|
0
|
1 # Source: cert-manager/templates/crd-templates.yaml
|
|
|
2 apiVersion: apiextensions.k8s.io/v1
|
|
|
3 kind: CustomResourceDefinition
|
|
|
4 metadata:
|
|
|
5 name: certificaterequests.cert-manager.io
|
|
|
6 labels:
|
|
|
7 app: 'cert-manager'
|
|
|
8 app.kubernetes.io/name: 'cert-manager'
|
|
|
9 app.kubernetes.io/instance: 'cert-manager'
|
|
|
10 spec:
|
|
|
11 group: cert-manager.io
|
|
|
12 names:
|
|
|
13 kind: CertificateRequest
|
|
|
14 listKind: CertificateRequestList
|
|
|
15 plural: certificaterequests
|
|
|
16 shortNames:
|
|
|
17 - cr
|
|
|
18 - crs
|
|
|
19 singular: certificaterequest
|
|
|
20 categories:
|
|
|
21 - cert-manager
|
|
|
22 scope: Namespaced
|
|
|
23 versions:
|
|
|
24 - name: v1
|
|
|
25 subresources:
|
|
|
26 status: {}
|
|
|
27 additionalPrinterColumns:
|
|
|
28 - jsonPath: .status.conditions[?(@.type=="Approved")].status
|
|
|
29 name: Approved
|
|
|
30 type: string
|
|
|
31 - jsonPath: .status.conditions[?(@.type=="Denied")].status
|
|
|
32 name: Denied
|
|
|
33 type: string
|
|
|
34 - jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
|
35 name: Ready
|
|
|
36 type: string
|
|
|
37 - jsonPath: .spec.issuerRef.name
|
|
|
38 name: Issuer
|
|
|
39 type: string
|
|
|
40 - jsonPath: .spec.username
|
|
|
41 name: Requestor
|
|
|
42 type: string
|
|
|
43 - jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|
|
44 name: Status
|
|
|
45 priority: 1
|
|
|
46 type: string
|
|
|
47 - jsonPath: .metadata.creationTimestamp
|
|
|
48 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|
|
49 name: Age
|
|
|
50 type: date
|
|
|
51 schema:
|
|
|
52 openAPIV3Schema:
|
|
|
53 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
|
|
|
54 type: object
|
|
|
55 required:
|
|
|
56 - spec
|
|
|
57 properties:
|
|
|
58 apiVersion:
|
|
|
59 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
|
60 type: string
|
|
|
61 kind:
|
|
|
62 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
|
63 type: string
|
|
|
64 metadata:
|
|
|
65 type: object
|
|
|
66 spec:
|
|
|
67 description: Desired state of the CertificateRequest resource.
|
|
|
68 type: object
|
|
|
69 required:
|
|
|
70 - issuerRef
|
|
|
71 - request
|
|
|
72 properties:
|
|
|
73 duration:
|
|
|
74 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
|
|
|
75 type: string
|
|
|
76 extra:
|
|
|
77 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
|
|
|
78 type: object
|
|
|
79 additionalProperties:
|
|
|
80 type: array
|
|
|
81 items:
|
|
|
82 type: string
|
|
|
83 groups:
|
|
|
84 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
|
|
|
85 type: array
|
|
|
86 items:
|
|
|
87 type: string
|
|
|
88 x-kubernetes-list-type: atomic
|
|
|
89 isCA:
|
|
|
90 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
|
|
|
91 type: boolean
|
|
|
92 issuerRef:
|
|
|
93 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
|
|
|
94 type: object
|
|
|
95 required:
|
|
|
96 - name
|
|
|
97 properties:
|
|
|
98 group:
|
|
|
99 description: Group of the resource being referred to.
|
|
|
100 type: string
|
|
|
101 kind:
|
|
|
102 description: Kind of the resource being referred to.
|
|
|
103 type: string
|
|
|
104 name:
|
|
|
105 description: Name of the resource being referred to.
|
|
|
106 type: string
|
|
|
107 request:
|
|
|
108 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
|
|
|
109 type: string
|
|
|
110 format: byte
|
|
|
111 uid:
|
|
|
112 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
|
|
|
113 type: string
|
|
|
114 usages:
|
|
|
115 description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
|
|
|
116 type: array
|
|
|
117 items:
|
|
|
118 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
|
|
|
119 type: string
|
|
|
120 enum:
|
|
|
121 - signing
|
|
|
122 - digital signature
|
|
|
123 - content commitment
|
|
|
124 - key encipherment
|
|
|
125 - key agreement
|
|
|
126 - data encipherment
|
|
|
127 - cert sign
|
|
|
128 - crl sign
|
|
|
129 - encipher only
|
|
|
130 - decipher only
|
|
|
131 - any
|
|
|
132 - server auth
|
|
|
133 - client auth
|
|
|
134 - code signing
|
|
|
135 - email protection
|
|
|
136 - s/mime
|
|
|
137 - ipsec end system
|
|
|
138 - ipsec tunnel
|
|
|
139 - ipsec user
|
|
|
140 - timestamping
|
|
|
141 - ocsp signing
|
|
|
142 - microsoft sgc
|
|
|
143 - netscape sgc
|
|
|
144 username:
|
|
|
145 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
|
|
|
146 type: string
|
|
|
147 status:
|
|
|
148 description: Status of the CertificateRequest. This is set and managed automatically.
|
|
|
149 type: object
|
|
|
150 properties:
|
|
|
151 ca:
|
|
|
152 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
|
|
|
153 type: string
|
|
|
154 format: byte
|
|
|
155 certificate:
|
|
|
156 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
|
|
|
157 type: string
|
|
|
158 format: byte
|
|
|
159 conditions:
|
|
|
160 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
|
|
|
161 type: array
|
|
|
162 items:
|
|
|
163 description: CertificateRequestCondition contains condition information for a CertificateRequest.
|
|
|
164 type: object
|
|
|
165 required:
|
|
|
166 - status
|
|
|
167 - type
|
|
|
168 properties:
|
|
|
169 lastTransitionTime:
|
|
|
170 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
|
|
|
171 type: string
|
|
|
172 format: date-time
|
|
|
173 message:
|
|
|
174 description: Message is a human readable description of the details of the last transition, complementing reason.
|
|
|
175 type: string
|
|
|
176 reason:
|
|
|
177 description: Reason is a brief machine readable explanation for the condition's last transition.
|
|
|
178 type: string
|
|
|
179 status:
|
|
|
180 description: Status of the condition, one of (`True`, `False`, `Unknown`).
