context.Context, crdFile, ns string) error { - fmt.Printf("Install CRD %s.\n", crdFile) - - cmd := exec.CommandContext(ctx, "kubectl", "apply", "-f", crdFile) _, stderr, err := veleroexec.RunCommand(cmd) if err != nil { return errors.Wrap(err, stderr) } - fmt.Println("Wait for CRD to be ready.") - if err := waitForPodContainers(ctx, ns); err != nil { - return err - } - - return err + return nil } -// waitForPodContainers will get the pods and container status in a namespace. -// If the ratio of the number of containers running to total in a pod is not 1, -// it is not ready. Otherwise, if all container ratios are 1, the pod is running. -func waitForPodContainers(ctx context.Context, ns string) error { - err := wait.Poll(3*time.Second, 4*time.Minute, func() (bool, error) { - cmd := exec.CommandContext(ctx, "kubectl", "get", "pods", "-n", ns) - stdout, stderr, err := veleroexec.RunCommand(cmd) - - if err != nil { - return false, errors.Wrap(err, stderr) - } - - re := regexp.MustCompile(`(\d)/(\d)\s+Running`) - - // Default allRunning needs to be false for when no match is found. 
- var allRunning bool - for i, v := range re.FindAllStringSubmatch(stdout, -1) { - if i == 0 { - allRunning = true - } - allRunning = v[1] == v[2] && allRunning - } - return allRunning, nil - }) - - if err == nil { - fmt.Println("Sleep for 20s for cluster to stabilize.") - time.Sleep(time.Second * 20) - } - - return err -} - -func deleteCRD(ctx context.Context, crdFile, ns string) error { - fmt.Println("Delete CRD", crdFile) - cmd := exec.CommandContext(ctx, "kubectl", "delete", "-f", crdFile, "--wait") +func deleteCRD(ctx context.Context, yaml string) error { + fmt.Println("Delete CRD", yaml) + cmd := exec.CommandContext(ctx, "kubectl", "delete", "-f", yaml, "--wait") _, stderr, err := veleroexec.RunCommand(cmd) if strings.Contains(stderr, "not found") { return nil } - if err != nil { return errors.Wrap(err, stderr) } - err = wait.Poll(1*time.Second, 3*time.Minute, func() (bool, error) { - cmd := exec.CommandContext(ctx, "kubectl", "get", "namespace", ns) - stdout, stderr, err := veleroexec.RunCommand(cmd) - - if strings.Contains(stderr, "not found") { - return true, nil - } - - if err != nil { - return false, errors.Wrap(err, stderr) - } - - re := regexp.MustCompile(ns) - return re.MatchString(stdout), nil - }) - return err + return nil } func restartPods(ctx context.Context, ns string) error { fmt.Printf("Restart pods in %s namespace.\n", ns) + cmd := exec.CommandContext(ctx, "kubectl", "delete", "pod", "--all", "-n", ns, "--wait=true") - cmd := exec.CommandContext(ctx, "kubectl", "delete", "pod", "--all", "-n", ns) - _, _, err := veleroexec.RunCommand(cmd) + _, stderr, err := veleroexec.RunCommand(cmd) + if strings.Contains(stderr, "not found") { + return nil + } + if err != nil { + return errors.Wrap(err, stderr) + } + return nil +} - if err == nil { - fmt.Println("Wait for pods to be ready.") - if err := waitForPodContainers(ctx, ns); err != nil { - return err - } +func deleteNamespace(ctx context.Context, ns string) error { + fmt.Println("Delete namespace", 
ns) + cmd := exec.CommandContext(ctx, "kubectl", "delete", "ns", ns, "--wait") + + _, stderr, err := veleroexec.RunCommand(cmd) + if strings.Contains(stderr, "not found") { + return nil + } + if err != nil { + return errors.Wrap(err, stderr) } - return err + return nil +} + +// DeleteNamespacesOnErr cleans up the namespaces created for a test cast after an +// error interrupts a test case. +func deleteNamespacesOnErr(ctx context.Context, namespaces []string) { + if len(namespaces) > 0 { + fmt.Println("An error has occurred. Cleaning up test case namespaces.") + } + + for _, ns := range namespaces { + deleteNamespace(ctx, ns) + } } func installCR(ctx context.Context, crFile, ns string) error { @@ -507,22 +417,6 @@ func installCR(ctx context.Context, crFile, ns string) error { return errors.Wrap(err, stderr) } -func waitNamespaceDelete(ctx context.Context, ns string) error { - err := wait.Poll(1*time.Second, 3*time.Minute, func() (bool, error) { - cmd := exec.CommandContext(ctx, "kubectl", "get", "namespace", ns) - - stdout, stderr, err := veleroexec.RunCommand(cmd) - if err != nil { - return false, errors.Wrap(err, stderr) - } - - re := regexp.MustCompile(ns) - return re.MatchString(stdout), nil - }) - - return err -} - func resourceInfo(ctx context.Context, g, v, r string) (map[string]map[string]string, error) { rvg := r + "." + v + "." + g ns := r + "-src-" + v diff --git a/test/e2e/testdata/enable_api_group_versions/README.md b/test/e2e/testdata/enable_api_group_versions/README.md index f9a03dbff..0b58dce08 100644 --- a/test/e2e/testdata/enable_api_group_versions/README.md +++ b/test/e2e/testdata/enable_api_group_versions/README.md 
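Review bot: In the `else` branch that expects the restore to fail, `err.Error()` is called with no nil check, so a restore that unexpectedly completes panics with a nil dereference instead of reporting a test failure; use `if err == nil || err.Error() != "Unexpected restore phase got PartiallyFailed, expecting Completed" {`, and the message `"expected error but not none"` presumably means `"expected error but got none"`. `restartPods` runs `kubectl delete pod --all -n <ns>` with a namespace that comes from configuration (`VELERO_NAMESPACE` in the README); as far as I can tell an empty `-n` makes kubectl fall back to the kubeconfig's current namespace, which would wipe every pod there, so guard the blast radius with `if ns == "" { return errors.New("refusing to delete all pods: namespace is empty") }` before building the command. `--wait=true` only waits for the old pods to terminate, not for their replacements to become Ready, so the readiness wait this commit removes is still needed unless `veleroBackupNamespace`/`veleroRestore` poll the CR to completion themselves. The return value of `deleteNamespace` is discarded both in the clean-up loop and in `deleteNamespacesOnErr`; printing it keeps leaked namespaces visible, and the doc comment above that function should name `deleteNamespacesOnErr` and say "test case" rather than "test cast". `runEnableAPIGroupVersionsTests` starts before this hunk.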
@@ -4,18 +4,12 @@ This directory contains Kubernetes manifests that are used for the enable API gr ## Documentation -Read more about cert-manager in the [Jet Stack repo](https://github.com/jetstack/cert-manager/blob/master/README.md). Read more about the music-system custom resource definitions and rockbands custom resources created for Velero tests at [@brito-rafa's repo](https://github.com/brito-rafa/k8s-webhooks/blob/master/examples-for-projectvelero/README.md). ## Reference -These manifests, listed below, come from two different sources: github.com/jetstack/cert-manager and github.com/brito-rafa/k8s-webhooks: - -cert-manager.yaml - -- source: https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml -- license: https://github.com/jetstack/cert-manager/blob/master/LICENSE +These manifests, listed below, come from github.com/brito-rafa/k8s-webhooks: case-a-source.yaml diff --git a/test/e2e/testdata/enable_api_group_versions/case-a-source.yaml b/test/e2e/testdata/enable_api_group_versions/case-a-source.yaml index e6f2cb719..42dcb6978 100644 --- a/test/e2e/testdata/enable_api_group_versions/case-a-source.yaml +++ b/test/e2e/testdata/enable_api_group_versions/case-a-source.yaml @@ -1,10 +1,3 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: music-system ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -13,18 +6,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.2.5 name: rockbands.music.example.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /convert - conversionReviewVersions: - - v1 - - v1alpha1 group: music.example.io names: kind: RockBand 
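Review bot: With the `conversion` stanza gone, `rockbands.music.example.io` falls back to the apiserver default `strategy: None`, so an object stored as v1 is served under v1alpha1 with only `apiVersion` rewritten and no field conversion; that is presumably intended now that the cert-manager-backed webhook (and its placeholder `caBundle: Cg==`) has been removed, but the fixture should say so, since the test's assertions depend on it. A comment directly under `spec:` such as `# No conversion webhook: strategy defaults to None, so versions differ only in schema, not in how stored fields are converted.` would make that explicit. The Namespace object removed from the head of the file was the home of that webhook service, so its removal is consistent.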
@@ -33,363 +14,77 @@ spec: singular: rockband scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - description: RockBand is the Schema for the rockbands API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RockBandSpec defines the desired state of RockBand - properties: - genre: - type: string - leadSinger: - type: string - numberComponents: - format: int32 - type: integer - type: object - status: - description: RockBandStatus defines the observed state of RockBand - properties: - lastPlayed: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RockBand is the Schema for the rockbands API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RockBandSpec defines the desired state of RockBand - properties: - genre: - type: string - numberComponents: - format: int32 - type: integer - type: object - status: - description: RockBandStatus defines the observed state of RockBand - properties: - lastPlayed: - type: string - required: - - lastPlayed - type: object - type: object - served: true - storage: false + - name: v1 + schema: + openAPIV3Schema: + description: RockBand is the Schema for the rockbands API + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + spec: + description: RockBandSpec defines the desired state of RockBand + properties: + genre: + type: string + leadSinger: + type: string + numberComponents: + format: int32 + type: integer + type: object + status: + description: RockBandStatus defines the observed state of RockBand + properties: + lastPlayed: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RockBand is the Schema for the rockbands API + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + spec: + description: RockBandSpec defines the desired state of RockBand + properties: + genre: + type: string + numberComponents: + format: int32 + type: integer + type: object + status: + description: RockBandStatus defines the observed state of RockBand + properties: + lastPlayed: + type: string + required: + - lastPlayed + type: object + type: object + served: true + storage: false status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: music-leader-election-role - namespace: music-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: music-manager-role -rules: -- apiGroups: - - music.example.io - resources: - - rockbands - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - music.example.io - resources: - - rockbands/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: music-proxy-role -rules: -- apiGroups: - - 
authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: music-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: music-leader-election-rolebinding - namespace: music-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: music-leader-election-role -subjects: -- kind: ServiceAccount - name: default - namespace: music-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: music-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: music-manager-role -subjects: -- kind: ServiceAccount - name: default - namespace: music-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: music-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: music-proxy-role -subjects: -- kind: ServiceAccount - name: default - namespace: music-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: music-controller-manager-metrics-service - namespace: music-system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager ---- -apiVersion: v1 -kind: Service -metadata: - name: music-webhook-service - namespace: music-system -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - control-plane: controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: controller-manager - name: music-controller-manager - namespace: music-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - labels: - 
control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - - args: - - --metrics-addr=127.0.0.1:8080 - - --enable-leader-election - command: - - /manager - image: quay.io/brito_rafa/music-controller:case-a-source-v0.1 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1alpha2 -kind: Certificate -metadata: - name: music-serving-cert - namespace: music-system -spec: - dnsNames: - - music-webhook-service.music-system.svc - - music-webhook-service.music-system.svc.cluster.local - issuerRef: - kind: Issuer - name: music-selfsigned-issuer - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1alpha2 -kind: Issuer -metadata: - name: music-selfsigned-issuer - namespace: music-system -spec: - selfSigned: {} ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: music-system/music-serving-cert - name: music-mutating-webhook-configuration -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /mutate-music-example-io-v1-rockband - failurePolicy: Fail - name: mrockband.kb.io - rules: - - apiGroups: - - music.example.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - rockbands ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: 
ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: music-system/music-serving-cert - name: music-validating-webhook-configuration -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /validate-music-example-io-v1-rockband - failurePolicy: Fail - name: vrockband.kb.io - rules: - - apiGroups: - - music.example.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - rockbands diff --git a/test/e2e/testdata/enable_api_group_versions/case-a-target.yaml b/test/e2e/testdata/enable_api_group_versions/case-a-target.yaml index b9634e0ea..3cf0baf2c 100644 --- a/test/e2e/testdata/enable_api_group_versions/case-a-target.yaml +++ b/test/e2e/testdata/enable_api_group_versions/case-a-target.yaml @@ -1,10 +1,3 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: music-system ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -13,18 +6,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.2.5 name: rockbands.music.example.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /convert - conversionReviewVersions: - - v1 - - v1alpha1 group: music.example.io names: kind: RockBand 
@@ -33,367 +14,81 @@ spec: singular: rockband scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - description: RockBand is the Schema for the rockbands API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RockBandSpec defines the desired state of RockBand - properties: - genre: - type: string - leadSinger: - type: string - numberComponents: - format: int32 - type: integer - type: object - status: - description: RockBandStatus defines the observed state of RockBand - properties: - lastPlayed: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - name: v2beta1 - schema: - openAPIV3Schema: - description: RockBand is the Schema for the rockbands API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RockBandSpec defines the desired state of RockBand - properties: - genre: - type: string - leadGuitar: - type: string - leadSinger: - type: string - numberComponents: - format: int32 - type: integer - type: object - status: - description: RockBandStatus defines the observed state of RockBand - properties: - lastPlayed: - type: string - required: - - lastPlayed - type: object - type: object - served: true - storage: false + - name: v1 + schema: + openAPIV3Schema: + description: RockBand is the Schema for the rockbands API + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + spec: + description: RockBandSpec defines the desired state of RockBand + properties: + genre: + type: string + leadSinger: + type: string + numberComponents: + format: int32 + type: integer + type: object + status: + description: RockBandStatus defines the observed state of RockBand + properties: + lastPlayed: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v2beta1 + schema: + openAPIV3Schema: + description: RockBand is the Schema for the rockbands API + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + spec: + description: RockBandSpec defines the desired state of RockBand + properties: + genre: + type: string + leadGuitar: + type: string + leadSinger: + type: string + numberComponents: + format: int32 + type: integer + type: object + status: + description: RockBandStatus defines the observed state of RockBand + properties: + lastPlayed: + type: string + required: + - lastPlayed + type: object + type: object + served: true + storage: false status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: music-leader-election-role - namespace: music-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: music-manager-role -rules: -- apiGroups: - - music.example.io - resources: - - rockbands - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - music.example.io - resources: - - rockbands/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: music-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: music-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 
-kind: RoleBinding -metadata: - name: music-leader-election-rolebinding - namespace: music-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: music-leader-election-role -subjects: -- kind: ServiceAccount - name: default - namespace: music-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: music-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: music-manager-role -subjects: -- kind: ServiceAccount - name: default - namespace: music-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: music-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: music-proxy-role -subjects: -- kind: ServiceAccount - name: default - namespace: music-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: music-controller-manager-metrics-service - namespace: music-system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager ---- -apiVersion: v1 -kind: Service -metadata: - name: music-webhook-service - namespace: music-system -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - control-plane: controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: controller-manager - name: music-controller-manager - namespace: music-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - - args: - - --metrics-addr=127.0.0.1:8080 - - --enable-leader-election - command: - - 
/manager - image: quay.io/brito_rafa/music-controller:case-a-target-v0.2 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1alpha2 -kind: Certificate -metadata: - name: music-serving-cert - namespace: music-system -spec: - dnsNames: - - music-webhook-service.music-system.svc - - music-webhook-service.music-system.svc.cluster.local - issuerRef: - kind: Issuer - name: music-selfsigned-issuer - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1alpha2 -kind: Issuer -metadata: - name: music-selfsigned-issuer - namespace: music-system -spec: - selfSigned: {} ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: music-system/music-serving-cert - name: music-mutating-webhook-configuration -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /mutate-music-example-io-v2beta1-rockband - failurePolicy: Fail - name: mrockband.kb.io - rules: - - apiGroups: - - music.example.io - apiVersions: - - v2beta1 - operations: - - CREATE - - UPDATE - resources: - - rockbands ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: music-system/music-serving-cert - name: music-validating-webhook-configuration -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /validate-music-example-io-v1-rockband - failurePolicy: Fail - name: vrockband.kb.io - rules: - - apiGroups: - - 
music.example.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - rockbands diff --git a/test/e2e/testdata/enable_api_group_versions/case-b-source-manually-added-mutations.yaml b/test/e2e/testdata/enable_api_group_versions/case-b-source-manually-added-mutations.yaml index cf877e938..881c640b2 100644 --- a/test/e2e/testdata/enable_api_group_versions/case-b-source-manually-added-mutations.yaml +++ b/test/e2e/testdata/enable_api_group_versions/case-b-source-manually-added-mutations.yaml @@ -1,10 +1,3 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: music-system ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -13,19 +6,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.2.5 name: rockbands.music.example.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /convert - conversionReviewVersions: - - v1 - - v2beta1 - - v2beta2 group: music.example.io names: kind: RockBand 
@@ -151,325 +131,3 @@ status: plural: "" conditions: [] storedVersions: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: music-leader-election-role - namespace: music-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: music-manager-role -rules: -- apiGroups: - - music.example.io - resources: - - rockbands - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - music.example.io - resources: - - rockbands/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: music-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: music-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: music-leader-election-rolebinding - namespace: music-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: music-leader-election-role -subjects: -- kind: ServiceAccount - name: default - namespace: music-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: music-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: music-manager-role -subjects: -- kind: ServiceAccount - name: default - namespace: music-system ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: music-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: music-proxy-role -subjects: -- kind: ServiceAccount - name: default - namespace: music-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: music-controller-manager-metrics-service - namespace: music-system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager ---- -apiVersion: v1 -kind: Service -metadata: - name: music-webhook-service - namespace: music-system -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - control-plane: controller-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: controller-manager - name: music-controller-manager - namespace: music-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - - args: - - --metrics-addr=127.0.0.1:8080 - - --enable-leader-election - command: - - /manager - image: quay.io/brito_rafa/music-controller:case-b-source-v0.1 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - resources: - limits: - cpu: 100m - memory: 30Mi - requests: - cpu: 100m - memory: 20Mi - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1alpha2 -kind: Certificate -metadata: - name: music-serving-cert - 
namespace: music-system -spec: - dnsNames: - - music-webhook-service.music-system.svc - - music-webhook-service.music-system.svc.cluster.local - issuerRef: - kind: Issuer - name: music-selfsigned-issuer - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1alpha2 -kind: Issuer -metadata: - name: music-selfsigned-issuer - namespace: music-system -spec: - selfSigned: {} ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: music-system/music-serving-cert - name: music-mutating-webhook-configuration -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /mutate-music-example-io-v2beta2-rockband - failurePolicy: Fail - name: mrockband.kb.io - rules: - - apiGroups: - - music.example.io - apiVersions: - - v2beta2 - operations: - - CREATE - - UPDATE - resources: - - rockbands -- clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /mutate-music-example-io-v2beta1-rockband - failurePolicy: Fail - name: mrockband.kb.io - rules: - - apiGroups: - - music.example.io - apiVersions: - - v2beta1 - operations: - - CREATE - - UPDATE - resources: - - rockbands -- clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /mutate-music-example-io-v1-rockband - failurePolicy: Fail - name: mrockband.kb.io - rules: - - apiGroups: - - music.example.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - rockbands ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: music-system/music-serving-cert - name: music-validating-webhook-configuration -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: 
/validate-music-example-io-v2beta2-rockband - failurePolicy: Fail - name: vrockband.kb.io - rules: - - apiGroups: - - music.example.io - apiVersions: - - v2beta2 - operations: - - CREATE - - UPDATE - resources: - - rockbands diff --git a/test/e2e/testdata/enable_api_group_versions/case-b-target-manually-added-mutations.yaml b/test/e2e/testdata/enable_api_group_versions/case-b-target-manually-added-mutations.yaml index e8417176f..428843483 100644 --- a/test/e2e/testdata/enable_api_group_versions/case-b-target-manually-added-mutations.yaml +++ b/test/e2e/testdata/enable_api_group_versions/case-b-target-manually-added-mutations.yaml @@ -1,10 +1,3 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: music-system ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -13,19 +6,6 @@ metadata: controller-gen.kubebuilder.io/version: v0.2.5 name: rockbands.music.example.io spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - caBundle: Cg== - service: - name: music-webhook-service - namespace: music-system - path: /convert - conversionReviewVersions: - - v2beta2 - - v2beta1 - - v1 group: music.example.io names: kind: RockBand 
@@ -116,307 +96,3 @@ status:
 plural: ""
 conditions: []
 storedVersions: []
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: music-leader-election-role
- namespace: music-system
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - ""
- resources:
- - configmaps/status
- verbs:
- - get
- - update
- - patch
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- name: music-manager-role
-rules:
-- apiGroups:
- - music.example.io
- resources:
- - rockbands
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - music.example.io
- resources:
- - rockbands/status
- verbs:
- - get
- - patch
- - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: music-proxy-role
-rules:
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: music-metrics-reader
-rules:
-- nonResourceURLs:
- - /metrics
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: music-leader-election-rolebinding
- namespace: music-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: music-leader-election-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: music-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: music-manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: music-manager-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: music-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: music-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: music-proxy-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: music-system
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- control-plane: controller-manager
- name: music-controller-manager-metrics-service
- namespace: music-system
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
----
-apiVersion: v1
-kind: Service
-metadata:
- name: music-webhook-service
- namespace: music-system
-spec:
- ports:
- - port: 443
- targetPort: 9443
- selector:
- control-plane: controller-manager
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- control-plane: controller-manager
- name: music-controller-manager
- namespace: music-system
-spec:
- replicas: 1
- selector:
- matchLabels:
- control-plane: controller-manager
- template:
- metadata:
- labels:
- control-plane: controller-manager
- spec:
- containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=10
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- - args:
- - --metrics-addr=127.0.0.1:8080
- - --enable-leader-election
- command:
- - /manager
- image: quay.io/brito_rafa/music-controller:case-b-target-v0.1
- name: manager
- ports:
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- resources:
- limits:
- cpu: 100m
- memory: 30Mi
- requests:
- cpu: 100m
- memory: 20Mi
- volumeMounts:
- - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
- readOnly: true
- terminationGracePeriodSeconds: 10
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: webhook-server-cert
----
-apiVersion: cert-manager.io/v1alpha2
-kind: Certificate
-metadata:
- name: music-serving-cert
- namespace: music-system
-spec:
- dnsNames:
- - music-webhook-service.music-system.svc
- - music-webhook-service.music-system.svc.cluster.local
- issuerRef:
- kind: Issuer
- name: music-selfsigned-issuer
- secretName: webhook-server-cert
----
-apiVersion: cert-manager.io/v1alpha2
-kind: Issuer
-metadata:
- name: music-selfsigned-issuer
- namespace: music-system
-spec:
- selfSigned: {}
----
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: MutatingWebhookConfiguration
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: music-system/music-serving-cert
- name: music-mutating-webhook-configuration
-webhooks:
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /mutate-music-example-io-v2beta1-rockband
- failurePolicy: Fail
- name: mrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v2beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /mutate-music-example-io-v2beta2-rockband
- failurePolicy: Fail
- name: mrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v2beta2
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
----
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: music-system/music-serving-cert
- name: music-validating-webhook-configuration
-webhooks:
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /validate-music-example-io-v2beta2-rockband
- failurePolicy: Fail
- name: vrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v2beta2
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
diff --git a/test/e2e/testdata/enable_api_group_versions/case-c-target-manually-added-mutations.yaml b/test/e2e/testdata/enable_api_group_versions/case-c-target-manually-added-mutations.yaml
index d4bb64b61..73bb0883e 100644
--- a/test/e2e/testdata/enable_api_group_versions/case-c-target-manually-added-mutations.yaml
+++ b/test/e2e/testdata/enable_api_group_versions/case-c-target-manually-added-mutations.yaml
@@ -1,10 +1,3 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- control-plane: controller-manager
- name: music-system
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -13,18 +6,6 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.2.5
 name: rockbands.music.example.io
 spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /convert
- conversionReviewVersions:
- - v2
- - v1
 group: music.example.io
 names:
 kind: RockBand
@@ -115,307 +96,3 @@ status:
 plural: ""
 conditions: []
 storedVersions: []
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: music-leader-election-role
- namespace: music-system
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - ""
- resources:
- - configmaps/status
- verbs:
- - get
- - update
- - patch
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- name: music-manager-role
-rules:
-- apiGroups:
- - music.example.io
- resources:
- - rockbands
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - music.example.io
- resources:
- - rockbands/status
- verbs:
- - get
- - patch
- - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: music-proxy-role
-rules:
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: music-metrics-reader
-rules:
-- nonResourceURLs:
- - /metrics
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: music-leader-election-rolebinding
- namespace: music-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: music-leader-election-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: music-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: music-manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: music-manager-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: music-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: music-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: music-proxy-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: music-system
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- control-plane: controller-manager
- name: music-controller-manager-metrics-service
- namespace: music-system
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
----
-apiVersion: v1
-kind: Service
-metadata:
- name: music-webhook-service
- namespace: music-system
-spec:
- ports:
- - port: 443
- targetPort: 9443
- selector:
- control-plane: controller-manager
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- control-plane: controller-manager
- name: music-controller-manager
- namespace: music-system
-spec:
- replicas: 1
- selector:
- matchLabels:
- control-plane: controller-manager
- template:
- metadata:
- labels:
- control-plane: controller-manager
- spec:
- containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=10
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- - args:
- - --metrics-addr=127.0.0.1:8080
- - --enable-leader-election
- command:
- - /manager
- image: quay.io/brito_rafa/music-controller:case-c-target-v0.1
- name: manager
- ports:
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- resources:
- limits:
- cpu: 100m
- memory: 30Mi
- requests:
- cpu: 100m
- memory: 20Mi
- volumeMounts:
- - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
- readOnly: true
- terminationGracePeriodSeconds: 10
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: webhook-server-cert
----
-apiVersion: cert-manager.io/v1alpha2
-kind: Certificate
-metadata:
- name: music-serving-cert
- namespace: music-system
-spec:
- dnsNames:
- - music-webhook-service.music-system.svc
- - music-webhook-service.music-system.svc.cluster.local
- issuerRef:
- kind: Issuer
- name: music-selfsigned-issuer
- secretName: webhook-server-cert
----
-apiVersion: cert-manager.io/v1alpha2
-kind: Issuer
-metadata:
- name: music-selfsigned-issuer
- namespace: music-system
-spec:
- selfSigned: {}
----
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: MutatingWebhookConfiguration
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: music-system/music-serving-cert
- name: music-mutating-webhook-configuration
-webhooks:
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /mutate-music-example-io-v1-rockband
- failurePolicy: Fail
- name: mrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /mutate-music-example-io-v2-rockband
- failurePolicy: Fail
- name: mrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v2
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
----
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: music-system/music-serving-cert
- name: music-validating-webhook-configuration
-webhooks:
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /validate-music-example-io-v1-rockband
- failurePolicy: Fail
- name: vrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
diff --git a/test/e2e/testdata/enable_api_group_versions/case-d-target-manually-added-mutations.yaml b/test/e2e/testdata/enable_api_group_versions/case-d-target-manually-added-mutations.yaml
index 086ece7f9..7f3c56aa4 100644
--- a/test/e2e/testdata/enable_api_group_versions/case-d-target-manually-added-mutations.yaml
+++ b/test/e2e/testdata/enable_api_group_versions/case-d-target-manually-added-mutations.yaml
@@ -1,10 +1,3 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- control-plane: controller-manager
- name: music-system
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -13,20 +6,6 @@ metadata:
 controller-gen.kubebuilder.io/version: v0.2.5
 name: rockbands.music.example.io
 spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /convert
- conversionReviewVersions:
- - v2
- - v2beta2
- - v2beta1
- - v1
 group: music.example.io
 names:
 kind: RockBand
@@ -158,325 +137,3 @@ status:
 plural: ""
 conditions: []
 storedVersions: []
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: music-leader-election-role
- namespace: music-system
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - ""
- resources:
- - configmaps/status
- verbs:
- - get
- - update
- - patch
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- name: music-manager-role
-rules:
-- apiGroups:
- - music.example.io
- resources:
- - rockbands
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - music.example.io
- resources:
- - rockbands/status
- verbs:
- - get
- - patch
- - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: music-proxy-role
-rules:
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: music-metrics-reader
-rules:
-- nonResourceURLs:
- - /metrics
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: music-leader-election-rolebinding
- namespace: music-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: music-leader-election-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: music-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: music-manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: music-manager-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: music-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: music-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: music-proxy-role
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: music-system
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- control-plane: controller-manager
- name: music-controller-manager-metrics-service
- namespace: music-system
-spec:
- ports:
- - name: https
- port: 8443
- targetPort: https
- selector:
- control-plane: controller-manager
----
-apiVersion: v1
-kind: Service
-metadata:
- name: music-webhook-service
- namespace: music-system
-spec:
- ports:
- - port: 443
- targetPort: 9443
- selector:
- control-plane: controller-manager
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- control-plane: controller-manager
- name: music-controller-manager
- namespace: music-system
-spec:
- replicas: 1
- selector:
- matchLabels:
- control-plane: controller-manager
- template:
- metadata:
- labels:
- control-plane: controller-manager
- spec:
- containers:
- - args:
- - --secure-listen-address=0.0.0.0:8443
- - --upstream=http://127.0.0.1:8080/
- - --logtostderr=true
- - --v=10
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
- name: kube-rbac-proxy
- ports:
- - containerPort: 8443
- name: https
- - args:
- - --metrics-addr=127.0.0.1:8080
- - --enable-leader-election
- command:
- - /manager
- image: quay.io/brito_rafa/music-controller:case-d-target-v0.1
- name: manager
- ports:
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- resources:
- limits:
- cpu: 100m
- memory: 30Mi
- requests:
- cpu: 100m
- memory: 20Mi
- volumeMounts:
- - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
- readOnly: true
- terminationGracePeriodSeconds: 10
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: webhook-server-cert
----
-apiVersion: cert-manager.io/v1alpha2
-kind: Certificate
-metadata:
- name: music-serving-cert
- namespace: music-system
-spec:
- dnsNames:
- - music-webhook-service.music-system.svc
- - music-webhook-service.music-system.svc.cluster.local
- issuerRef:
- kind: Issuer
- name: music-selfsigned-issuer
- secretName: webhook-server-cert
----
-apiVersion: cert-manager.io/v1alpha2
-kind: Issuer
-metadata:
- name: music-selfsigned-issuer
- namespace: music-system
-spec:
- selfSigned: {}
----
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: MutatingWebhookConfiguration
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: music-system/music-serving-cert
- name: music-mutating-webhook-configuration
-webhooks:
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /mutate-music-example-io-v2beta2-rockband
- failurePolicy: Fail
- name: mrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v2beta2
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /mutate-music-example-io-v2beta1-rockband
- failurePolicy: Fail
- name: mrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v2beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /mutate-music-example-io-v2-rockband
- failurePolicy: Fail
- name: mrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v2
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
----
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
- annotations:
- cert-manager.io/inject-ca-from: music-system/music-serving-cert
- name: music-validating-webhook-configuration
-webhooks:
-- clientConfig:
- caBundle: Cg==
- service:
- name: music-webhook-service
- namespace: music-system
- path: /validate-music-example-io-v2beta2-rockband
- failurePolicy: Fail
- name: vrockband.kb.io
- rules:
- - apiGroups:
- - music.example.io
- apiVersions:
- - v2beta2
- operations:
- - CREATE
- - UPDATE
- resources:
- - rockbands
diff --git a/test/e2e/testdata/enable_api_group_versions/cert-manager.yaml b/test/e2e/testdata/enable_api_group_versions/cert-manager.yaml
deleted file mode 100644
index c95cc8842..000000000
--- a/test/e2e/testdata/enable_api_group_versions/cert-manager.yaml
+++ /dev/null
@@ -1,29227 +0,0 @@ -# Copyright YEAR The Jetstack cert-manager contributors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: certificaterequests.cert-manager.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: cert-manager.io - names: - kind: CertificateRequest - listKind: CertificateRequestList - plural: certificaterequests - shortNames: - - cr - - crs - singular: certificaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. 
- jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: - "A CertificateRequest is used to request a signed certificate - from one of the configured issuers. \n All fields within the CertificateRequest's - `spec` are immutable after creation. A CertificateRequest will either succeed - or fail, as denoted by its `status.state` field. \n A CertificateRequest - is a 'one-shot' resource, meaning it represents a single point in time request - for a certificate and cannot be re-used." - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - properties: - csr: - description: - The PEM-encoded x509 certificate signing request to be - submitted to the CA for signing. - format: byte - type: string - duration: - description: - The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. - type: string - isCA: - description: - IsCA will request to mark the certificate as valid for - certificate signing when submitting to the issuer. This will automatically - add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: - IssuerRef is a reference to the issuer for this CertificateRequest. 
If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a - ClusterIssuer with the provided name will be used. The 'name' field - in this stanza is required at all times. The group field refers - to the API group of the issuer which defaults to 'cert-manager.io' - if empty. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - usages: - description: - Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: - 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - csr - - issuerRef - type: object - status: - 
description: - Status of the CertificateRequest. This is set and managed - automatically. - properties: - ca: - description: - The PEM encoded x509 certificate of the signer, also - known as the CA (Certificate Authority). This is set on a best-effort - basis by different issuers. If not set, the CA is assumed to be - unknown/not available. - format: byte - type: string - certificate: - description: - The PEM encoded x509 certificate resulting from the certificate - signing request. If not set, the CertificateRequest has either not - been completed or has failed. More information on failure can be - found by checking the `conditions` field. - format: byte - type: string - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. - items: - description: - CertificateRequestCondition contains condition information - for a CertificateRequest. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: - Type of the condition, known values are ('Ready', - 'InvalidRequest'). - type: string - required: - - status - - type - type: object - type: array - failureTime: - description: - FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and back-off. 
- format: date-time - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: - "A CertificateRequest is used to request a signed certificate - from one of the configured issuers. \n All fields within the CertificateRequest's - `spec` are immutable after creation. A CertificateRequest will either succeed - or fail, as denoted by its `status.state` field. \n A CertificateRequest - is a 'one-shot' resource, meaning it represents a single point in time request - for a certificate and cannot be re-used." - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - properties: - csr: - description: - The PEM-encoded x509 certificate signing request to be - submitted to the CA for signing. - format: byte - type: string - duration: - description: - The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. - type: string - isCA: - description: - IsCA will request to mark the certificate as valid for - certificate signing when submitting to the issuer. This will automatically - add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: - IssuerRef is a reference to the issuer for this CertificateRequest. If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a - ClusterIssuer with the provided name will be used. The 'name' field - in this stanza is required at all times. The group field refers - to the API group of the issuer which defaults to 'cert-manager.io' - if empty. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - usages: - description: - Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: - 'KeyUsage specifies valid usage contexts for keys. 
- See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - csr - - issuerRef - type: object - status: - description: - Status of the CertificateRequest. This is set and managed - automatically. - properties: - ca: - description: - The PEM encoded x509 certificate of the signer, also - known as the CA (Certificate Authority). This is set on a best-effort - basis by different issuers. If not set, the CA is assumed to be - unknown/not available. - format: byte - type: string - certificate: - description: - The PEM encoded x509 certificate resulting from the certificate - signing request. If not set, the CertificateRequest has either not - been completed or has failed. More information on failure can be - found by checking the `conditions` field. - format: byte - type: string - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. - items: - description: - CertificateRequestCondition contains condition information - for a CertificateRequest. 
- properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: - Type of the condition, known values are ('Ready', - 'InvalidRequest'). - type: string - required: - - status - - type - type: object - type: array - failureTime: - description: - FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and back-off. - format: date-time - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: - "A CertificateRequest is used to request a signed certificate - from one of the configured issuers. \n All fields within the CertificateRequest's - `spec` are immutable after creation. 
A CertificateRequest will either succeed - or fail, as denoted by its `status.state` field. \n A CertificateRequest - is a 'one-shot' resource, meaning it represents a single point in time request - for a certificate and cannot be re-used." - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - properties: - duration: - description: - The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. - type: string - isCA: - description: - IsCA will request to mark the certificate as valid for - certificate signing when submitting to the issuer. This will automatically - add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: - IssuerRef is a reference to the issuer for this CertificateRequest. If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a - ClusterIssuer with the provided name will be used. The 'name' field - in this stanza is required at all times. The group field refers - to the API group of the issuer which defaults to 'cert-manager.io' - if empty. 
- properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - request: - description: - The PEM-encoded x509 certificate signing request to be - submitted to the CA for signing. - format: byte - type: string - usages: - description: - Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: - 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - request - type: object - status: - description: - Status of the CertificateRequest. This is set and managed - automatically. - properties: - ca: - description: - The PEM encoded x509 certificate of the signer, also - known as the CA (Certificate Authority). This is set on a best-effort - basis by different issuers. 
If not set, the CA is assumed to be - unknown/not available. - format: byte - type: string - certificate: - description: - The PEM encoded x509 certificate resulting from the certificate - signing request. If not set, the CertificateRequest has either not - been completed or has failed. More information on failure can be - found by checking the `conditions` field. - format: byte - type: string - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. - items: - description: - CertificateRequestCondition contains condition information - for a CertificateRequest. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: - Type of the condition, known values are ('Ready', - 'InvalidRequest'). - type: string - required: - - status - - type - type: object - type: array - failureTime: - description: - FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and back-off. 
- format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: - "A CertificateRequest is used to request a signed certificate - from one of the configured issuers. \n All fields within the CertificateRequest's - `spec` are immutable after creation. A CertificateRequest will either succeed - or fail, as denoted by its `status.state` field. \n A CertificateRequest - is a 'one-shot' resource, meaning it represents a single point in time request - for a certificate and cannot be re-used." - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - properties: - duration: - description: - The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. - type: string - isCA: - description: - IsCA will request to mark the certificate as valid for - certificate signing when submitting to the issuer. This will automatically - add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: - IssuerRef is a reference to the issuer for this CertificateRequest. If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a - ClusterIssuer with the provided name will be used. The 'name' field - in this stanza is required at all times. The group field refers - to the API group of the issuer which defaults to 'cert-manager.io' - if empty. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - request: - description: - The PEM-encoded x509 certificate signing request to be - submitted to the CA for signing. - format: byte - type: string - usages: - description: - Usages is the set of x509 usages that are requested for - the certificate. If usages are set they SHOULD be encoded inside - the CSR spec Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: - 'KeyUsage specifies valid usage contexts for keys. 
- See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - request - type: object - status: - description: - Status of the CertificateRequest. This is set and managed - automatically. - properties: - ca: - description: - The PEM encoded x509 certificate of the signer, also - known as the CA (Certificate Authority). This is set on a best-effort - basis by different issuers. If not set, the CA is assumed to be - unknown/not available. - format: byte - type: string - certificate: - description: - The PEM encoded x509 certificate resulting from the certificate - signing request. If not set, the CertificateRequest has either not - been completed or has failed. More information on failure can be - found by checking the `conditions` field. - format: byte - type: string - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. - items: - description: - CertificateRequestCondition contains condition information - for a CertificateRequest. 
- properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: - Type of the condition, known values are ('Ready', - 'InvalidRequest'). - type: string - required: - - status - - type - type: object - type: array - failureTime: - description: - FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and back-off. - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: certificates.cert-manager.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: cert-manager.io - names: - kind: Certificate - listKind: CertificateList - plural: certificates - shortNames: - - cert - - certs - singular: certificate - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - 
type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: - "A Certificate resource should be created to ensure an up to - date and signed x509 certificate is stored in the Kubernetes Secret resource - named in `spec.secretName`. \n The stored certificate will be renewed before - it expires (as configured by `spec.renewBefore`)." - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - properties: - commonName: - description: - "CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. 
This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4" - type: string - dnsNames: - description: - DNSNames is a list of DNS subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - duration: - description: - The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If overridden - and `renewBefore` is greater than the actual certificate duration, - the certificate will be automatically renewed 2/3rds of the way - through the certificate's duration. - type: string - emailSANs: - description: - EmailSANs is a list of email subjectAltNames to be set - on the Certificate. - items: - type: string - type: array - ipAddresses: - description: - IPAddresses is a list of IP address subjectAltNames to - be set on the Certificate. - items: - type: string - type: array - isCA: - description: - IsCA will mark this Certificate as valid for certificate - signing. This will automatically add the `cert sign` usage to the - list of `usages`. - type: boolean - issuerRef: - description: - IssuerRef is a reference to the issuer for this certificate. - If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - keyAlgorithm: - description: - KeyAlgorithm is the private key algorithm of the corresponding - private key for this certificate. 
If provided, allowed values are - either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize` - is not provided, key size of 256 will be used for "ecdsa" key algorithm - and key size of 2048 will be used for "rsa" key algorithm. - enum: - - rsa - - ecdsa - type: string - keyEncoding: - description: - KeyEncoding is the private key cryptography standards - (PKCS) for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, - respectively. If KeyEncoding is not specified, then PKCS#1 will - be used by default. - enum: - - pkcs1 - - pkcs8 - type: string - keySize: - description: - KeySize is the key bit size of the corresponding private - key for this certificate. If `keyAlgorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not specified. - No other values are allowed. - maximum: 8192 - minimum: 0 - type: integer - keystores: - description: - Keystores configures additional keystore output formats - stored in the `secretName` Secret resource. - properties: - jks: - description: - JKS configures options for storing a JKS keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: - Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: - PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the JKS keystore. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. 
Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - pkcs12: - description: - PKCS12 configures options for storing a PKCS12 keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: - Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: - PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the PKCS12 keystore. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - type: object - organization: - description: - Organization is a list of organizations to be used on - the Certificate. - items: - type: string - type: array - privateKey: - description: Options to control private keys used for the Certificate. - properties: - rotationPolicy: - description: - RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. 
If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. - type: string - type: object - renewBefore: - description: - The amount of time before the currently issued certificate's - `notAfter` time that cert-manager will begin to attempt to renew - the certificate. If this value is greater than the total duration - of the certificate (i.e. notAfter - notBefore), it will be automatically - renewed 2/3rds of the way through the certificate's duration. - type: string - secretName: - description: - SecretName is the name of the secret resource that will - be automatically created and managed by this Certificate resource. - It will be populated with a private key and certificate, signed - by the denoted issuer. - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - properties: - countries: - description: Countries to be used on the Certificate. - items: - type: string - type: array - localities: - description: Cities to be used on the Certificate. - items: - type: string - type: array - organizationalUnits: - description: Organizational Units to be used on the Certificate. - items: - type: string - type: array - postalCodes: - description: Postal codes to be used on the Certificate. - items: - type: string - type: array - provinces: - description: State/Provinces to be used on the Certificate. - items: - type: string - type: array - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - items: - type: string - type: array - type: object - uriSANs: - description: - URISANs is a list of URI subjectAltNames to be set on - the Certificate. 
- items: - type: string - type: array - usages: - description: - Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: - 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - secretName - type: object - status: - description: Status of the Certificate. This is set and managed automatically. - properties: - conditions: - description: - List of status conditions to indicate the status of certificates. - Known condition types are `Ready` and `Issuing`. - items: - description: - CertificateCondition contains condition information - for an Certificate. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. 
- type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: - Type of the condition, known values are ('Ready', - `Issuing`). - type: string - required: - - status - - type - type: object - type: array - lastFailureTime: - description: - LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. - format: date-time - type: string - nextPrivateKeySecretName: - description: - The name of the Secret resource containing the private - key to be used for the next certificate iteration. The keymanager - controller will automatically set this field if the `Issuing` condition - is set to `True`. It will automatically unset this field when the - Issuing condition is not set or False. - type: string - notAfter: - description: - The expiration time of the certificate stored in the - secret named by this resource in `spec.secretName`. - format: date-time - type: string - notBefore: - description: - The time after which the certificate stored in the secret - named by this resource in spec.secretName is valid. - format: date-time - type: string - renewalTime: - description: - RenewalTime is the time at which the certificate will - be next renewed. If not set, no upcoming renewal is scheduled. - format: date-time - type: string - revision: - description: - "The current 'revision' of the certificate as issued. - \n When a CertificateRequest resource is created, it will have the - `cert-manager.io/certificate-revision` set to one greater than the - current value of this field. 
\n Upon issuance, this field will be - set to the value of the annotation on the CertificateRequest resource - used to issue the certificate. \n Persisting the value on the CertificateRequest - resource allows the certificates controller to know whether a request - is part of an old issuance or if it is part of the ongoing revision's - issuance by checking if the revision value in the annotation is - greater than this field." - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: - "A Certificate resource should be created to ensure an up to - date and signed x509 certificate is stored in the Kubernetes Secret resource - named in `spec.secretName`. \n The stored certificate will be renewed before - it expires (as configured by `spec.renewBefore`)." - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - properties: - commonName: - description: - "CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4" - type: string - dnsNames: - description: - DNSNames is a list of DNS subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - duration: - description: - The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If overridden - and `renewBefore` is greater than the actual certificate duration, - the certificate will be automatically renewed 2/3rds of the way - through the certificate's duration. - type: string - emailSANs: - description: - EmailSANs is a list of email subjectAltNames to be set - on the Certificate. - items: - type: string - type: array - ipAddresses: - description: - IPAddresses is a list of IP address subjectAltNames to - be set on the Certificate. - items: - type: string - type: array - isCA: - description: - IsCA will mark this Certificate as valid for certificate - signing. This will automatically add the `cert sign` usage to the - list of `usages`. - type: boolean - issuerRef: - description: - IssuerRef is a reference to the issuer for this certificate. 
- If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - keyAlgorithm: - description: - KeyAlgorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values are - either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize` - is not provided, key size of 256 will be used for "ecdsa" key algorithm - and key size of 2048 will be used for "rsa" key algorithm. - enum: - - rsa - - ecdsa - type: string - keyEncoding: - description: - KeyEncoding is the private key cryptography standards - (PKCS) for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, - respectively. If KeyEncoding is not specified, then PKCS#1 will - be used by default. - enum: - - pkcs1 - - pkcs8 - type: string - keySize: - description: - KeySize is the key bit size of the corresponding private - key for this certificate. If `keyAlgorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not specified. - No other values are allowed. - maximum: 8192 - minimum: 0 - type: integer - keystores: - description: - Keystores configures additional keystore output formats - stored in the `secretName` Secret resource. 
- properties: - jks: - description: - JKS configures options for storing a JKS keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: - Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: - PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the JKS keystore. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - pkcs12: - description: - PKCS12 configures options for storing a PKCS12 keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: - Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: - PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the PKCS12 keystore. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - type: object - privateKey: - description: Options to control private keys used for the Certificate. - properties: - rotationPolicy: - description: - RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. - type: string - type: object - renewBefore: - description: - The amount of time before the currently issued certificate's - `notAfter` time that cert-manager will begin to attempt to renew - the certificate. If this value is greater than the total duration - of the certificate (i.e. notAfter - notBefore), it will be automatically - renewed 2/3rds of the way through the certificate's duration. - type: string - secretName: - description: - SecretName is the name of the secret resource that will - be automatically created and managed by this Certificate resource. - It will be populated with a private key and certificate, signed - by the denoted issuer. - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - properties: - countries: - description: Countries to be used on the Certificate. - items: - type: string - type: array - localities: - description: Cities to be used on the Certificate. - items: - type: string - type: array - organizationalUnits: - description: Organizational Units to be used on the Certificate. 
- items: - type: string - type: array - organizations: - description: Organizations to be used on the Certificate. - items: - type: string - type: array - postalCodes: - description: Postal codes to be used on the Certificate. - items: - type: string - type: array - provinces: - description: State/Provinces to be used on the Certificate. - items: - type: string - type: array - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - items: - type: string - type: array - type: object - uriSANs: - description: - URISANs is a list of URI subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - usages: - description: - Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: - 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - secretName 
- type: object - status: - description: Status of the Certificate. This is set and managed automatically. - properties: - conditions: - description: - List of status conditions to indicate the status of certificates. - Known condition types are `Ready` and `Issuing`. - items: - description: - CertificateCondition contains condition information - for an Certificate. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: - Type of the condition, known values are ('Ready', - `Issuing`). - type: string - required: - - status - - type - type: object - type: array - lastFailureTime: - description: - LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. - format: date-time - type: string - nextPrivateKeySecretName: - description: - The name of the Secret resource containing the private - key to be used for the next certificate iteration. The keymanager - controller will automatically set this field if the `Issuing` condition - is set to `True`. It will automatically unset this field when the - Issuing condition is not set or False. - type: string - notAfter: - description: - The expiration time of the certificate stored in the - secret named by this resource in `spec.secretName`. 
- format: date-time - type: string - notBefore: - description: - The time after which the certificate stored in the secret - named by this resource in spec.secretName is valid. - format: date-time - type: string - renewalTime: - description: - RenewalTime is the time at which the certificate will - be next renewed. If not set, no upcoming renewal is scheduled. - format: date-time - type: string - revision: - description: - "The current 'revision' of the certificate as issued. - \n When a CertificateRequest resource is created, it will have the - `cert-manager.io/certificate-revision` set to one greater than the - current value of this field. \n Upon issuance, this field will be - set to the value of the annotation on the CertificateRequest resource - used to issue the certificate. \n Persisting the value on the CertificateRequest - resource allows the certificates controller to know whether a request - is part of an old issuance or if it is part of the ongoing revision's - issuance by checking if the revision value in the annotation is - greater than this field." - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. 
- jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: - "A Certificate resource should be created to ensure an up to - date and signed x509 certificate is stored in the Kubernetes Secret resource - named in `spec.secretName`. \n The stored certificate will be renewed before - it expires (as configured by `spec.renewBefore`)." - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - properties: - commonName: - description: - "CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4" - type: string - dnsNames: - description: - DNSNames is a list of DNS subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - duration: - description: - The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. 
If overridden - and `renewBefore` is greater than the actual certificate duration, - the certificate will be automatically renewed 2/3rds of the way - through the certificate's duration. - type: string - emailSANs: - description: - EmailSANs is a list of email subjectAltNames to be set - on the Certificate. - items: - type: string - type: array - ipAddresses: - description: - IPAddresses is a list of IP address subjectAltNames to - be set on the Certificate. - items: - type: string - type: array - isCA: - description: - IsCA will mark this Certificate as valid for certificate - signing. This will automatically add the `cert sign` usage to the - list of `usages`. - type: boolean - issuerRef: - description: - IssuerRef is a reference to the issuer for this certificate. - If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - keystores: - description: - Keystores configures additional keystore output formats - stored in the `secretName` Secret resource. - properties: - jks: - description: - JKS configures options for storing a JKS keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: - Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. 
- type: boolean - passwordSecretRef: - description: - PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the JKS keystore. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - pkcs12: - description: - PKCS12 configures options for storing a PKCS12 keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: - Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: - PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the PKCS12 keystore. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - type: object - privateKey: - description: Options to control private keys used for the Certificate. - properties: - algorithm: - description: - Algorithm is the private key algorithm of the corresponding - private key for this certificate. 
If provided, allowed values - are either "rsa" or "ecdsa" If `algorithm` is specified and - `size` is not provided, key size of 256 will be used for "ecdsa" - key algorithm and key size of 2048 will be used for "rsa" key - algorithm. - enum: - - RSA - - ECDSA - type: string - encoding: - description: - The private key cryptography standards (PKCS) encoding - for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and - PKCS#8, respectively. Defaults to PKCS#1 if not specified. - enum: - - PKCS1 - - PKCS8 - type: string - rotationPolicy: - description: - RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. - type: string - size: - description: - Size is the key bit size of the corresponding private - key for this certificate. If `algorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `algorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not - specified. No other values are allowed. - maximum: 8192 - minimum: 0 - type: integer - type: object - renewBefore: - description: - The amount of time before the currently issued certificate's - `notAfter` time that cert-manager will begin to attempt to renew - the certificate. If this value is greater than the total duration - of the certificate (i.e. notAfter - notBefore), it will be automatically - renewed 2/3rds of the way through the certificate's duration. 
- type: string - secretName: - description: - SecretName is the name of the secret resource that will - be automatically created and managed by this Certificate resource. - It will be populated with a private key and certificate, signed - by the denoted issuer. - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - properties: - countries: - description: Countries to be used on the Certificate. - items: - type: string - type: array - localities: - description: Cities to be used on the Certificate. - items: - type: string - type: array - organizationalUnits: - description: Organizational Units to be used on the Certificate. - items: - type: string - type: array - organizations: - description: Organizations to be used on the Certificate. - items: - type: string - type: array - postalCodes: - description: Postal codes to be used on the Certificate. - items: - type: string - type: array - provinces: - description: State/Provinces to be used on the Certificate. - items: - type: string - type: array - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - items: - type: string - type: array - type: object - uriSANs: - description: - URISANs is a list of URI subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - usages: - description: - Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: - 'KeyUsage specifies valid usage contexts for keys. 
- See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - secretName - type: object - status: - description: Status of the Certificate. This is set and managed automatically. - properties: - conditions: - description: - List of status conditions to indicate the status of certificates. - Known condition types are `Ready` and `Issuing`. - items: - description: - CertificateCondition contains condition information - for an Certificate. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: - Type of the condition, known values are ('Ready', - `Issuing`). - type: string - required: - - status - - type - type: object - type: array - lastFailureTime: - description: - LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. - format: date-time - type: string - nextPrivateKeySecretName: - description: - The name of the Secret resource containing the private - key to be used for the next certificate iteration. The keymanager - controller will automatically set this field if the `Issuing` condition - is set to `True`. It will automatically unset this field when the - Issuing condition is not set or False. - type: string - notAfter: - description: - The expiration time of the certificate stored in the - secret named by this resource in `spec.secretName`. - format: date-time - type: string - notBefore: - description: - The time after which the certificate stored in the secret - named by this resource in spec.secretName is valid. - format: date-time - type: string - renewalTime: - description: - RenewalTime is the time at which the certificate will - be next renewed. If not set, no upcoming renewal is scheduled. - format: date-time - type: string - revision: - description: - "The current 'revision' of the certificate as issued. - \n When a CertificateRequest resource is created, it will have the - `cert-manager.io/certificate-revision` set to one greater than the - current value of this field. \n Upon issuance, this field will be - set to the value of the annotation on the CertificateRequest resource - used to issue the certificate. 
\n Persisting the value on the CertificateRequest - resource allows the certificates controller to know whether a request - is part of an old issuance or if it is part of the ongoing revision's - issuance by checking if the revision value in the annotation is - greater than this field." - type: integer - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: - "A Certificate resource should be created to ensure an up to - date and signed x509 certificate is stored in the Kubernetes Secret resource - named in `spec.secretName`. \n The stored certificate will be renewed before - it expires (as configured by `spec.renewBefore`)." - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - properties: - commonName: - description: - "CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4" - type: string - dnsNames: - description: - DNSNames is a list of DNS subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - duration: - description: - The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If overridden - and `renewBefore` is greater than the actual certificate duration, - the certificate will be automatically renewed 2/3rds of the way - through the certificate's duration. - type: string - emailAddresses: - description: - EmailAddresses is a list of email subjectAltNames to - be set on the Certificate. - items: - type: string - type: array - ipAddresses: - description: - IPAddresses is a list of IP address subjectAltNames to - be set on the Certificate. - items: - type: string - type: array - isCA: - description: - IsCA will mark this Certificate as valid for certificate - signing. This will automatically add the `cert sign` usage to the - list of `usages`. - type: boolean - issuerRef: - description: - IssuerRef is a reference to the issuer for this certificate. - If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. 
The 'name' field in this stanza - is required at all times. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - keystores: - description: - Keystores configures additional keystore output formats - stored in the `secretName` Secret resource. - properties: - jks: - description: - JKS configures options for storing a JKS keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: - Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: - PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the JKS keystore. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - pkcs12: - description: - PKCS12 configures options for storing a PKCS12 keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: - Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. 
The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: - PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the PKCS12 keystore. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - type: object - privateKey: - description: Options to control private keys used for the Certificate. - properties: - algorithm: - description: - Algorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values - are either "rsa" or "ecdsa" If `algorithm` is specified and - `size` is not provided, key size of 256 will be used for "ecdsa" - key algorithm and key size of 2048 will be used for "rsa" key - algorithm. - enum: - - RSA - - ECDSA - type: string - encoding: - description: - The private key cryptography standards (PKCS) encoding - for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and - PKCS#8, respectively. Defaults to PKCS#1 if not specified. - enum: - - PKCS1 - - PKCS8 - type: string - rotationPolicy: - description: - RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. 
If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. - type: string - size: - description: - Size is the key bit size of the corresponding private - key for this certificate. If `algorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `algorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not - specified. No other values are allowed. - maximum: 8192 - minimum: 0 - type: integer - type: object - renewBefore: - description: - The amount of time before the currently issued certificate's - `notAfter` time that cert-manager will begin to attempt to renew - the certificate. If this value is greater than the total duration - of the certificate (i.e. notAfter - notBefore), it will be automatically - renewed 2/3rds of the way through the certificate's duration. - type: string - secretName: - description: - SecretName is the name of the secret resource that will - be automatically created and managed by this Certificate resource. - It will be populated with a private key and certificate, signed - by the denoted issuer. - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - properties: - countries: - description: Countries to be used on the Certificate. - items: - type: string - type: array - localities: - description: Cities to be used on the Certificate. - items: - type: string - type: array - organizationalUnits: - description: Organizational Units to be used on the Certificate. - items: - type: string - type: array - organizations: - description: Organizations to be used on the Certificate. - items: - type: string - type: array - postalCodes: - description: Postal codes to be used on the Certificate. 
- items: - type: string - type: array - provinces: - description: State/Provinces to be used on the Certificate. - items: - type: string - type: array - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - items: - type: string - type: array - type: object - uris: - description: - URIs is a list of URI subjectAltNames to be set on the - Certificate. - items: - type: string - type: array - usages: - description: - Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: - 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - secretName - type: object - status: - description: Status of the Certificate. This is set and managed automatically. - properties: - conditions: - description: - List of status conditions to indicate the status of certificates. 
- Known condition types are `Ready` and `Issuing`. - items: - description: - CertificateCondition contains condition information - for an Certificate. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: - Type of the condition, known values are ('Ready', - `Issuing`). - type: string - required: - - status - - type - type: object - type: array - lastFailureTime: - description: - LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. - format: date-time - type: string - nextPrivateKeySecretName: - description: - The name of the Secret resource containing the private - key to be used for the next certificate iteration. The keymanager - controller will automatically set this field if the `Issuing` condition - is set to `True`. It will automatically unset this field when the - Issuing condition is not set or False. - type: string - notAfter: - description: - The expiration time of the certificate stored in the - secret named by this resource in `spec.secretName`. - format: date-time - type: string - notBefore: - description: - The time after which the certificate stored in the secret - named by this resource in spec.secretName is valid. 
- format: date-time - type: string - renewalTime: - description: - RenewalTime is the time at which the certificate will - be next renewed. If not set, no upcoming renewal is scheduled. - format: date-time - type: string - revision: - description: - "The current 'revision' of the certificate as issued. - \n When a CertificateRequest resource is created, it will have the - `cert-manager.io/certificate-revision` set to one greater than the - current value of this field. \n Upon issuance, this field will be - set to the value of the annotation on the CertificateRequest resource - used to issue the certificate. \n Persisting the value on the CertificateRequest - resource allows the certificates controller to know whether a request - is part of an old issuance or if it is part of the ongoing revision's - issuance by checking if the revision value in the annotation is - greater than this field." - type: integer - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: challenges.acme.cert-manager.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: acme.cert-manager.io - names: - kind: Challenge - listKind: ChallengeList - plural: challenges - singular: challenge - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - 
priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: - Challenge is a type to represent a Challenge request with an - ACME server - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - properties: - authzURL: - description: - AuthzURL is the URL to the ACME Authorization resource - that this challenge is a part of. - type: string - dnsName: - description: - DNSName is the identifier that this challenge is for, - e.g. example.com. If the requested DNSName is a 'wildcard', this - field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, - it must be `example.com`. - type: string - issuerRef: - description: - IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Challenge. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Challenge will - be marked as failed. 
- properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - key: - description: - "Key is the ACME challenge key for this challenge For - HTTP01 challenges, this is the value that must be responded with - to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, - this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT - record content." - type: string - solver: - description: - Solver contains the domain solving configuration that - should be used to solve this challenge resource. - properties: - dns01: - description: - Configures cert-manager to attempt to complete authorizations - by performing the DNS01 challenge flow. - properties: - acmedns: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API to manage - DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. 
- properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: - Use the Microsoft Azure DNS API to manage DNS01 - challenge records. 
- properties: - clientID: - description: - if both this and ClientSecret are left unset - MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left unset - MSI will be used - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: - Use the Google Cloud DNS API to manage DNS01 - challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone the challenge - record has to be created. If left empty cert-manager - will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 challenge - records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the - recommended method as it allows greater control of permissions." - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required when - using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage DNS01 - challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. 
- properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain Name - System") (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed in - square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values are - (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is - required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field is - required. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 challenge - records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only this - zone in Route53 and will not do an lookup using the - route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 provider - will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 challenge - solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should be passed - to the webhook apiserver when challenges are processed. - This can contain arbitrary JSON data. Secret values - should not be specified in this stanza. If secret values - are needed (e.g. credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret - resource. For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used when - POSTing ChallengePayload resources to the webhook apiserver. - This should be the same as the GroupName specified in - the webhook provider implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will typically - be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete authorizations - by performing the HTTP01 challenge flow. It is not possible - to obtain certificates for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying Ingress resources - in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. 
- properties: - class: - description: - The ingress class to use when creating Ingress - resources to solve ACME challenges that use this challenge - solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels or - annotations overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added to the - created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that should - have ACME challenge solving routes inserted into it - in order to solve HTTP01 challenges. This is typically - used in conjunction with ingress controllers like ingress-gce, - which maintains a 1:1 mapping between external IPs and - ingress resources. - type: string - podTemplate: - description: - Optional pod template used to configure the - ACME challenge solver pods used for HTTP01 challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod used - to solve HTTP01 challenges. Only the 'labels' and - 'annotations' fields may be set. If labels or annotations - overlap with in-built values, the values here will - override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be added - to the create ACME HTTP01 solver pods. 
- type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added to the - created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity scheduling - rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. - items: - description: - An empty preferred scheduling - term matches all objects with implicit - weight 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector term, - associated with the corresponding - weight. - properties: - matchExpressions: - description: - A list of node - selector requirements by node's - labels. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. 
- properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node - selector requirements by node's - fields. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated with - matching the corresponding nodeSelectorTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to an update), - the system may or may not try to eventually - evict the pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list of node - selector terms. The terms are ORed. - items: - description: - A null or empty node - selector term matches no objects. - The requirements of them are ANDed. - The TopologySelectorTerm type - implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of node - selector requirements by node's - labels. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node - selector requirements by node's - fields. 
- items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity scheduling - rules (e.g. co-locate this pod in the same - node, zone, etc. as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. 
- items: - description: - The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: - A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: - key is - the label key that - the selector applies - to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: - values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: - A label query over - a set of resources, in this case - pods. 
- properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - key is the - label key that the selector - applies to. - type: string - operator: - description: - operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the - same node, zone, etc. as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: - The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: - A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: - key is - the label key that - the selector applies - to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. 
- type: string - values: - description: - values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. 
If the anti-affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: - A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - key is the - label key that the selector - applies to. - type: string - operator: - description: - operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is - a map of {key,value} pairs. 
- A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector which - must be true for the pod to fit on a node. Selector - which must match a node's labels for the pod - to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: - Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. 
- type: string - key: - description: - Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: - Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: - Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes solver - service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver has - a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames - selector will take precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, - the solver with the most matching labels in matchLabels - will be selected. 
If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will be used - to solve. The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - type: object - type: object - token: - description: - Token is the ACME challenge token for this challenge. - This is the raw value returned from the ACME server. - type: string - type: - description: - Type is the type of ACME challenge this resource represents. - One of "http-01" or "dns-01". - enum: - - http-01 - - dns-01 - type: string - url: - description: - URL is the URL of the ACME Challenge resource for this - challenge. This can be used to lookup details about the status of - this challenge. - type: string - wildcard: - description: - Wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com'. - type: boolean - required: - - authzURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: - Presented will be set to true if the challenge values - for this challenge are currently 'presented'. This *does not* imply - the self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. 
the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: - Processing is used to denote whether this challenge should - be processed or not. This field will only be set to true by the - 'scheduling' component. It will only be set to false by the 'challenges' - controller, after the challenge has reached a final state or timed - out. If this field is set to false, the challenge controller will - not take any more action. - type: boolean - reason: - description: - Reason contains human readable information on why the - Challenge is in the current state. - type: string - state: - description: - State contains the current 'state' of the challenge. - If not set, the state of the challenge is unknown. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - type: object - required: - - metadata - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: - Challenge is a type to represent a Challenge request with an - ACME server - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - properties: - authzURL: - description: - AuthzURL is the URL to the ACME Authorization resource - that this challenge is a part of. - type: string - dnsName: - description: - DNSName is the identifier that this challenge is for, - e.g. example.com. If the requested DNSName is a 'wildcard', this - field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, - it must be `example.com`. - type: string - issuerRef: - description: - IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Challenge. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Challenge will - be marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - key: - description: - "Key is the ACME challenge key for this challenge For - HTTP01 challenges, this is the value that must be responded with - to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, - this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT - record content." - type: string - solver: - description: - Solver contains the domain solving configuration that - should be used to solve this challenge resource. 
- properties: - dns01: - description: - Configures cert-manager to attempt to complete authorizations - by performing the DNS01 challenge flow. - properties: - acmedns: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API to manage - DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. 
- type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: - Use the Microsoft Azure DNS API to manage DNS01 - challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left unset - MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left unset - MSI will be used - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: - Use the Google Cloud DNS API to manage DNS01 - challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone the challenge - record has to be created. If left empty cert-manager - will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 challenge - records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the - recommended method as it allows greater control of permissions." - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. 
Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required when - using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage DNS01 - challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain Name - System") (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed in - square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values are - (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is - required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field is - required. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 challenge - records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only this - zone in Route53 and will not do an lookup using the - route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 provider - will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 challenge - solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should be passed - to the webhook apiserver when challenges are processed. - This can contain arbitrary JSON data. Secret values - should not be specified in this stanza. If secret values - are needed (e.g. 
credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret - resource. For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used when - POSTing ChallengePayload resources to the webhook apiserver. - This should be the same as the GroupName specified in - the webhook provider implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will typically - be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete authorizations - by performing the HTTP01 challenge flow. It is not possible - to obtain certificates for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying Ingress resources - in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating Ingress - resources to solve ACME challenges that use this challenge - solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. 
If labels or - annotations overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added to the - created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that should - have ACME challenge solving routes inserted into it - in order to solve HTTP01 challenges. This is typically - used in conjunction with ingress controllers like ingress-gce, - which maintains a 1:1 mapping between external IPs and - ingress resources. - type: string - podTemplate: - description: - Optional pod template used to configure the - ACME challenge solver pods used for HTTP01 challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod used - to solve HTTP01 challenges. Only the 'labels' and - 'annotations' fields may be set. If labels or annotations - overlap with in-built values, the values here will - override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added to the - created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity scheduling - rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. - items: - description: - An empty preferred scheduling - term matches all objects with implicit - weight 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector term, - associated with the corresponding - weight. - properties: - matchExpressions: - description: - A list of node - selector requirements by node's - labels. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. 
If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node - selector requirements by node's - fields. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated with - matching the corresponding nodeSelectorTerm, - in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to an update), - the system may or may not try to eventually - evict the pod from its node. 
- properties: - nodeSelectorTerms: - description: - Required. A list of node - selector terms. The terms are ORed. - items: - description: - A null or empty node - selector term matches no objects. - The requirements of them are ANDed. - The TopologySelectorTerm type - implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of node - selector requirements by node's - labels. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node - selector requirements by node's - fields. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. 
If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity scheduling - rules (e.g. co-locate this pod in the same - node, zone, etc. as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: - The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: - A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. 
- items: - description: - A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: - key is - the label key that - the selector applies - to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: - values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: - A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - key is the - label key that the selector - applies to. - type: string - operator: - description: - operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. 
This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the - same node, zone, etc. as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. 
for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: - The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: - A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: - key is - the label key that - the selector applies - to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: - values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the anti-affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: - A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - key is the - label key that the selector - applies to. - type: string - operator: - description: - operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector which - must be true for the pod to fit on a node. Selector - which must match a node's labels for the pod - to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: - Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: - Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes solver - service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver has - a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames - selector will take precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will be used - to solve. 
The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - type: object - type: object - token: - description: - Token is the ACME challenge token for this challenge. - This is the raw value returned from the ACME server. - type: string - type: - description: - Type is the type of ACME challenge this resource represents. - One of "http-01" or "dns-01". - enum: - - http-01 - - dns-01 - type: string - url: - description: - URL is the URL of the ACME Challenge resource for this - challenge. This can be used to lookup details about the status of - this challenge. - type: string - wildcard: - description: - Wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com'. - type: boolean - required: - - authzURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: - Presented will be set to true if the challenge values - for this challenge are currently 'presented'. This *does not* imply - the self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: - Processing is used to denote whether this challenge should - be processed or not. 
This field will only be set to true by the - 'scheduling' component. It will only be set to false by the 'challenges' - controller, after the challenge has reached a final state or timed - out. If this field is set to false, the challenge controller will - not take any more action. - type: boolean - reason: - description: - Reason contains human readable information on why the - Challenge is in the current state. - type: string - state: - description: - State contains the current 'state' of the challenge. - If not set, the state of the challenge is unknown. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - type: object - required: - - metadata - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: - Challenge is a type to represent a Challenge request with an - ACME server - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - properties: - authorizationURL: - description: - The URL to the ACME Authorization resource that this - challenge is a part of. - type: string - dnsName: - description: - dnsName is the identifier that this challenge is for, - e.g. example.com. If the requested DNSName is a 'wildcard', this - field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, - it must be `example.com`. - type: string - issuerRef: - description: - References a properly configured ACME-type Issuer which - should be used to create this Challenge. If the Issuer does not - exist, processing will be retried. If the Issuer is not an 'ACME' - Issuer, an error will be returned and the Challenge will be marked - as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - key: - description: - "The ACME challenge key for this challenge For HTTP01 - challenges, this is the value that must be responded with to complete - the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is - the base64 encoded SHA256 sum of the `.` text that must be set as the TXT - record content." - type: string - solver: - description: - Contains the domain solving configuration that should - be used to solve this challenge resource. - properties: - dns01: - description: - Configures cert-manager to attempt to complete authorizations - by performing the DNS01 challenge flow. 
- properties: - acmeDNS: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API to manage - DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: - Use the Microsoft Azure DNS API to manage DNS01 - challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left unset - MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left unset - MSI will be used - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: - Use the Google Cloud DNS API to manage DNS01 - challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone the challenge - record has to be created. If left empty cert-manager - will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 challenge - records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the - recommended method as it allows greater control of permissions." - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. 
Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required when - using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage DNS01 - challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain Name - System") (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed in - square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values are - (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is - required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field is - required. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 challenge - records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only this - zone in Route53 and will not do an lookup using the - route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 provider - will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 challenge - solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should be passed - to the webhook apiserver when challenges are processed. - This can contain arbitrary JSON data. Secret values - should not be specified in this stanza. If secret values - are needed (e.g. 
credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret - resource. For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used when - POSTing ChallengePayload resources to the webhook apiserver. - This should be the same as the GroupName specified in - the webhook provider implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will typically - be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete authorizations - by performing the HTTP01 challenge flow. It is not possible - to obtain certificates for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying Ingress resources - in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating Ingress - resources to solve ACME challenges that use this challenge - solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. 
If labels or - annotations overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added to the - created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that should - have ACME challenge solving routes inserted into it - in order to solve HTTP01 challenges. This is typically - used in conjunction with ingress controllers like ingress-gce, - which maintains a 1:1 mapping between external IPs and - ingress resources. - type: string - podTemplate: - description: - Optional pod template used to configure the - ACME challenge solver pods used for HTTP01 challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod used - to solve HTTP01 challenges. Only the 'labels' and - 'annotations' fields may be set. If labels or annotations - overlap with in-built values, the values here will - override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added to the - created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity scheduling - rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. - items: - description: - An empty preferred scheduling - term matches all objects with implicit - weight 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector term, - associated with the corresponding - weight. - properties: - matchExpressions: - description: - A list of node - selector requirements by node's - labels. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. 
If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node - selector requirements by node's - fields. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated with - matching the corresponding nodeSelectorTerm, - in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to an update), - the system may or may not try to eventually - evict the pod from its node. 
- properties: - nodeSelectorTerms: - description: - Required. A list of node - selector terms. The terms are ORed. - items: - description: - A null or empty node - selector term matches no objects. - The requirements of them are ANDed. - The TopologySelectorTerm type - implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of node - selector requirements by node's - labels. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node - selector requirements by node's - fields. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. 
If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity scheduling - rules (e.g. co-locate this pod in the same - node, zone, etc. as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: - The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: - A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. 
- items: - description: - A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: - key is - the label key that - the selector applies - to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: - values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: - A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - key is the - label key that the selector - applies to. - type: string - operator: - description: - operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. 
This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the - same node, zone, etc. as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. 
for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: - The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: - A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: - key is - the label key that - the selector applies - to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: - values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the anti-affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: - A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - key is the - label key that the selector - applies to. - type: string - operator: - description: - operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector which - must be true for the pod to fit on a node. Selector - which must match a node's labels for the pod - to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: - Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: - Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes solver - service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver has - a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames - selector will take precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will be used - to solve. 
The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - type: object - type: object - token: - description: - The ACME challenge token for this challenge. This is - the raw value returned from the ACME server. - type: string - type: - description: - The type of ACME challenge this resource represents. - One of "HTTP-01" or "DNS-01". - enum: - - HTTP-01 - - DNS-01 - type: string - url: - description: - The URL of the ACME Challenge resource for this challenge. - This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: - wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com'. - type: boolean - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: - presented will be set to true if the challenge values - for this challenge are currently 'presented'. This *does not* imply - the self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: - Used to denote whether this challenge should be processed - or not. 
This field will only be set to true by the 'scheduling' - component. It will only be set to false by the 'challenges' controller, - after the challenge has reached a final state or timed out. If this - field is set to false, the challenge controller will not take any - more action. - type: boolean - reason: - description: - Contains human readable information on why the Challenge - is in the current state. - type: string - state: - description: - Contains the current 'state' of the challenge. If not - set, the state of the challenge is unknown. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: - Challenge is a type to represent a Challenge request with an - ACME server - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - properties: - authorizationURL: - description: - The URL to the ACME Authorization resource that this - challenge is a part of. - type: string - dnsName: - description: - dnsName is the identifier that this challenge is for, - e.g. example.com. If the requested DNSName is a 'wildcard', this - field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, - it must be `example.com`. - type: string - issuerRef: - description: - References a properly configured ACME-type Issuer which - should be used to create this Challenge. If the Issuer does not - exist, processing will be retried. If the Issuer is not an 'ACME' - Issuer, an error will be returned and the Challenge will be marked - as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - key: - description: - "The ACME challenge key for this challenge For HTTP01 - challenges, this is the value that must be responded with to complete - the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is - the base64 encoded SHA256 sum of the `.` text that must be set as the TXT - record content." - type: string - solver: - description: - Contains the domain solving configuration that should - be used to solve this challenge resource. - properties: - dns01: - description: - Configures cert-manager to attempt to complete authorizations - by performing the DNS01 challenge flow. 
- properties: - acmeDNS: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API to manage - DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: - Use the Microsoft Azure DNS API to manage DNS01 - challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left unset - MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left unset - MSI will be used - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: - Use the Google Cloud DNS API to manage DNS01 - challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone the challenge - record has to be created. If left empty cert-manager - will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 challenge - records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the - recommended method as it allows greater control of permissions." - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. 
Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required when - using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage DNS01 - challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain Name - System") (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed in - square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values are - (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is - required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field is - required. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 challenge - records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only this - zone in Route53 and will not do an lookup using the - route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 provider - will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 challenge - solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should be passed - to the webhook apiserver when challenges are processed. - This can contain arbitrary JSON data. Secret values - should not be specified in this stanza. If secret values - are needed (e.g. 
credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret - resource. For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used when - POSTing ChallengePayload resources to the webhook apiserver. - This should be the same as the GroupName specified in - the webhook provider implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will typically - be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete authorizations - by performing the HTTP01 challenge flow. It is not possible - to obtain certificates for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying Ingress resources - in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating Ingress - resources to solve ACME challenges that use this challenge - solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. 
If labels or - annotations overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added to the - created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that should - have ACME challenge solving routes inserted into it - in order to solve HTTP01 challenges. This is typically - used in conjunction with ingress controllers like ingress-gce, - which maintains a 1:1 mapping between external IPs and - ingress resources. - type: string - podTemplate: - description: - Optional pod template used to configure the - ACME challenge solver pods used for HTTP01 challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod used - to solve HTTP01 challenges. Only the 'labels' and - 'annotations' fields may be set. If labels or annotations - overlap with in-built values, the values here will - override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added to the - created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity scheduling - rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. - items: - description: - An empty preferred scheduling - term matches all objects with implicit - weight 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector term, - associated with the corresponding - weight. - properties: - matchExpressions: - description: - A list of node - selector requirements by node's - labels. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. 
If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node - selector requirements by node's - fields. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated with - matching the corresponding nodeSelectorTerm, - in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to an update), - the system may or may not try to eventually - evict the pod from its node. 
- properties: - nodeSelectorTerms: - description: - Required. A list of node - selector terms. The terms are ORed. - items: - description: - A null or empty node - selector term matches no objects. - The requirements of them are ANDed. - The TopologySelectorTerm type - implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of node - selector requirements by node's - labels. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of node - selector requirements by node's - fields. - items: - description: - A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - The label - key that the selector - applies to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. 
If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity scheduling - rules (e.g. co-locate this pod in the same - node, zone, etc. as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: - The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: - A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. 
- items: - description: - A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: - key is - the label key that - the selector applies - to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: - values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: - A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - key is the - label key that the selector - applies to. - type: string - operator: - description: - operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. 
This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the - same node, zone, etc. as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. 
for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: - The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: - A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: - key is - the label key that - the selector applies - to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: - values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the anti-affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: - A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: - key is the - label key that the selector - applies to. - type: string - operator: - description: - operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector which - must be true for the pod to fit on a node. Selector - which must match a node's labels for the pod - to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: - Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: - Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes solver - service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver has - a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames - selector will take precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will be used - to solve. 
The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - type: object - type: object - token: - description: - The ACME challenge token for this challenge. This is - the raw value returned from the ACME server. - type: string - type: - description: - The type of ACME challenge this resource represents. - One of "HTTP-01" or "DNS-01". - enum: - - HTTP-01 - - DNS-01 - type: string - url: - description: - The URL of the ACME Challenge resource for this challenge. - This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: - wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com'. - type: boolean - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: - presented will be set to true if the challenge values - for this challenge are currently 'presented'. This *does not* imply - the self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: - Used to denote whether this challenge should be processed - or not. 
This field will only be set to true by the 'scheduling' - component. It will only be set to false by the 'challenges' controller, - after the challenge has reached a final state or timed out. If this - field is set to false, the challenge controller will not take any - more action. - type: boolean - reason: - description: - Contains human readable information on why the Challenge - is in the current state. - type: string - state: - description: - Contains the current 'state' of the challenge. If not - set, the state of the challenge is unknown. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: clusterissuers.cert-manager.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: cert-manager.io - names: - kind: ClusterIssuer - listKind: ClusterIssuerList - plural: clusterissuers - singular: clusterissuer - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. 
Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: - A ClusterIssuer represents a certificate issuing authority which - can be referenced as part of `issuerRef` fields. It is similar to an Issuer, - however it is cluster-scoped and therefore can be referenced by resources - that exist in *any* namespace, not just the same namespace as the referent. - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - properties: - acme: - description: - ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: - Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: - Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. 
It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: - ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: - keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: - keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: - keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: - 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. 
For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: - PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - server: - description: - 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: - Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: - "Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. 
Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/" - items: - description: - Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmedns: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: - Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left - unset MSI will be used - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. 
- type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: - Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions." 
- properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: - API token used to authenticate with - Cloudflare. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. 
- credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. 
- If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: - Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity - scheduling rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: - An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. 
- If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. 
due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list - of node selector terms. The - terms are ORed. - items: - description: - A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. 
- type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? 
matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. 
- type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. 
The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node's labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: - If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: - Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: - Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will - be used to solve. 
The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: - CA configures this issuer to sign certificates using - a signing CA key pair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: - SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. 
- items: - type: string - type: array - type: object - vault: - description: - Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: - Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: - AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: - 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: - RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: - Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: - Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: - The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. 
- type: string - role: - description: - A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: - The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: - TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - type: object - caBundle: - description: - PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: - 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: - 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: - 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: - Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: - APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: - CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. 
- format: byte - type: string - credentialsRef: - description: - CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - properties: - acme: - description: - ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: - LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: - URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: - IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. 
- format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: - A ClusterIssuer represents a certificate issuing authority which - can be referenced as part of `issuerRef` fields. It is similar to an Issuer, - however it is cluster-scoped and therefore can be referenced by resources - that exist in *any* namespace, not just the same namespace as the referent. - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - properties: - acme: - description: - ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: - Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: - Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: - ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: - keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". 
- enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: - keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: - keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: - 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: - PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. 
- properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - server: - description: - 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: - Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: - "Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/" - items: - description: - Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmedns: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. 
- properties: - accountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: - Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left - unset MSI will be used - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: - Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions." - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. 
Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: - API token used to authenticate with - Cloudflare. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. 
- credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. 
- If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: - Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity - scheduling rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: - An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. 
- If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. 
due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list - of node selector terms. The - terms are ORed. - items: - description: - A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. 
- type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? 
matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. 
- type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. 
The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node's labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: - If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: - Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: - Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will - be used to solve. 
The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: - CA configures this issuer to sign certificates using - a signing CA key pair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: - SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. 
- items: - type: string - type: array - type: object - vault: - description: - Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: - Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: - AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: - 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: - RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: - Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: - Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: - The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. 
- type: string - role: - description: - A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: - The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: - TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - type: object - caBundle: - description: - PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: - 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: - 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: - 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: - Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: - APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: - CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. 
- format: byte - type: string - credentialsRef: - description: - CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - properties: - acme: - description: - ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: - LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: - URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: - IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. 
- format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: - A ClusterIssuer represents a certificate issuing authority which - can be referenced as part of `issuerRef` fields. It is similar to an Issuer, - however it is cluster-scoped and therefore can be referenced by resources - that exist in *any* namespace, not just the same namespace as the referent. - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - properties: - acme: - description: - ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: - Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: - Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: - ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: - keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". 
- enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: - keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: - keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: - 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: - PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. 
- properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - server: - description: - 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: - Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: - "Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/" - items: - description: - Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmeDNS: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. 
- properties: - accountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: - Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left - unset MSI will be used - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: - Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions." - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. 
Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: - API token used to authenticate with - Cloudflare. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. 
- credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. 
- If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: - Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity - scheduling rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: - An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. 
- If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. 
due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list - of node selector terms. The - terms are ORed. - items: - description: - A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. 
- type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? 
matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. 
- type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. 
The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node's labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: - If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: - Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: - Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will - be used to solve. 
The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: - CA configures this issuer to sign certificates using - a signing CA key pair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: - SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. 
- items: - type: string - type: array - type: object - vault: - description: - Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: - Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: - AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: - 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: - RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: - Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: - Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: - The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. 
- type: string - role: - description: - A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: - The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: - TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - type: object - caBundle: - description: - PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: - 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: - 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: - 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: - Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: - APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: - CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. 
- format: byte - type: string - credentialsRef: - description: - CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - properties: - acme: - description: - ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: - LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: - URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: - IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. 
- format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: - A ClusterIssuer represents a certificate issuing authority which - can be referenced as part of `issuerRef` fields. It is similar to an Issuer, - however it is cluster-scoped and therefore can be referenced by resources - that exist in *any* namespace, not just the same namespace as the referent. - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - properties: - acme: - description: - ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: - Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: - Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: - ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: - keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". 
- enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: - keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: - keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: - 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: - PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. 
- properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - server: - description: - 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: - Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: - "Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/" - items: - description: - Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmeDNS: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. 
- properties: - accountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: - Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left - unset MSI will be used - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: - Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions." - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. 
Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: - API token used to authenticate with - Cloudflare. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. 
- credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. 
- If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: - Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity - scheduling rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: - An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. 
- If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. 
due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list - of node selector terms. The - terms are ORed. - items: - description: - A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. 
- type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? 
matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. 
- type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. 
The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node's labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: - If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: - Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: - Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will - be used to solve. 
The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: - CA configures this issuer to sign certificates using - a signing CA key pair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: - SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. 
- items: - type: string - type: array - type: object - vault: - description: - Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: - Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: - AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: - 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: - RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: - Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: - Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: - The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. 
- type: string - role: - description: - A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: - The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: - TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - type: object - caBundle: - description: - PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: - 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: - 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: - 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: - Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: - APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: - CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. 
- format: byte - type: string - credentialsRef: - description: - CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - properties: - acme: - description: - ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: - LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: - URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: - IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. 
- format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: issuers.cert-manager.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: cert-manager.io - names: - kind: Issuer - listKind: IssuerList - plural: issuers - singular: issuer - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. 
- jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: - An Issuer represents a certificate issuing authority which can - be referenced as part of `issuerRef` fields. It is scoped to a single namespace - and can therefore only be referenced by resources within the same namespace. - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - properties: - acme: - description: - ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: - Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: - Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. 
This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: - ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: - keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: - keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: - keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: - 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. 
This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: - PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - server: - description: - 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: - Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: - "Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. 
For more information, see: https://cert-manager.io/docs/configuration/acme/" - items: - description: - Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmedns: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. 
- properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: - Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left - unset MSI will be used - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: - Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions." - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. 
Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: - API token used to authenticate with - Cloudflare. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. 
- credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. 
- If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: - Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity - scheduling rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: - An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. 
- If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. 
due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list - of node selector terms. The - terms are ORed. - items: - description: - A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. 
- type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? 
matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. 
- type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. 
The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node's labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: - If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: - Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: - Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will - be used to solve. 
The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: - CA configures this issuer to sign certificates using - a signing CA key pair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: - SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. 
- items: - type: string - type: array - type: object - vault: - description: - Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: - Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: - AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: - 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: - RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: - Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: - Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: - The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. 
- type: string - role: - description: - A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: - The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: - TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - type: object - caBundle: - description: - PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: - 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: - 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: - 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: - Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: - APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: - CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. 
- format: byte - type: string - credentialsRef: - description: - CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the Issuer. This is set and managed automatically. - properties: - acme: - description: - ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: - LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: - URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: - IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. 
- format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: - An Issuer represents a certificate issuing authority which can - be referenced as part of `issuerRef` fields. It is scoped to a single namespace - and can therefore only be referenced by resources within the same namespace. - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - properties: - acme: - description: - ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: - Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: - Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: - ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: - keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". 
- enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: - keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: - keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: - 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: - PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. 
- properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - server: - description: - 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: - Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: - "Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/" - items: - description: - Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmedns: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. 
- properties: - accountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: - Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left - unset MSI will be used - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: - Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions." - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. 
Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: - API token used to authenticate with - Cloudflare. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. 
- credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. 
- If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: - Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity - scheduling rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: - An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. 
- If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. 
due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list - of node selector terms. The - terms are ORed. - items: - description: - A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. 
- type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? 
matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. 
- type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. 
The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node's labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: - If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: - Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: - Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will - be used to solve. 
The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: - CA configures this issuer to sign certificates using - a signing CA key pair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: - SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. 
- items: - type: string - type: array - type: object - vault: - description: - Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: - Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: - AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: - 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: - RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: - Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: - Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: - The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. 
- type: string - role: - description: - A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: - The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: - TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - type: object - caBundle: - description: - PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: - 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: - 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: - 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: - Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: - APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: - CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. 
- format: byte - type: string - credentialsRef: - description: - CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the Issuer. This is set and managed automatically. - properties: - acme: - description: - ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: - LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: - URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: - IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. 
- format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: - An Issuer represents a certificate issuing authority which can - be referenced as part of `issuerRef` fields. It is scoped to a single namespace - and can therefore only be referenced by resources within the same namespace. - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - properties: - acme: - description: - ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: - Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: - Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: - ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: - keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". 
- enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: - keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: - keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: - 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: - PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. 
- properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - server: - description: - 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: - Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: - "Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/" - items: - description: - Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmeDNS: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. 
- properties: - accountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: - Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left - unset MSI will be used - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: - Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions." - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. 
Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: - API token used to authenticate with - Cloudflare. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. 
- credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. 
- If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: - Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity - scheduling rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: - An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. 
- If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. 
due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list - of node selector terms. The - terms are ORed. - items: - description: - A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. 
- type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? 
matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. 
- type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. 
The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node's labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: - If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: - Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: - Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will - be used to solve. 
The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: - CA configures this issuer to sign certificates using - a signing CA key pair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: - SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. 
- items: - type: string - type: array - type: object - vault: - description: - Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: - Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: - AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: - 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: - RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: - Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: - Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: - The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. 
- type: string - role: - description: - A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: - The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: - TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - type: object - caBundle: - description: - PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: - 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: - 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: - 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: - Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: - APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: - CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. 
- format: byte - type: string - credentialsRef: - description: - CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the Issuer. This is set and managed automatically. - properties: - acme: - description: - ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: - LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: - URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: - IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. 
- format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: - An Issuer represents a certificate issuing authority which can - be referenced as part of `issuerRef` fields. It is scoped to a single namespace - and can therefore only be referenced by resources within the same namespace. - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - properties: - acme: - description: - ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: - Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: - Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: - ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: - keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". 
- enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: - keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: - keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: - 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: - PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. 
- properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - server: - description: - 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: - Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: - "Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/" - items: - description: - Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmeDNS: - description: - Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. 
- properties: - accountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: - Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientSecretSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - clientTokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: - Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: - if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: - if both this and ClientID are left - unset MSI will be used - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: - when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: - Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: - HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: - Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: - "API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions." - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. 
Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - apiTokenSecretRef: - description: - API token used to authenticate with - Cloudflare. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - email: - description: - Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: - CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: - Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: - A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: - Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: - The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: - "The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``." - type: string - tsigKeyName: - description: - The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: - The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: - Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: - "The AccessKeyID is used for authentication. 
- If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials" - type: string - hostedZoneID: - description: - If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: - Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: - Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: - The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: - The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: - Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: - Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. 
- credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: - The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: - The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: - Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: - The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: - The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: - Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. 
- If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: - The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: - Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: - ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: - Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: - Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: - PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. 
- properties: - affinity: - description: - If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: - Describes node affinity - scheduling rules for the pod. - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: - An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: - A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. 
- If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: - Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. 
due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: - Required. A list - of node selector terms. The - terms are ORed. - items: - description: - A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: - A list of - node selector requirements - by node's labels. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: - A list of - node selector requirements - by node's fields. - items: - description: - A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - The - label key that - the selector applies - to. - type: string - operator: - description: - Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. 
- type: string - values: - description: - An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: - Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? 
matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. 
- type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - ? preferredDuringSchedulingIgnoredDuringExecution - : description: - The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. 
The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: - The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - ? matchExpressions - : description: - matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - ? description - : key - is the label - key that the - selector applies - to. - type: string - operator: - ? description - : operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - ? description - : values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. 
A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: - namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - ? requiredDuringSchedulingIgnoredDuringExecution - : description: - If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. 
- items: - description: - Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: - A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: - A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: - key - is the label key - that the selector - applies to. - type: string - operator: - description: - operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: - values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - ? additionalProperties - : type: string - description: - matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. 
- type: object - type: object - namespaces: - description: - namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node's labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: - If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: - Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: - Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. 
- type: string - operator: - description: - Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: - Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: - Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: - Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: - List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: - List of DNSZones that this solver will - be used to solve. 
The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: - A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: - CA configures this issuer to sign certificates using - a signing CA key pair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: - SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: - SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: - The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. 
- items: - type: string - type: array - type: object - vault: - description: - Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: - Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: - AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: - 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: - RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: - Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: - Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: - The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. 
- type: string - role: - description: - A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: - The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: - TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - type: object - caBundle: - description: - PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: - 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. 
e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: - 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: - 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: - Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: - Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: - APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: - The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: - TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: - CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. 
- format: byte - type: string - credentialsRef: - description: - CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: - "Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" - type: string - required: - - name - type: object - url: - description: - 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: - Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the Issuer. This is set and managed automatically. - properties: - acme: - description: - ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: - LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: - URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: - List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: - IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: - LastTransitionTime is the timestamp corresponding - to the last status change of this condition. 
- format: date-time - type: string - message: - description: - Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: - Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: - Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: orders.acme.cert-manager.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: acme.cert-manager.io - names: - kind: Order - listKind: OrderList - plural: orders - singular: order - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. 
- jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - properties: - commonName: - description: - CommonName is the common name as specified on the DER - encoded CSR. If specified, this value must also be present in `dnsNames`. - This field must match the corresponding field on the DER encoded - CSR. - type: string - csr: - description: - Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - format: byte - type: string - dnsNames: - description: - DNSNames is a list of DNS names that should be included - as part of the Order validation process. This field must match the - corresponding field on the DER encoded CSR. - items: - type: string - type: array - issuerRef: - description: - IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Order. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Order will be - marked as failed. - properties: - group: - description: Group of the resource being referred to. 
- type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - required: - - csr - - dnsNames - - issuerRef - type: object - status: - properties: - authorizations: - description: - Authorizations contains data returned from the ACME server - on what authorizations must be completed in order to validate the - DNS names specified on the Order. - items: - description: - ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order validate - a DNS name on an ACME Order resource. - properties: - challenges: - description: - Challenges specifies the challenge types offered - by the ACME server. One of these challenge types will be selected - when validating the DNS name and an appropriate Challenge - resource will be created to perform the ACME challenge process. - items: - description: - Challenge specifies a challenge offered by the - ACME server for an Order. An appropriate Challenge resource - can be created to perform the ACME challenge process. - properties: - token: - description: - Token is the token that must be presented - for this challenge. This is used to compute the 'key' - that must also be presented. - type: string - type: - description: - Type is the type of challenge being offered, - e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is - the raw value retrieved from the ACME server. Only 'http-01' - and 'dns-01' are supported by cert-manager, other values - will be ignored. - type: string - url: - description: - URL is the URL of this challenge. It can - be used to retrieve additional metadata about the Challenge - from the ACME server. 
- type: string - required: - - token - - type - - url - type: object - type: array - identifier: - description: - Identifier is the DNS name to be validated as part - of this authorization - type: string - initialState: - description: - InitialState is the initial state of the ACME authorization - when first fetched from the ACME server. If an Authorization - is already 'valid', the Order controller will not create a - Challenge resource for the authorization. This will occur - when working with an ACME server that enables 'authz reuse' - (such as Let's Encrypt's production endpoint). If not set - and 'identifier' is set, the state is assumed to be pending - and a Challenge will be created. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: - URL is the URL of the Authorization that must be - completed - type: string - wildcard: - description: - Wildcard will be true if this authorization is - for a wildcard DNS name. If this is true, the identifier will - be the *non-wildcard* version of the DNS name. For example, - if '*.example.com' is the DNS name being validated, this field - will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - required: - - url - type: object - type: array - certificate: - description: - Certificate is a copy of the PEM encoded certificate - for this Order. This field will be populated after the order has - been successfully finalized with the ACME server, and the order - has transitioned to the 'valid' state. - format: byte - type: string - failureTime: - description: - FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: - FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. 
- type: string - reason: - description: - Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: - State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: - URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. - type: string - type: object - required: - - metadata - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - properties: - commonName: - description: - CommonName is the common name as specified on the DER - encoded CSR. If specified, this value must also be present in `dnsNames`. - This field must match the corresponding field on the DER encoded - CSR. - type: string - csr: - description: - Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - format: byte - type: string - dnsNames: - description: - DNSNames is a list of DNS names that should be included - as part of the Order validation process. This field must match the - corresponding field on the DER encoded CSR. - items: - type: string - type: array - issuerRef: - description: - IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Order. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Order will be - marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - required: - - csr - - dnsNames - - issuerRef - type: object - status: - properties: - authorizations: - description: - Authorizations contains data returned from the ACME server - on what authorizations must be completed in order to validate the - DNS names specified on the Order. 
- items: - description: - ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order validate - a DNS name on an ACME Order resource. - properties: - challenges: - description: - Challenges specifies the challenge types offered - by the ACME server. One of these challenge types will be selected - when validating the DNS name and an appropriate Challenge - resource will be created to perform the ACME challenge process. - items: - description: - Challenge specifies a challenge offered by the - ACME server for an Order. An appropriate Challenge resource - can be created to perform the ACME challenge process. - properties: - token: - description: - Token is the token that must be presented - for this challenge. This is used to compute the 'key' - that must also be presented. - type: string - type: - description: - Type is the type of challenge being offered, - e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is - the raw value retrieved from the ACME server. Only 'http-01' - and 'dns-01' are supported by cert-manager, other values - will be ignored. - type: string - url: - description: - URL is the URL of this challenge. It can - be used to retrieve additional metadata about the Challenge - from the ACME server. - type: string - required: - - token - - type - - url - type: object - type: array - identifier: - description: - Identifier is the DNS name to be validated as part - of this authorization - type: string - initialState: - description: - InitialState is the initial state of the ACME authorization - when first fetched from the ACME server. If an Authorization - is already 'valid', the Order controller will not create a - Challenge resource for the authorization. This will occur - when working with an ACME server that enables 'authz reuse' - (such as Let's Encrypt's production endpoint). If not set - and 'identifier' is set, the state is assumed to be pending - and a Challenge will be created. 
- enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: - URL is the URL of the Authorization that must be - completed - type: string - wildcard: - description: - Wildcard will be true if this authorization is - for a wildcard DNS name. If this is true, the identifier will - be the *non-wildcard* version of the DNS name. For example, - if '*.example.com' is the DNS name being validated, this field - will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - required: - - url - type: object - type: array - certificate: - description: - Certificate is a copy of the PEM encoded certificate - for this Order. This field will be populated after the order has - been successfully finalized with the ACME server, and the order - has transitioned to the 'valid' state. - format: byte - type: string - failureTime: - description: - FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: - FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. - type: string - reason: - description: - Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: - State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: - URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. 
- type: string - type: object - required: - - metadata - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - properties: - commonName: - description: - CommonName is the common name as specified on the DER - encoded CSR. If specified, this value must also be present in `dnsNames`. - This field must match the corresponding field on the DER encoded - CSR. - type: string - dnsNames: - description: - DNSNames is a list of DNS names that should be included - as part of the Order validation process. 
This field must match the - corresponding field on the DER encoded CSR. - items: - type: string - type: array - issuerRef: - description: - IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Order. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Order will be - marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - request: - description: - Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - format: byte - type: string - required: - - dnsNames - - issuerRef - - request - type: object - status: - properties: - authorizations: - description: - Authorizations contains data returned from the ACME server - on what authorizations must be completed in order to validate the - DNS names specified on the Order. - items: - description: - ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order validate - a DNS name on an ACME Order resource. - properties: - challenges: - description: - Challenges specifies the challenge types offered - by the ACME server. One of these challenge types will be selected - when validating the DNS name and an appropriate Challenge - resource will be created to perform the ACME challenge process. - items: - description: - Challenge specifies a challenge offered by the - ACME server for an Order. An appropriate Challenge resource - can be created to perform the ACME challenge process. - properties: - token: - description: - Token is the token that must be presented - for this challenge. 
This is used to compute the 'key' - that must also be presented. - type: string - type: - description: - Type is the type of challenge being offered, - e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is - the raw value retrieved from the ACME server. Only 'http-01' - and 'dns-01' are supported by cert-manager, other values - will be ignored. - type: string - url: - description: - URL is the URL of this challenge. It can - be used to retrieve additional metadata about the Challenge - from the ACME server. - type: string - required: - - token - - type - - url - type: object - type: array - identifier: - description: - Identifier is the DNS name to be validated as part - of this authorization - type: string - initialState: - description: - InitialState is the initial state of the ACME authorization - when first fetched from the ACME server. If an Authorization - is already 'valid', the Order controller will not create a - Challenge resource for the authorization. This will occur - when working with an ACME server that enables 'authz reuse' - (such as Let's Encrypt's production endpoint). If not set - and 'identifier' is set, the state is assumed to be pending - and a Challenge will be created. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: - URL is the URL of the Authorization that must be - completed - type: string - wildcard: - description: - Wildcard will be true if this authorization is - for a wildcard DNS name. If this is true, the identifier will - be the *non-wildcard* version of the DNS name. For example, - if '*.example.com' is the DNS name being validated, this field - will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - required: - - url - type: object - type: array - certificate: - description: - Certificate is a copy of the PEM encoded certificate - for this Order. 
This field will be populated after the order has - been successfully finalized with the ACME server, and the order - has transitioned to the 'valid' state. - format: byte - type: string - failureTime: - description: - FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: - FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. - type: string - reason: - description: - Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: - State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: - URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: - CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. 
- jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - metadata: - type: object - spec: - properties: - commonName: - description: - CommonName is the common name as specified on the DER - encoded CSR. If specified, this value must also be present in `dnsNames`. - This field must match the corresponding field on the DER encoded - CSR. - type: string - dnsNames: - description: - DNSNames is a list of DNS names that should be included - as part of the Order validation process. This field must match the - corresponding field on the DER encoded CSR. - items: - type: string - type: array - issuerRef: - description: - IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Order. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Order will be - marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. 
- type: string - required: - - name - type: object - request: - description: - Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - format: byte - type: string - required: - - dnsNames - - issuerRef - - request - type: object - status: - properties: - authorizations: - description: - Authorizations contains data returned from the ACME server - on what authorizations must be completed in order to validate the - DNS names specified on the Order. - items: - description: - ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order validate - a DNS name on an ACME Order resource. - properties: - challenges: - description: - Challenges specifies the challenge types offered - by the ACME server. One of these challenge types will be selected - when validating the DNS name and an appropriate Challenge - resource will be created to perform the ACME challenge process. - items: - description: - Challenge specifies a challenge offered by the - ACME server for an Order. An appropriate Challenge resource - can be created to perform the ACME challenge process. - properties: - token: - description: - Token is the token that must be presented - for this challenge. This is used to compute the 'key' - that must also be presented. - type: string - type: - description: - Type is the type of challenge being offered, - e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is - the raw value retrieved from the ACME server. Only 'http-01' - and 'dns-01' are supported by cert-manager, other values - will be ignored. - type: string - url: - description: - URL is the URL of this challenge. It can - be used to retrieve additional metadata about the Challenge - from the ACME server. 
- type: string - required: - - token - - type - - url - type: object - type: array - identifier: - description: - Identifier is the DNS name to be validated as part - of this authorization - type: string - initialState: - description: - InitialState is the initial state of the ACME authorization - when first fetched from the ACME server. If an Authorization - is already 'valid', the Order controller will not create a - Challenge resource for the authorization. This will occur - when working with an ACME server that enables 'authz reuse' - (such as Let's Encrypt's production endpoint). If not set - and 'identifier' is set, the state is assumed to be pending - and a Challenge will be created. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: - URL is the URL of the Authorization that must be - completed - type: string - wildcard: - description: - Wildcard will be true if this authorization is - for a wildcard DNS name. If this is true, the identifier will - be the *non-wildcard* version of the DNS name. For example, - if '*.example.com' is the DNS name being validated, this field - will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - required: - - url - type: object - type: array - certificate: - description: - Certificate is a copy of the PEM encoded certificate - for this Order. This field will be populated after the order has - been successfully finalized with the ACME server, and the order - has transitioned to the 'valid' state. - format: byte - type: string - failureTime: - description: - FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: - FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. 
- type: string - reason: - description: - Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: - State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: - URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - name: cert-manager-cainjector - namespace: cert-manager ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager - namespace: cert-manager ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - name: cert-manager-webhook - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - name: cert-manager-cainjector -rules: - - apiGroups: - - cert-manager.io 
- resources: - - certificates - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - get - - create - - update - - patch - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - - mutatingwebhookconfigurations - verbs: - - get - - list - - watch - - update - - apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - watch - - update - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - update - - apiGroups: - - auditregistration.k8s.io - resources: - - auditsinks - verbs: - - get - - list - - watch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-issuers -rules: - - apiGroups: - - cert-manager.io - resources: - - issuers - - issuers/status - verbs: - - update - - apiGroups: - - cert-manager.io - resources: - - issuers - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-clusterissuers -rules: - - apiGroups: - - cert-manager.io - resources: - - clusterissuers - - clusterissuers/status - verbs: - - update - - apiGroups: - - cert-manager.io - resources: - - clusterissuers - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - 
secrets - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-certificates -rules: - - apiGroups: - - cert-manager.io - resources: - - certificates - - certificates/status - - certificaterequests - - certificaterequests/status - verbs: - - update - - apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - - clusterissuers - - issuers - verbs: - - get - - list - - watch - - apiGroups: - - cert-manager.io - resources: - - certificates/finalizers - - certificaterequests/finalizers - verbs: - - update - - apiGroups: - - acme.cert-manager.io - resources: - - orders - verbs: - - create - - delete - - get - - list - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-orders -rules: - - apiGroups: - - acme.cert-manager.io - resources: - - orders - - orders/status - verbs: - - update - - apiGroups: - - acme.cert-manager.io - resources: - - orders - - challenges - verbs: - - get - - list - - watch - - apiGroups: - - cert-manager.io - resources: - - clusterissuers - - issuers - verbs: - - get - - list - - watch - - apiGroups: - - acme.cert-manager.io - resources: - - challenges - verbs: - - create - - delete - - apiGroups: - - acme.cert-manager.io - resources: - - orders/finalizers - verbs: - - 
update - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-challenges -rules: - - apiGroups: - - acme.cert-manager.io - resources: - - challenges - - challenges/status - verbs: - - update - - apiGroups: - - acme.cert-manager.io - resources: - - challenges - verbs: - - get - - list - - watch - - apiGroups: - - cert-manager.io - resources: - - issuers - - clusterissuers - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "" - resources: - - pods - - services - verbs: - - get - - list - - watch - - create - - delete - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - - create - - delete - - update - - apiGroups: - - route.openshift.io - resources: - - routes/custom-host - verbs: - - create - - apiGroups: - - acme.cert-manager.io - resources: - - challenges/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-ingress-shim -rules: - - apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - verbs: - - create - - update - - delete - - apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - - issuers - - clusterissuers - verbs: - 
- get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: cert-manager-view -rules: - - apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - - issuers - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: cert-manager-edit -rules: - - apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - - issuers - verbs: - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - name: cert-manager-cainjector -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-cainjector -subjects: - - kind: ServiceAccount - name: cert-manager-cainjector - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: 
controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-issuers -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-issuers -subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-clusterissuers -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-clusterissuers -subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-certificates -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-certificates -subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-orders -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-orders -subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: 
cert-manager-controller-challenges -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-challenges -subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager-controller-ingress-shim -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-ingress-shim -subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - name: cert-manager-cainjector:leaderelection - namespace: kube-system -rules: - - apiGroups: - - "" - resourceNames: - - cert-manager-cainjector-leader-election - - cert-manager-cainjector-leader-election-core - resources: - - configmaps - verbs: - - get - - update - - patch - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager:leaderelection - namespace: kube-system -rules: - - apiGroups: - - "" - resourceNames: - - cert-manager-controller - resources: - - configmaps - verbs: - - get - - update - - patch - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - name: 
cert-manager-webhook:dynamic-serving - namespace: cert-manager -rules: - - apiGroups: - - "" - resourceNames: - - cert-manager-webhook-ca - resources: - - secrets - verbs: - - get - - list - - watch - - update - - apiGroups: - - "" - resources: - - secrets - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - name: cert-manager-cainjector:leaderelection - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager-cainjector:leaderelection -subjects: - - kind: ServiceAccount - name: cert-manager-cainjector - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager:leaderelection - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager:leaderelection -subjects: - - apiGroup: "" - kind: ServiceAccount - name: cert-manager - namespace: cert-manager ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - name: cert-manager-webhook:dynamic-serving - namespace: cert-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager-webhook:dynamic-serving -subjects: - - apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook - namespace: cert-manager ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager - 
namespace: cert-manager -spec: - ports: - - port: 9402 - protocol: TCP - targetPort: 9402 - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - name: cert-manager-webhook - namespace: cert-manager -spec: - ports: - - name: https - port: 443 - targetPort: 10250 - selector: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - name: cert-manager-cainjector - namespace: cert-manager -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - template: - metadata: - labels: - app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - spec: - containers: - - args: - - --v=2 - - --leader-election-namespace=kube-system - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-cainjector:v1.0.3 - imagePullPolicy: IfNotPresent - name: cert-manager - resources: {} - serviceAccountName: cert-manager-cainjector ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: cert-manager - namespace: cert-manager -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/component: controller - 
app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - template: - metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "9402" - prometheus.io/scrape: "true" - labels: - app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - spec: - containers: - - args: - - --v=2 - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=kube-system - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-controller:v1.0.3 - imagePullPolicy: IfNotPresent - name: cert-manager - ports: - - containerPort: 9402 - protocol: TCP - resources: {} - serviceAccountName: cert-manager ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - name: cert-manager-webhook - namespace: cert-manager -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - template: - metadata: - labels: - app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - spec: - containers: - - args: - - --v=2 - - --secure-port=10250 - - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) - - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca - - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-webhook:v1.0.3 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - path: /livez - port: 6080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 
10 - successThreshold: 1 - timeoutSeconds: 1 - name: cert-manager - ports: - - containerPort: 10250 - name: https - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 6080 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: {} - serviceAccountName: cert-manager-webhook ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - name: cert-manager-webhook -webhooks: - - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /mutate - failurePolicy: Fail - name: webhook.cert-manager.io - rules: - - apiGroups: - - cert-manager.io - - acme.cert-manager.io - apiVersions: - - "*" - operations: - - CREATE - - UPDATE - resources: - - "*/*" - sideEffects: None ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - name: cert-manager-webhook -webhooks: - - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /validate - failurePolicy: Fail - name: webhook.cert-manager.io - namespaceSelector: - matchExpressions: - - key: cert-manager.io/disable-validation - operator: NotIn - values: - - "true" - - key: name - operator: NotIn - values: - - cert-manager - rules: - - apiGroups: - - cert-manager.io - - acme.cert-manager.io - apiVersions: - - "*" - operations: - - CREATE - - UPDATE - resources: - - 
"*/*" - sideEffects: None
diff --git a/test/e2e/testdata/enable_api_group_versions/music_v1_rockband.yaml b/test/e2e/testdata/enable_api_group_versions/music_v1_rockband.yaml
index 05a329665..f9e7263f5 100644
--- a/test/e2e/testdata/enable_api_group_versions/music_v1_rockband.yaml
+++ b/test/e2e/testdata/enable_api_group_versions/music_v1_rockband.yaml
@@ -5,7 +5,5 @@ metadata:
 annotations:
 rockbands.music.example.io/originalVersion: v1
 spec:
- # Add fields here
- genre: '60s rock'
+ genre: "60s rock"
 numberComponents: 4
- leadSinger: John
diff --git a/test/e2e/testdata/enable_api_group_versions/music_v1alpha1_rockband.yaml b/test/e2e/testdata/enable_api_group_versions/music_v1alpha1_rockband.yaml
index 6d72c3e58..addab20e5 100644
--- a/test/e2e/testdata/enable_api_group_versions/music_v1alpha1_rockband.yaml
+++ b/test/e2e/testdata/enable_api_group_versions/music_v1alpha1_rockband.yaml
@@ -5,7 +5,5 @@ metadata:
 annotations:
 rockbands.music.example.io/originalVersion: v1alpha1
 spec:
- # Add fields here
- genre: '60s rock'
+ genre: "60s rock"
 numberComponents: 4
-
diff --git a/test/e2e/testdata/enable_api_group_versions/music_v2_rockband.yaml b/test/e2e/testdata/enable_api_group_versions/music_v2_rockband.yaml
index 3c6eff04a..a3489c2fb 100644
--- a/test/e2e/testdata/enable_api_group_versions/music_v2_rockband.yaml
+++ b/test/e2e/testdata/enable_api_group_versions/music_v2_rockband.yaml
@@ -3,10 +3,5 @@ kind: RockBand
 metadata:
 name: beatles
 spec:
- # Add fields here
- genre: '60s rock'
+ genre: "60s rock"
 numberComponents: 4
- leadSinger: John
- leadGuitar: George
- drummer: Ringo
- bass: Paul
diff --git a/test/e2e/testdata/enable_api_group_versions/music_v2beta1_rockband.yaml b/test/e2e/testdata/enable_api_group_versions/music_v2beta1_rockband.yaml
index f17848319..1664d2d2a 100644
--- a/test/e2e/testdata/enable_api_group_versions/music_v2beta1_rockband.yaml
+++ b/test/e2e/testdata/enable_api_group_versions/music_v2beta1_rockband.yaml
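Review bot: The v2 fixture's `metadata:` block carries only `name: beatles`, whereas the v1, v1alpha1, v2beta1 and v2beta2 fixtures each set a `rockbands.music.example.io/originalVersion` annotation; if the e2e assertions read that annotation to confirm which version a restored object came from, v2 is the one case that cannot be checked. Adding `annotations:` / `rockbands.music.example.io/originalVersion: v2` under `metadata:` would make the five fixtures uniform. If the omission is deliberate (for instance because v2 is the version the test expects to come back without conversion), a one-line `# no originalVersion annotation: v2 is the expected post-restore version` comment in the fixture would record that for the next reader.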
@@ -5,9 +5,5 @@ metadata:
 annotations:
 rockbands.music.example.io/originalVersion: v2beta1
 spec:
- # Add fields here
- genre: '60s rock'
+ genre: "60s rock"
 numberComponents: 4
- leadSinger: John
- leadGuitar: George
-
diff --git a/test/e2e/testdata/enable_api_group_versions/music_v2beta2_rockband.yaml b/test/e2e/testdata/enable_api_group_versions/music_v2beta2_rockband.yaml
index 42f2342ae..eb0c92084 100644
--- a/test/e2e/testdata/enable_api_group_versions/music_v2beta2_rockband.yaml
+++ b/test/e2e/testdata/enable_api_group_versions/music_v2beta2_rockband.yaml
@@ -5,9 +5,5 @@ metadata:
 annotations:
 rockbands.music.example.io/originalVersion: v2beta2
 spec:
- # Add fields here
- genre: '60s rock'
+ genre: "60s rock"
 numberComponents: 4
- leadSinger: John
- leadGuitar: George
- drummer: Ringo
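Review bot: With `leadSinger`, `leadGuitar` and `drummer` removed, the v2beta2 spec is reduced to the same `genre` / `numberComponents` pair the other four fixtures now carry, so nothing in this fixture is specific to v2beta2 any more; a backup/restore that silently dropped or mis-converted version-specific fields would pass as long as those two common fields survive. If the CRD schemas used by this test no longer define those fields, a short comment such as `# only fields common to every served version; version-specific fields are out of scope here` would make that intentional rather than a gap. Otherwise keeping one field that exists only in v2beta2 preserves the check that conversion, not just copying, happened on restore. The `'60s rock'` to `"60s rock"` quote change is cosmetic and fine.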