|
|
|
181 type: string
|
|
|
182 enum:
|
|
|
183 - "True"
|
|
|
184 - "False"
|
|
|
185 - Unknown
|
|
|
186 type:
|
|
|
187 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
|
|
|
188 type: string
|
|
|
189 x-kubernetes-list-map-keys:
|
|
|
190 - type
|
|
|
191 x-kubernetes-list-type: map
|
|
|
192 failureTime:
|
|
|
193 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
|
|
|
194 type: string
|
|
|
195 format: date-time
|
|
|
196 served: true
|
|
|
197 storage: true
|
|
|
198 ---
|
|
|
199 # Source: cert-manager/templates/crd-templates.yaml
|
|
|
200 apiVersion: apiextensions.k8s.io/v1
|
|
|
201 kind: CustomResourceDefinition
|
|
|
202 metadata:
|
|
|
203 name: certificates.cert-manager.io
|
|
|
204 labels:
|
|
|
205 app: 'cert-manager'
|
|
|
206 app.kubernetes.io/name: 'cert-manager'
|
|
|
207 app.kubernetes.io/instance: 'cert-manager'
|
|
|
208 # Generated labels
|
|
8
|
209 app.kubernetes.io/version: "v1.10.1"
|
|
0
|
210 spec:
|
|
|
211 group: cert-manager.io
|
|
|
212 names:
|
|
|
213 kind: Certificate
|
|
|
214 listKind: CertificateList
|
|
|
215 plural: certificates
|
|
|
216 shortNames:
|
|
|
217 - cert
|
|
|
218 - certs
|
|
|
219 singular: certificate
|
|
|
220 categories:
|
|
|
221 - cert-manager
|
|
|
222 scope: Namespaced
|
|
|
223 versions:
|
|
|
224 - name: v1
|
|
|
225 subresources:
|
|
|
226 status: {}
|
|
|
227 additionalPrinterColumns:
|
|
|
228 - jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
|
229 name: Ready
|
|
|
230 type: string
|
|
|
231 - jsonPath: .spec.secretName
|
|
|
232 name: Secret
|
|
|
233 type: string
|
|
|
234 - jsonPath: .spec.issuerRef.name
|
|
|
235 name: Issuer
|
|
|
236 priority: 1
|
|
|
237 type: string
|
|
|
238 - jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|
|
239 name: Status
|
|
|
240 priority: 1
|
|
|
241 type: string
|
|
|
242 - jsonPath: .metadata.creationTimestamp
|
|
|
243 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|
|
244 name: Age
|
|
|
245 type: date
|
|
|
246 schema:
|
|
|
247 openAPIV3Schema:
|
|
|
248 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
|
|
|
249 type: object
|
|
|
250 required:
|
|
|
251 - spec
|
|
|
252 properties:
|
|
|
253 apiVersion:
|
|
|
254 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
|
255 type: string
|
|
|
256 kind:
|
|
|
257 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
|
258 type: string
|
|
|
259 metadata:
|
|
|
260 type: object
|
|
|
261 spec:
|
|
|
262 description: Desired state of the Certificate resource.
|
|
|
263 type: object
|
|
|
264 required:
|
|
|
265 - issuerRef
|
|
|
266 - secretName
|
|
|
267 properties:
|
|
|
268 additionalOutputFormats:
|
|
|
269 description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components.
|
|
|
270 type: array
|
|
|
271 items:
|
|
|
272 description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
|
|
|
273 type: object
|
|
|
274 required:
|
|
|
275 - type
|
|
|
276 properties:
|
|
|
277 type:
|
|
|
278 description: Type is the name of the format type that should be written to the Certificate's target Secret.
|
|
|
279 type: string
|
|
|
280 enum:
|
|
|
281 - DER
|
|
|
282 - CombinedPEM
|
|
|
283 commonName:
|
|
|
284 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
|
|
|
285 type: string
|
|
|
286 dnsNames:
|
|
|
287 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
|
|
|
288 type: array
|
|
|
289 items:
|
|
|
290 type: string
|
|
|
291 duration:
|
|
|
292 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
|
|
293 type: string
|
|
|
294 emailAddresses:
|
|
|
295 description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
|
|
|
296 type: array
|
|
|
297 items:
|
|
|
298 type: string
|
|
|
299 encodeUsagesInRequest:
|
|
|
300 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
|
|
|
301 type: boolean
|
|
|
302 ipAddresses:
|
|
|
303 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
|
|
|
304 type: array
|
|
|
305 items:
|
|
|
306 type: string
|
|
|
307 isCA:
|
|
|
308 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
|
|
|
309 type: boolean
|
|
|
310 issuerRef:
|
|
|
311 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
|
|
|
312 type: object
|
|
|
313 required:
|
|
|
314 - name
|
|
|
315 properties:
|
|
|
316 group:
|
|
|
317 description: Group of the resource being referred to.
|
|
|
318 type: string
|
|
|
319 kind:
|
|
|
320 description: Kind of the resource being referred to.
|
|
|
321 type: string
|
|
|
322 name:
|
|
|
323 description: Name of the resource being referred to.
|
|
|
324 type: string
|
|
|
325 keystores:
|
|
|
326 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
|
|
|
327 type: object
|
|
|
328 properties:
|
|
|
329 jks:
|
|
|
330 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
|
|
|
331 type: object
|
|
|
332 required:
|
|
|
333 - create
|
|
|
334 - passwordSecretRef
|
|
|
335 properties:
|
|
|
336 create:
|
|
|
337 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
|
|
|
338 type: boolean
|
|
|
339 passwordSecretRef:
|
|
|
340 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
|
|
|
341 type: object
|
|
|
342 required:
|
|
|
343 - name
|
|
|
344 properties:
|
|
|
345 key:
|
|
|
346 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
347 type: string
|
|
|
348 name:
|
|
|
349 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
350 type: string
|
|
|
351 pkcs12:
|
|
|
352 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
|
|
|
353 type: object
|
|
|
354 required:
|
|
|
355 - create
|
|
|
356 - passwordSecretRef
|
|
|
357 properties:
|
|
|
358 create:
|
|
|
359 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
|
|
|
360 type: boolean
|
|
|
361 passwordSecretRef:
|
|
|
362 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
|
|
|
363 type: object
|
|
|
364 required:
|
|
|
365 - name
|
|
|
366 properties:
|
|
|
367 key:
|
|
|
368 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
369 type: string
|
|
|
370 name:
|
|
|
371 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
372 type: string
|
|
|
373 literalSubject:
|
|
|
374 description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook.
|
|
|
375 type: string
|
|
|
376 privateKey:
|
|
|
377 description: Options to control private keys used for the Certificate.
|
|
|
378 type: object
|
|
|
379 properties:
|
|
|
380 algorithm:
|
|
|
381 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
|
|
|
382 type: string
|
|
|
383 enum:
|
|
|
384 - RSA
|
|
|
385 - ECDSA
|
|
|
386 - Ed25519
|
|
|
387 encoding:
|
|
|
388 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
|
|
|
389 type: string
|
|
|
390 enum:
|
|
|
391 - PKCS1
|
|
|
392 - PKCS8
|
|
|
393 rotationPolicy:
|
|
|
394 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
|
|
|
395 type: string
|
|
|
396 enum:
|
|
|
397 - Never
|
|
|
398 - Always
|
|
|
399 size:
|
|
|
400 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
|
|
|
401 type: integer
|
|
|
402 renewBefore:
|
|
|
403 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
|
|
404 type: string
|
|
|
405 revisionHistoryLimit:
|
|
|
406 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
|
|
|
407 type: integer
|
|
|
408 format: int32
|
|
|
409 secretName:
|
|
|
410 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
|
|
|
411 type: string
|
|
|
412 secretTemplate:
|
|
|
413 description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
|
|
|
414 type: object
|
|
|
415 properties:
|
|
|
416 annotations:
|
|
|
417 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
|
|
|
418 type: object
|
|
|
419 additionalProperties:
|
|
|
420 type: string
|
|
|
421 labels:
|
|
|
422 description: Labels is a key value map to be copied to the target Kubernetes Secret.
|
|
|
423 type: object
|
|
|
424 additionalProperties:
|
|
|
425 type: string
|
|
|
426 subject:
|
|
|
427 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
|
|
|
428 type: object
|
|
|
429 properties:
|
|
|
430 countries:
|
|
|
431 description: Countries to be used on the Certificate.
|
|
|
432 type: array
|
|
|
433 items:
|
|
|
434 type: string
|
|
|
435 localities:
|
|
|
436 description: Cities to be used on the Certificate.
|
|
|
437 type: array
|
|
|
438 items:
|
|
|
439 type: string
|
|
|
440 organizationalUnits:
|
|
|
441 description: Organizational Units to be used on the Certificate.
|
|
|
442 type: array
|
|
|
443 items:
|
|
|
444 type: string
|
|
|
445 organizations:
|
|
|
446 description: Organizations to be used on the Certificate.
|
|
|
447 type: array
|
|
|
448 items:
|
|
|
449 type: string
|
|
|
450 postalCodes:
|
|
|
451 description: Postal codes to be used on the Certificate.
|
|
|
452 type: array
|
|
|
453 items:
|
|
|
454 type: string
|
|
|
455 provinces:
|
|
|
456 description: State/Provinces to be used on the Certificate.
|
|
|
457 type: array
|
|
|
458 items:
|
|
|
459 type: string
|
|
|
460 serialNumber:
|
|
|
461 description: Serial number to be used on the Certificate.
|
|
|
462 type: string
|
|
|
463 streetAddresses:
|
|
|
464 description: Street addresses to be used on the Certificate.
|
|
|
465 type: array
|
|
|
466 items:
|
|
|
467 type: string
|
|
|
468 uris:
|
|
|
469 description: URIs is a list of URI subjectAltNames to be set on the Certificate.
|
|
|
470 type: array
|
|
|
471 items:
|
|
|
472 type: string
|
|
|
473 usages:
|
|
|
474 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
|
|
|
475 type: array
|
|
|
476 items:
|
|
|
477 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
|
|
|
478 type: string
|
|
|
479 enum:
|
|
|
480 - signing
|
|
|
481 - digital signature
|
|
|
482 - content commitment
|
|
|
483 - key encipherment
|
|
|
484 - key agreement
|
|
|
485 - data encipherment
|
|
|
486 - cert sign
|
|
|
487 - crl sign
|
|
|
488 - encipher only
|
|
|
489 - decipher only
|
|
|
490 - any
|
|
|
491 - server auth
|
|
|
492 - client auth
|
|
|
493 - code signing
|
|
|
494 - email protection
|
|
|
495 - s/mime
|
|
|
496 - ipsec end system
|
|
|
497 - ipsec tunnel
|
|
|
498 - ipsec user
|
|
|
499 - timestamping
|
|
|
500 - ocsp signing
|
|
|
501 - microsoft sgc
|
|
|
502 - netscape sgc
|
|
|
503 status:
|
|
|
504 description: Status of the Certificate. This is set and managed automatically.
|
|
|
505 type: object
|
|
|
506 properties:
|
|
|
507 conditions:
|
|
|
508 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
|
|
|
509 type: array
|
|
|
510 items:
|
|
|
511 description: CertificateCondition contains condition information for an Certificate.
|
|
|
512 type: object
|
|
|
513 required:
|
|
|
514 - status
|
|
|
515 - type
|
|
|
516 properties:
|
|
|
517 lastTransitionTime:
|
|
|
518 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
|
|
|
519 type: string
|
|
|
520 format: date-time
|
|
|
521 message:
|
|
|
522 description: Message is a human readable description of the details of the last transition, complementing reason.
|
|
|
523 type: string
|
|
|
524 observedGeneration:
|
|
|
525 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
|
|
|
526 type: integer
|
|
|
527 format: int64
|
|
|
528 reason:
|
|
|
529 description: Reason is a brief machine readable explanation for the condition's last transition.
|
|
|
530 type: string
|
|
|
531 status:
|
|
|
532 description: Status of the condition, one of (`True`, `False`, `Unknown`).
|
|
|
533 type: string
|
|
|
534 enum:
|
|
|
535 - "True"
|
|
|
536 - "False"
|
|
|
537 - Unknown
|
|
|
538 type:
|
|
|
539 description: Type of the condition, known values are (`Ready`, `Issuing`).
|
|
|
540 type: string
|
|
|
541 x-kubernetes-list-map-keys:
|
|
|
542 - type
|
|
|
543 x-kubernetes-list-type: map
|
|
|
544 failedIssuanceAttempts:
|
|
|
545 description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
|
|
|
546 type: integer
|
|
|
547 lastFailureTime:
|
|
|
548 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
|
|
|
549 type: string
|
|
|
550 format: date-time
|
|
|
551 nextPrivateKeySecretName:
|
|
|
552 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
|
|
|
553 type: string
|
|
|
554 notAfter:
|
|
|
555 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
|
|
|
556 type: string
|
|
|
557 format: date-time
|
|
|
558 notBefore:
|
|
|
559 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
|
|
|
560 type: string
|
|
|
561 format: date-time
|
|
|
562 renewalTime:
|
|
|
563 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
|
|
|
564 type: string
|
|
|
565 format: date-time
|
|
|
566 revision:
|
|
|
567 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
|
|
|
568 type: integer
|
|
|
569 served: true
|
|
|
570 storage: true
|
|
|
571 ---
|
|
|
572 # Source: cert-manager/templates/crd-templates.yaml
|
|
|
573 apiVersion: apiextensions.k8s.io/v1
|
|
|
574 kind: CustomResourceDefinition
|
|
|
575 metadata:
|
|
|
576 name: challenges.acme.cert-manager.io
|
|
|
577 labels:
|
|
|
578 app: 'cert-manager'
|
|
|
579 app.kubernetes.io/name: 'cert-manager'
|
|
|
580 app.kubernetes.io/instance: 'cert-manager'
|
|
|
581 # Generated labels
|
|
8
|
582 app.kubernetes.io/version: "v1.10.1"
|
|
0
|
583 spec:
|
|
|
584 group: acme.cert-manager.io
|
|
|
585 names:
|
|
|
586 kind: Challenge
|
|
|
587 listKind: ChallengeList
|
|
|
588 plural: challenges
|
|
|
589 singular: challenge
|
|
|
590 categories:
|
|
|
591 - cert-manager
|
|
|
592 - cert-manager-acme
|
|
|
593 scope: Namespaced
|
|
|
594 versions:
|
|
|
595 - additionalPrinterColumns:
|
|
|
596 - jsonPath: .status.state
|
|
|
597 name: State
|
|
|
598 type: string
|
|
|
599 - jsonPath: .spec.dnsName
|
|
|
600 name: Domain
|
|
|
601 type: string
|
|
|
602 - jsonPath: .status.reason
|
|
|
603 name: Reason
|
|
|
604 priority: 1
|
|
|
605 type: string
|
|
|
606 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|
|
607 jsonPath: .metadata.creationTimestamp
|
|
|
608 name: Age
|
|
|
609 type: date
|
|
|
610 name: v1
|
|
|
611 schema:
|
|
|
612 openAPIV3Schema:
|
|
|
613 description: Challenge is a type to represent a Challenge request with an ACME server
|
|
|
614 type: object
|
|
|
615 required:
|
|
|
616 - metadata
|
|
|
617 - spec
|
|
|
618 properties:
|
|
|
619 apiVersion:
|
|
|
620 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
|
621 type: string
|
|
|
622 kind:
|
|
|
623 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
|
624 type: string
|
|
|
625 metadata:
|
|
|
626 type: object
|
|
|
627 spec:
|
|
|
628 type: object
|
|
|
629 required:
|
|
|
630 - authorizationURL
|
|
|
631 - dnsName
|
|
|
632 - issuerRef
|
|
|
633 - key
|
|
|
634 - solver
|
|
|
635 - token
|
|
|
636 - type
|
|
|
637 - url
|
|
|
638 properties:
|
|
|
639 authorizationURL:
|
|
|
640 description: The URL to the ACME Authorization resource that this challenge is a part of.
|
|
|
641 type: string
|
|
|
642 dnsName:
|
|
|
643 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
|
|
|
644 type: string
|
|
|
645 issuerRef:
|
|
|
646 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
|
|
|
647 type: object
|
|
|
648 required:
|
|
|
649 - name
|
|
|
650 properties:
|
|
|
651 group:
|
|
|
652 description: Group of the resource being referred to.
|
|
|
653 type: string
|
|
|
654 kind:
|
|
|
655 description: Kind of the resource being referred to.
|
|
|
656 type: string
|
|
|
657 name:
|
|
|
658 description: Name of the resource being referred to.
|
|
|
659 type: string
|
|
|
660 key:
|
|
|
661 description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
|
|
|
662 type: string
|
|
|
663 solver:
|
|
|
664 description: Contains the domain solving configuration that should be used to solve this challenge resource.
|
|
|
665 type: object
|
|
|
666 properties:
|
|
|
667 dns01:
|
|
|
668 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
|
|
|
669 type: object
|
|
|
670 properties:
|
|
|
671 acmeDNS:
|
|
|
672 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
|
|
|
673 type: object
|
|
|
674 required:
|
|
|
675 - accountSecretRef
|
|
|
676 - host
|
|
|
677 properties:
|
|
|
678 accountSecretRef:
|
|
|
679 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
680 type: object
|
|
|
681 required:
|
|
|
682 - name
|
|
|
683 properties:
|
|
|
684 key:
|
|
|
685 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
686 type: string
|
|
|
687 name:
|
|
|
688 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
689 type: string
|
|
|
690 host:
|
|
|
691 type: string
|
|
|
692 akamai:
|
|
|
693 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
|
|
|
694 type: object
|
|
|
695 required:
|
|
|
696 - accessTokenSecretRef
|
|
|
697 - clientSecretSecretRef
|
|
|
698 - clientTokenSecretRef
|
|
|
699 - serviceConsumerDomain
|
|
|
700 properties:
|
|
|
701 accessTokenSecretRef:
|
|
|
702 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
703 type: object
|
|
|
704 required:
|
|
|
705 - name
|
|
|
706 properties:
|
|
|
707 key:
|
|
|
708 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
709 type: string
|
|
|
710 name:
|
|
|
711 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
712 type: string
|
|
|
713 clientSecretSecretRef:
|
|
|
714 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
715 type: object
|
|
|
716 required:
|
|
|
717 - name
|
|
|
718 properties:
|
|
|
719 key:
|
|
|
720 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
721 type: string
|
|
|
722 name:
|
|
|
723 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
724 type: string
|
|
|
725 clientTokenSecretRef:
|
|
|
726 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
727 type: object
|
|
|
728 required:
|
|
|
729 - name
|
|
|
730 properties:
|
|
|
731 key:
|
|
|
732 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
733 type: string
|
|
|
734 name:
|
|
|
735 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
736 type: string
|
|
|
737 serviceConsumerDomain:
|
|
|
738 type: string
|
|
|
739 azureDNS:
|
|
|
740 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
|
|
|
741 type: object
|
|
|
742 required:
|
|
|
743 - resourceGroupName
|
|
|
744 - subscriptionID
|
|
|
745 properties:
|
|
|
746 clientID:
|
|
|
747 description: if both this and ClientSecret are left unset MSI will be used
|
|
|
748 type: string
|
|
|
749 clientSecretSecretRef:
|
|
|
750 description: if both this and ClientID are left unset MSI will be used
|
|
|
751 type: object
|
|
|
752 required:
|
|
|
753 - name
|
|
|
754 properties:
|
|
|
755 key:
|
|
|
756 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
757 type: string
|
|
|
758 name:
|
|
|
759 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
760 type: string
|
|
|
761 environment:
|
|
|
762 description: name of the Azure environment (default AzurePublicCloud)
|
|
|
763 type: string
|
|
|
764 enum:
|
|
|
765 - AzurePublicCloud
|
|
|
766 - AzureChinaCloud
|
|
|
767 - AzureGermanCloud
|
|
|
768 - AzureUSGovernmentCloud
|
|
|
769 hostedZoneName:
|
|
|
770 description: name of the DNS zone that should be used
|
|
|
771 type: string
|
|
|
772 managedIdentity:
|
|
|
773 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
|
|
|
774 type: object
|
|
|
775 properties:
|
|
|
776 clientID:
|
|
|
777 description: client ID of the managed identity, can not be used at the same time as resourceID
|
|
|
778 type: string
|
|
|
779 resourceID:
|
|
|
780 description: resource ID of the managed identity, can not be used at the same time as clientID
|
|
|
781 type: string
|
|
|
782 resourceGroupName:
|
|
|
783 description: resource group the DNS zone is located in
|
|
|
784 type: string
|
|
|
785 subscriptionID:
|
|
|
786 description: ID of the Azure subscription
|
|
|
787 type: string
|
|
|
788 tenantID:
|
|
|
789 description: when specifying ClientID and ClientSecret then this field is also needed
|
|
|
790 type: string
|
|
|
791 cloudDNS:
|
|
|
792 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
|
|
|
793 type: object
|
|
|
794 required:
|
|
|
795 - project
|
|
|
796 properties:
|
|
|
797 hostedZoneName:
|
|
|
798 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
|
|
|
799 type: string
|
|
|
800 project:
|
|
|
801 type: string
|
|
|
802 serviceAccountSecretRef:
|
|
|
803 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
804 type: object
|
|
|
805 required:
|
|
|
806 - name
|
|
|
807 properties:
|
|
|
808 key:
|
|
|
809 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
810 type: string
|
|
|
811 name:
|
|
|
812 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
813 type: string
|
|
|
814 cloudflare:
|
|
|
815 description: Use the Cloudflare API to manage DNS01 challenge records.
|
|
|
816 type: object
|
|
|
817 properties:
|
|
|
818 apiKeySecretRef:
|
|
|
819 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
|
|
|
820 type: object
|
|
|
821 required:
|
|
|
822 - name
|
|
|
823 properties:
|
|
|
824 key:
|
|
|
825 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
826 type: string
|
|
|
827 name:
|
|
|
828 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
829 type: string
|
|
|
830 apiTokenSecretRef:
|
|
|
831 description: API token used to authenticate with Cloudflare.
|
|
|
832 type: object
|
|
|
833 required:
|
|
|
834 - name
|
|
|
835 properties:
|
|
|
836 key:
|
|
|
837 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
838 type: string
|
|
|
839 name:
|
|
|
840 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
841 type: string
|
|
|
842 email:
|
|
|
843 description: Email of the account, only required when using API key based authentication.
|
|
|
844 type: string
|
|
|
845 cnameStrategy:
|
|
|
846 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
|
|
|
847 type: string
|
|
|
848 enum:
|
|
|
849 - None
|
|
|
850 - Follow
|
|
|
851 digitalocean:
|
|
|
852 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
|
|
|
853 type: object
|
|
|
854 required:
|
|
|
855 - tokenSecretRef
|
|
|
856 properties:
|
|
|
857 tokenSecretRef:
|
|
|
858 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
859 type: object
|
|
|
860 required:
|
|
|
861 - name
|
|
|
862 properties:
|
|
|
863 key:
|
|
|
864 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
865 type: string
|
|
|
866 name:
|
|
|
867 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
868 type: string
|
|
|
869 rfc2136:
|
|
|
870 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
|
|
|
871 type: object
|
|
|
872 required:
|
|
|
873 - nameserver
|
|
|
874 properties:
|
|
|
875 nameserver:
|
|
|
876 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])Â ; port is optional. This field is required.
|
|
|
877 type: string
|
|
|
878 tsigAlgorithm:
|
|
|
879 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
|
|
880 type: string
|
|
|
881 tsigKeyName:
|
|
|
882 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
|
|
|
883 type: string
|
|
|
884 tsigSecretSecretRef:
|
|
|
885 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
|
|
|
886 type: object
|
|
|
887 required:
|
|
|
888 - name
|
|
|
889 properties:
|
|
|
890 key:
|
|
|
891 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
892 type: string
|
|
|
893 name:
|
|
|
894 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
895 type: string
|
|
|
896 route53:
|
|
|
897 description: Use the AWS Route53 API to manage DNS01 challenge records.
|
|
|
898 type: object
|
|
|
899 required:
|
|
|
900 - region
|
|
|
901 properties:
|
|
|
902 accessKeyID:
|
|
|
903 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
904 type: string
|
|
|
905 accessKeyIDSecretRef:
|
|
|
906 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
907 type: object
|
|
|
908 required:
|
|
|
909 - name
|
|
|
910 properties:
|
|
|
911 key:
|
|
|
912 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
913 type: string
|
|
|
914 name:
|
|
|
915 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
916 type: string
|
|
|
917 hostedZoneID:
|
|
|
918 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
|
|
|
919 type: string
|
|
|
920 region:
|
|
|
921 description: Always set the region when using AccessKeyID and SecretAccessKey
|
|
|
922 type: string
|
|
|
923 role:
|
|
|
924 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
|
|
|
925 type: string
|
|
|
926 secretAccessKeySecretRef:
|
|
|
927 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
928 type: object
|
|
|
929 required:
|
|
|
930 - name
|
|
|
931 properties:
|
|
|
932 key:
|
|
|
933 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
934 type: string
|
|
|
935 name:
|
|
|
936 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
937 type: string
|
|
|
938 webhook:
|
|
|
939 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
|
|
|
940 type: object
|
|
|
941 required:
|
|
|
942 - groupName
|
|
|
943 - solverName
|
|
|
944 properties:
|
|
|
945 config:
|
|
|
946 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
|
|
|
947 x-kubernetes-preserve-unknown-fields: true
|
|
|
948 groupName:
|
|
|
949 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
|
|
|
950 type: string
|
|
|
951 solverName:
|
|
|
952 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
|
|
|
953 type: string
|
|
|
954 http01:
|
|
|
955 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
|
|
|
956 type: object
|
|
|
957 properties:
|
|
|
958 gatewayHTTPRoute:
|
|
|
959 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
|
|
|
960 type: object
|
|
|
961 properties:
|
|
|
962 labels:
|
|
|
963 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
|
|
|
964 type: object
|
|
|
965 additionalProperties:
|
|
|
966 type: string
|
|
|
967 parentRefs:
|
|
|
968 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
|
|
|
969 type: array
|
|
|
970 items:
|
|
|
971 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
|
|
|
972 type: object
|
|
|
973 required:
|
|
|
974 - name
|
|
|
975 properties:
|
|
|
976 group:
|
|
|
977 description: "Group is the group of the referent. \n Support: Core"
|
|
|
978 type: string
|
|
|
979 default: gateway.networking.k8s.io
|
|
|
980 maxLength: 253
|
|
|
981 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
982 kind:
|
|
|
983 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
|
|
|
984 type: string
|
|
|
985 default: Gateway
|
|
|
986 maxLength: 63
|
|
|
987 minLength: 1
|
|
|
988 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|
|
989 name:
|
|
|
990 description: "Name is the name of the referent. \n Support: Core"
|
|
|
991 type: string
|
|
|
992 maxLength: 253
|
|
|
993 minLength: 1
|
|
|
994 namespace:
|
|
|
995 description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
|
|
|
996 type: string
|
|
|
997 maxLength: 63
|
|
|
998 minLength: 1
|
|
|
999 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
1000 sectionName:
|
|
|
1001 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
|
|
|
1002 type: string
|
|
|
1003 maxLength: 253
|
|
|
1004 minLength: 1
|
|
|
1005 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
1006 serviceType:
|
|
|
1007 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|
|
1008 type: string
|
|
|
1009 ingress:
|
|
|
1010 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
|
|
|
1011 type: object
|
|
|
1012 properties:
|
|
|
1013 class:
|
|
|
1014 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
|
|
|
1015 type: string
|
|
|
1016 ingressTemplate:
|
|
|
1017 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
|
|
|
1018 type: object
|
|
|
1019 properties:
|
|
|
1020 metadata:
|
|
|
1021 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
|
|
|
1022 type: object
|
|
|
1023 properties:
|
|
|
1024 annotations:
|
|
|
1025 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
|
|
|
1026 type: object
|
|
|
1027 additionalProperties:
|
|
|
1028 type: string
|
|
|
1029 labels:
|
|
|
1030 description: Labels that should be added to the created ACME HTTP01 solver ingress.
|
|
|
1031 type: object
|
|
|
1032 additionalProperties:
|
|
|
1033 type: string
|
|
|
1034 name:
|
|
|
1035 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
|
|
|
1036 type: string
|
|
|
1037 podTemplate:
|
|
|
1038 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
|
|
|
1039 type: object
|
|
|
1040 properties:
|
|
|
1041 metadata:
|
|
|
1042 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
|
|
|
1043 type: object
|
|
|
1044 properties:
|
|
|
1045 annotations:
|
|
|
1046 description: Annotations that should be added to the create ACME HTTP01 solver pods.
|
|
|
1047 type: object
|
|
|
1048 additionalProperties:
|
|
|
1049 type: string
|
|
|
1050 labels:
|
|
|
1051 description: Labels that should be added to the created ACME HTTP01 solver pods.
|
|
|
1052 type: object
|
|
|
1053 additionalProperties:
|
|
|
1054 type: string
|
|
|
1055 spec:
|
|
|
1056 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
|
|
|
1057 type: object
|
|
|
1058 properties:
|
|
|
1059 affinity:
|
|
|
1060 description: If specified, the pod's scheduling constraints
|
|
|
1061 type: object
|
|
|
1062 properties:
|
|
|
1063 nodeAffinity:
|
|
|
1064 description: Describes node affinity scheduling rules for the pod.
|
|
|
1065 type: object
|
|
|
1066 properties:
|
|
|
1067 preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
1068 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
|
|
|
1069 type: array
|
|
|
1070 items:
|
|
|
1071 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
|
|
|
1072 type: object
|
|
|
1073 required:
|
|
|
1074 - preference
|
|
|
1075 - weight
|
|
|
1076 properties:
|
|
|
1077 preference:
|
|
|
1078 description: A node selector term, associated with the corresponding weight.
|
|
|
1079 type: object
|
|
|
1080 properties:
|
|
|
1081 matchExpressions:
|
|
|
1082 description: A list of node selector requirements by node's labels.
|
|
|
1083 type: array
|
|
|
1084 items:
|
|
|
1085 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1086 type: object
|
|
|
1087 required:
|
|
|
1088 - key
|
|
|
1089 - operator
|
|
|
1090 properties:
|
|
|
1091 key:
|
|
|
1092 description: The label key that the selector applies to.
|
|
|
1093 type: string
|
|
|
1094 operator:
|
|
|
1095 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
1096 type: string
|
|
|
1097 values:
|
|
|
1098 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
1099 type: array
|
|
|
1100 items:
|
|
|
1101 type: string
|
|
|
1102 matchFields:
|
|
|
1103 description: A list of node selector requirements by node's fields.
|
|
|
1104 type: array
|
|
|
1105 items:
|
|
|
1106 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1107 type: object
|
|
|
1108 required:
|
|
|
1109 - key
|
|
|
1110 - operator
|
|
|
1111 properties:
|
|
|
1112 key:
|
|
|
1113 description: The label key that the selector applies to.
|
|
|
1114 type: string
|
|
|
1115 operator:
|
|
|
1116 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
1117 type: string
|
|
|
1118 values:
|
|
|
1119 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
1120 type: array
|
|
|
1121 items:
|
|
|
1122 type: string
|
|
|
1123 weight:
|
|
|
1124 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
|
|
|
1125 type: integer
|
|
|
1126 format: int32
|
|
|
1127 requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
1128 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
|
|
|
1129 type: object
|
|
|
1130 required:
|
|
|
1131 - nodeSelectorTerms
|
|
|
1132 properties:
|
|
|
1133 nodeSelectorTerms:
|
|
|
1134 description: Required. A list of node selector terms. The terms are ORed.
|
|
|
1135 type: array
|
|
|
1136 items:
|
|
|
1137 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
|
|
|
1138 type: object
|
|
|
1139 properties:
|
|
|
1140 matchExpressions:
|
|
|
1141 description: A list of node selector requirements by node's labels.
|
|
|
1142 type: array
|
|
|
1143 items:
|
|
|
1144 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1145 type: object
|
|
|
1146 required:
|
|
|
1147 - key
|
|
|
1148 - operator
|
|
|
1149 properties:
|
|
|
1150 key:
|
|
|
1151 description: The label key that the selector applies to.
|
|
|
1152 type: string
|
|
|
1153 operator:
|
|
|
1154 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
1155 type: string
|
|
|
1156 values:
|
|
|
1157 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
1158 type: array
|
|
|
1159 items:
|
|
|
1160 type: string
|
|
|
1161 matchFields:
|
|
|
1162 description: A list of node selector requirements by node's fields.
|
|
|
1163 type: array
|
|
|
1164 items:
|
|
|
1165 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1166 type: object
|
|
|
1167 required:
|
|
|
1168 - key
|
|
|
1169 - operator
|
|
|
1170 properties:
|
|
|
1171 key:
|
|
|
1172 description: The label key that the selector applies to.
|
|
|
1173 type: string
|
|
|
1174 operator:
|
|
|
1175 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
1176 type: string
|
|
|
1177 values:
|
|
|
1178 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
1179 type: array
|
|
|
1180 items:
|
|
|
1181 type: string
|
|
|
1182 podAffinity:
|
|
|
1183 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
|
|
|
1184 type: object
|
|
|
1185 properties:
|
|
|
1186 preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
1187 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
|
|
|
1188 type: array
|
|
|
1189 items:
|
|
|
1190 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|
|
1191 type: object
|
|
|
1192 required:
|
|
|
1193 - podAffinityTerm
|
|
|
1194 - weight
|
|
|
1195 properties:
|
|
|
1196 podAffinityTerm:
|
|
|
1197 description: Required. A pod affinity term, associated with the corresponding weight.
|
|
|
1198 type: object
|
|
|
1199 required:
|
|
|
1200 - topologyKey
|
|
|
1201 properties:
|
|
|
1202 labelSelector:
|
|
|
1203 description: A label query over a set of resources, in this case pods.
|
|
|
1204 type: object
|
|
|
1205 properties:
|
|
|
1206 matchExpressions:
|
|
|
1207 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
1208 type: array
|
|
|
1209 items:
|
|
|
1210 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1211 type: object
|
|
|
1212 required:
|
|
|
1213 - key
|
|
|
1214 - operator
|
|
|
1215 properties:
|
|
|
1216 key:
|
|
|
1217 description: key is the label key that the selector applies to.
|
|
|
1218 type: string
|
|
|
1219 operator:
|
|
|
1220 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
1221 type: string
|
|
|
1222 values:
|
|
|
1223 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
1224 type: array
|
|
|
1225 items:
|
|
|
1226 type: string
|
|
|
1227 matchLabels:
|
|
|
1228 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
1229 type: object
|
|
|
1230 additionalProperties:
|
|
|
1231 type: string
|
|
|
1232 namespaceSelector:
|
|
|
1233 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
1234 type: object
|
|
|
1235 properties:
|
|
|
1236 matchExpressions:
|
|
|
1237 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
1238 type: array
|
|
|
1239 items:
|
|
|
1240 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1241 type: object
|
|
|
1242 required:
|
|
|
1243 - key
|
|
|
1244 - operator
|
|
|
1245 properties:
|
|
|
1246 key:
|
|
|
1247 description: key is the label key that the selector applies to.
|
|
|
1248 type: string
|
|
|
1249 operator:
|
|
|
1250 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
1251 type: string
|
|
|
1252 values:
|
|
|
1253 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
1254 type: array
|
|
|
1255 items:
|
|
|
1256 type: string
|
|
|
1257 matchLabels:
|
|
|
1258 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
1259 type: object
|
|
|
1260 additionalProperties:
|
|
|
1261 type: string
|
|
|
1262 namespaces:
|
|
|
1263 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
1264 type: array
|
|
|
1265 items:
|
|
|
1266 type: string
|
|
|
1267 topologyKey:
|
|
|
1268 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
1269 type: string
|
|
|
1270 weight:
|
|
|
1271 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
|
|
|
1272 type: integer
|
|
|
1273 format: int32
|
|
|
1274 requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
1275 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|
|
1276 type: array
|
|
|
1277 items:
|
|
|
1278 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
|
|
|
1279 type: object
|
|
|
1280 required:
|
|
|
1281 - topologyKey
|
|
|
1282 properties:
|
|
|
1283 labelSelector:
|
|
|
1284 description: A label query over a set of resources, in this case pods.
|
|
|
1285 type: object
|
|
|
1286 properties:
|
|
|
1287 matchExpressions:
|
|
|
1288 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
1289 type: array
|
|
|
1290 items:
|
|
|
1291 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1292 type: object
|
|
|
1293 required:
|
|
|
1294 - key
|
|
|
1295 - operator
|
|
|
1296 properties:
|
|
|
1297 key:
|
|
|
1298 description: key is the label key that the selector applies to.
|
|
|
1299 type: string
|
|
|
1300 operator:
|
|
|
1301 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
1302 type: string
|
|
|
1303 values:
|
|
|
1304 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
1305 type: array
|
|
|
1306 items:
|
|
|
1307 type: string
|
|
|
1308 matchLabels:
|
|
|
1309 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
1310 type: object
|
|
|
1311 additionalProperties:
|
|
|
1312 type: string
|
|
|
1313 namespaceSelector:
|
|
|
1314 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
1315 type: object
|
|
|
1316 properties:
|
|
|
1317 matchExpressions:
|
|
|
1318 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
1319 type: array
|
|
|
1320 items:
|
|
|
1321 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1322 type: object
|
|
|
1323 required:
|
|
|
1324 - key
|
|
|
1325 - operator
|
|
|
1326 properties:
|
|
|
1327 key:
|
|
|
1328 description: key is the label key that the selector applies to.
|
|
|
1329 type: string
|
|
|
1330 operator:
|
|
|
1331 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
1332 type: string
|
|
|
1333 values:
|
|
|
1334 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
1335 type: array
|
|
|
1336 items:
|
|
|
1337 type: string
|
|
|
1338 matchLabels:
|
|
|
1339 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
1340 type: object
|
|
|
1341 additionalProperties:
|
|
|
1342 type: string
|
|
|
1343 namespaces:
|
|
|
1344 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
1345 type: array
|
|
|
1346 items:
|
|
|
1347 type: string
|
|
|
1348 topologyKey:
|
|
|
1349 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
1350 type: string
|
|
|
1351 podAntiAffinity:
|
|
|
1352 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
|
|
|
1353 type: object
|
|
|
1354 properties:
|
|
|
1355 preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
1356 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
|
|
|
1357 type: array
|
|
|
1358 items:
|
|
|
1359 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|
|
1360 type: object
|
|
|
1361 required:
|
|
|
1362 - podAffinityTerm
|
|
|
1363 - weight
|
|
|
1364 properties:
|
|
|
1365 podAffinityTerm:
|
|
|
1366 description: Required. A pod affinity term, associated with the corresponding weight.
|
|
|
1367 type: object
|
|
|
1368 required:
|
|
|
1369 - topologyKey
|
|
|
1370 properties:
|
|
|
1371 labelSelector:
|
|
|
1372 description: A label query over a set of resources, in this case pods.
|
|
|
1373 type: object
|
|
|
1374 properties:
|
|
|
1375 matchExpressions:
|
|
|
1376 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
1377 type: array
|
|
|
1378 items:
|
|
|
1379 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1380 type: object
|
|
|
1381 required:
|
|
|
1382 - key
|
|
|
1383 - operator
|
|
|
1384 properties:
|
|
|
1385 key:
|
|
|
1386 description: key is the label key that the selector applies to.
|
|
|
1387 type: string
|
|
|
1388 operator:
|
|
|
1389 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
1390 type: string
|
|
|
1391 values:
|
|
|
1392 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
1393 type: array
|
|
|
1394 items:
|
|
|
1395 type: string
|
|
|
1396 matchLabels:
|
|
|
1397 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
1398 type: object
|
|
|
1399 additionalProperties:
|
|
|
1400 type: string
|
|
|
1401 namespaceSelector:
|
|
|
1402 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
1403 type: object
|
|
|
1404 properties:
|
|
|
1405 matchExpressions:
|
|
|
1406 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
1407 type: array
|
|
|
1408 items:
|
|
|
1409 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1410 type: object
|
|
|
1411 required:
|
|
|
1412 - key
|
|
|
1413 - operator
|
|
|
1414 properties:
|
|
|
1415 key:
|
|
|
1416 description: key is the label key that the selector applies to.
|
|
|
1417 type: string
|
|
|
1418 operator:
|
|
|
1419 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
1420 type: string
|
|
|
1421 values:
|
|
|
1422 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
1423 type: array
|
|
|
1424 items:
|
|
|
1425 type: string
|
|
|
1426 matchLabels:
|
|
|
1427 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
1428 type: object
|
|
|
1429 additionalProperties:
|
|
|
1430 type: string
|
|
|
1431 namespaces:
|
|
|
1432 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
1433 type: array
|
|
|
1434 items:
|
|
|
1435 type: string
|
|
|
1436 topologyKey:
|
|
|
1437 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
1438 type: string
|
|
|
1439 weight:
|
|
|
1440 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
|
|
|
1441 type: integer
|
|
|
1442 format: int32
|
|
|
1443 requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
1444 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|
|
1445 type: array
|
|
|
1446 items:
|
|
|
1447 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
|
|
|
1448 type: object
|
|
|
1449 required:
|
|
|
1450 - topologyKey
|
|
|
1451 properties:
|
|
|
1452 labelSelector:
|
|
|
1453 description: A label query over a set of resources, in this case pods.
|
|
|
1454 type: object
|
|
|
1455 properties:
|
|
|
1456 matchExpressions:
|
|
|
1457 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
1458 type: array
|
|
|
1459 items:
|
|
|
1460 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1461 type: object
|
|
|
1462 required:
|
|
|
1463 - key
|
|
|
1464 - operator
|
|
|
1465 properties:
|
|
|
1466 key:
|
|
|
1467 description: key is the label key that the selector applies to.
|
|
|
1468 type: string
|
|
|
1469 operator:
|
|
|
1470 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
1471 type: string
|
|
|
1472 values:
|
|
|
1473 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
1474 type: array
|
|
|
1475 items:
|
|
|
1476 type: string
|
|
|
1477 matchLabels:
|
|
|
1478 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
1479 type: object
|
|
|
1480 additionalProperties:
|
|
|
1481 type: string
|
|
|
1482 namespaceSelector:
|
|
|
1483 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
1484 type: object
|
|
|
1485 properties:
|
|
|
1486 matchExpressions:
|
|
|
1487 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
1488 type: array
|
|
|
1489 items:
|
|
|
1490 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
1491 type: object
|
|
|
1492 required:
|
|
|
1493 - key
|
|
|
1494 - operator
|
|
|
1495 properties:
|
|
|
1496 key:
|
|
|
1497 description: key is the label key that the selector applies to.
|
|
|
1498 type: string
|
|
|
1499 operator:
|
|
|
1500 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
1501 type: string
|
|
|
1502 values:
|
|
|
1503 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
1504 type: array
|
|
|
1505 items:
|
|
|
1506 type: string
|
|
|
1507 matchLabels:
|
|
|
1508 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
1509 type: object
|
|
|
1510 additionalProperties:
|
|
|
1511 type: string
|
|
|
1512 namespaces:
|
|
|
1513 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
1514 type: array
|
|
|
1515 items:
|
|
|
1516 type: string
|
|
|
1517 topologyKey:
|
|
|
1518 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
1519 type: string
|
|
|
1520 nodeSelector:
|
|
|
1521 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
|
|
1522 type: object
|
|
|
1523 additionalProperties:
|
|
|
1524 type: string
|
|
|
1525 priorityClassName:
|
|
|
1526 description: If specified, the pod's priorityClassName.
|
|
|
1527 type: string
|
|
|
1528 serviceAccountName:
|
|
|
1529 description: If specified, the pod's service account
|
|
|
1530 type: string
|
|
|
1531 tolerations:
|
|
|
1532 description: If specified, the pod's tolerations.
|
|
|
1533 type: array
|
|
|
1534 items:
|
|
|
1535 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
|
|
|
1536 type: object
|
|
|
1537 properties:
|
|
|
1538 effect:
|
|
|
1539 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
|
|
|
1540 type: string
|
|
|
1541 key:
|
|
|
1542 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
|
|
|
1543 type: string
|
|
|
1544 operator:
|
|
|
1545 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
|
|
|
1546 type: string
|
|
|
1547 tolerationSeconds:
|
|
|
1548 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
|
|
|
1549 type: integer
|
|
|
1550 format: int64
|
|
|
1551 value:
|
|
|
1552 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
|
|
|
1553 type: string
|
|
|
1554 serviceType:
|
|
|
1555 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|
|
1556 type: string
|
|
|
1557 selector:
|
|
|
1558 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
|
|
|
1559 type: object
|
|
|
1560 properties:
|
|
|
1561 dnsNames:
|
|
|
1562 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
|
|
|
1563 type: array
|
|
|
1564 items:
|
|
|
1565 type: string
|
|
|
1566 dnsZones:
|
|
|
1567 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
|
|
|
1568 type: array
|
|
|
1569 items:
|
|
|
1570 type: string
|
|
|
1571 matchLabels:
|
|
|
1572 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
|
|
|
1573 type: object
|
|
|
1574 additionalProperties:
|
|
|
1575 type: string
|
|
|
1576 token:
|
|
|
1577 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
|
|
|
1578 type: string
|
|
|
1579 type:
|
|
|
1580 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
|
|
|
1581 type: string
|
|
|
1582 enum:
|
|
|
1583 - HTTP-01
|
|
|
1584 - DNS-01
|
|
|
1585 url:
|
|
|
1586 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
|
|
|
1587 type: string
|
|
|
1588 wildcard:
|
|
|
1589 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
|
|
|
1590 type: boolean
|
|
|
1591 status:
|
|
|
1592 type: object
|
|
|
1593 properties:
|
|
|
1594 presented:
|
|
|
1595 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
|
|
|
1596 type: boolean
|
|
|
1597 processing:
|
|
|
1598 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
|
|
|
1599 type: boolean
|
|
|
1600 reason:
|
|
|
1601 description: Contains human readable information on why the Challenge is in the current state.
|
|
|
1602 type: string
|
|
|
1603 state:
|
|
|
1604 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
|
|
|
1605 type: string
|
|
|
1606 enum:
|
|
|
1607 - valid
|
|
|
1608 - ready
|
|
|
1609 - pending
|
|
|
1610 - processing
|
|
|
1611 - invalid
|
|
|
1612 - expired
|
|
|
1613 - errored
|
|
|
1614 served: true
|
|
|
1615 storage: true
|
|
|
1616 subresources:
|
|
|
1617 status: {}
|
|
|
1618 ---
|
|
|
1619 # Source: cert-manager/templates/crd-templates.yaml
|
|
|
1620 apiVersion: apiextensions.k8s.io/v1
|
|
|
1621 kind: CustomResourceDefinition
|
|
|
1622 metadata:
|
|
|
1623 name: clusterissuers.cert-manager.io
|
|
|
1624 labels:
|
|
|
1625 app: 'cert-manager'
|
|
|
1626 app.kubernetes.io/name: 'cert-manager'
|
|
|
1627 app.kubernetes.io/instance: 'cert-manager'
|
|
|
1628 # Generated labels
|
|
8
|
1629 app.kubernetes.io/version: "v1.10.1"
|
|
0
|
1630 spec:
|
|
|
1631 group: cert-manager.io
|
|
|
1632 names:
|
|
|
1633 kind: ClusterIssuer
|
|
|
1634 listKind: ClusterIssuerList
|
|
|
1635 plural: clusterissuers
|
|
|
1636 singular: clusterissuer
|
|
|
1637 categories:
|
|
|
1638 - cert-manager
|
|
|
1639 scope: Cluster
|
|
|
1640 versions:
|
|
|
1641 - name: v1
|
|
|
1642 subresources:
|
|
|
1643 status: {}
|
|
|
1644 additionalPrinterColumns:
|
|
|
1645 - jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
|
1646 name: Ready
|
|
|
1647 type: string
|
|
|
1648 - jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|
|
1649 name: Status
|
|
|
1650 priority: 1
|
|
|
1651 type: string
|
|
|
1652 - jsonPath: .metadata.creationTimestamp
|
|
|
1653 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|
|
1654 name: Age
|
|
|
1655 type: date
|
|
|
1656 schema:
|
|
|
1657 openAPIV3Schema:
|
|
|
1658 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
|
|
|
1659 type: object
|
|
|
1660 required:
|
|
|
1661 - spec
|
|
|
1662 properties:
|
|
|
1663 apiVersion:
|
|
|
1664 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
|
1665 type: string
|
|
|
1666 kind:
|
|
|
1667 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
|
1668 type: string
|
|
|
1669 metadata:
|
|
|
1670 type: object
|
|
|
1671 spec:
|
|
|
1672 description: Desired state of the ClusterIssuer resource.
|
|
|
1673 type: object
|
|
|
1674 properties:
|
|
|
1675 acme:
|
|
|
1676 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
|
|
|
1677 type: object
|
|
|
1678 required:
|
|
|
1679 - privateKeySecretRef
|
|
|
1680 - server
|
|
|
1681 properties:
|
|
|
1682 disableAccountKeyGeneration:
|
|
|
1683 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
|
|
|
1684 type: boolean
|
|
|
1685 email:
|
|
|
1686 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
|
|
|
1687 type: string
|
|
|
1688 enableDurationFeature:
|
|
|
1689 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
|
|
|
1690 type: boolean
|
|
|
1691 externalAccountBinding:
|
|
|
1692 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
|
|
|
1693 type: object
|
|
|
1694 required:
|
|
|
1695 - keyID
|
|
|
1696 - keySecretRef
|
|
|
1697 properties:
|
|
|
1698 keyAlgorithm:
|
|
|
1699 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
|
|
|
1700 type: string
|
|
|
1701 enum:
|
|
|
1702 - HS256
|
|
|
1703 - HS384
|
|
|
1704 - HS512
|
|
|
1705 keyID:
|
|
|
1706 description: keyID is the ID of the CA key that the External Account is bound to.
|
|
|
1707 type: string
|
|
|
1708 keySecretRef:
|
|
|
1709 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
|
|
|
1710 type: object
|
|
|
1711 required:
|
|
|
1712 - name
|
|
|
1713 properties:
|
|
|
1714 key:
|
|
|
1715 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1716 type: string
|
|
|
1717 name:
|
|
|
1718 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1719 type: string
|
|
|
1720 preferredChain:
|
|
|
1721 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
|
|
|
1722 type: string
|
|
|
1723 maxLength: 64
|
|
|
1724 privateKeySecretRef:
|
|
|
1725 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
|
|
|
1726 type: object
|
|
|
1727 required:
|
|
|
1728 - name
|
|
|
1729 properties:
|
|
|
1730 key:
|
|
|
1731 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1732 type: string
|
|
|
1733 name:
|
|
|
1734 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1735 type: string
|
|
|
1736 server:
|
|
|
1737 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
|
|
1738 type: string
|
|
|
1739 skipTLSVerify:
|
|
|
1740 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
|
|
|
1741 type: boolean
|
|
|
1742 solvers:
|
|
|
1743 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
|
|
1744 type: array
|
|
|
1745 items:
|
|
|
1746 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
|
|
|
1747 type: object
|
|
|
1748 properties:
|
|
|
1749 dns01:
|
|
|
1750 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
|
|
|
1751 type: object
|
|
|
1752 properties:
|
|
|
1753 acmeDNS:
|
|
|
1754 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
|
|
|
1755 type: object
|
|
|
1756 required:
|
|
|
1757 - accountSecretRef
|
|
|
1758 - host
|
|
|
1759 properties:
|
|
|
1760 accountSecretRef:
|
|
|
1761 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
1762 type: object
|
|
|
1763 required:
|
|
|
1764 - name
|
|
|
1765 properties:
|
|
|
1766 key:
|
|
|
1767 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1768 type: string
|
|
|
1769 name:
|
|
|
1770 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1771 type: string
|
|
|
1772 host:
|
|
|
1773 type: string
|
|
|
1774 akamai:
|
|
|
1775 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
|
|
|
1776 type: object
|
|
|
1777 required:
|
|
|
1778 - accessTokenSecretRef
|
|
|
1779 - clientSecretSecretRef
|
|
|
1780 - clientTokenSecretRef
|
|
|
1781 - serviceConsumerDomain
|
|
|
1782 properties:
|
|
|
1783 accessTokenSecretRef:
|
|
|
1784 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
1785 type: object
|
|
|
1786 required:
|
|
|
1787 - name
|
|
|
1788 properties:
|
|
|
1789 key:
|
|
|
1790 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1791 type: string
|
|
|
1792 name:
|
|
|
1793 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1794 type: string
|
|
|
1795 clientSecretSecretRef:
|
|
|
1796 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
1797 type: object
|
|
|
1798 required:
|
|
|
1799 - name
|
|
|
1800 properties:
|
|
|
1801 key:
|
|
|
1802 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1803 type: string
|
|
|
1804 name:
|
|
|
1805 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1806 type: string
|
|
|
1807 clientTokenSecretRef:
|
|
|
1808 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
1809 type: object
|
|
|
1810 required:
|
|
|
1811 - name
|
|
|
1812 properties:
|
|
|
1813 key:
|
|
|
1814 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1815 type: string
|
|
|
1816 name:
|
|
|
1817 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1818 type: string
|
|
|
1819 serviceConsumerDomain:
|
|
|
1820 type: string
|
|
|
1821 azureDNS:
|
|
|
1822 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
|
|
|
1823 type: object
|
|
|
1824 required:
|
|
|
1825 - resourceGroupName
|
|
|
1826 - subscriptionID
|
|
|
1827 properties:
|
|
|
1828 clientID:
|
|
|
1829 description: if both this and ClientSecret are left unset MSI will be used
|
|
|
1830 type: string
|
|
|
1831 clientSecretSecretRef:
|
|
|
1832 description: if both this and ClientID are left unset MSI will be used
|
|
|
1833 type: object
|
|
|
1834 required:
|
|
|
1835 - name
|
|
|
1836 properties:
|
|
|
1837 key:
|
|
|
1838 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1839 type: string
|
|
|
1840 name:
|
|
|
1841 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1842 type: string
|
|
|
1843 environment:
|
|
|
1844 description: name of the Azure environment (default AzurePublicCloud)
|
|
|
1845 type: string
|
|
|
1846 enum:
|
|
|
1847 - AzurePublicCloud
|
|
|
1848 - AzureChinaCloud
|
|
|
1849 - AzureGermanCloud
|
|
|
1850 - AzureUSGovernmentCloud
|
|
|
1851 hostedZoneName:
|
|
|
1852 description: name of the DNS zone that should be used
|
|
|
1853 type: string
|
|
|
1854 managedIdentity:
|
|
|
1855 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
|
|
|
1856 type: object
|
|
|
1857 properties:
|
|
|
1858 clientID:
|
|
|
1859 description: client ID of the managed identity, can not be used at the same time as resourceID
|
|
|
1860 type: string
|
|
|
1861 resourceID:
|
|
|
1862 description: resource ID of the managed identity, can not be used at the same time as clientID
|
|
|
1863 type: string
|
|
|
1864 resourceGroupName:
|
|
|
1865 description: resource group the DNS zone is located in
|
|
|
1866 type: string
|
|
|
1867 subscriptionID:
|
|
|
1868 description: ID of the Azure subscription
|
|
|
1869 type: string
|
|
|
1870 tenantID:
|
|
|
1871 description: when specifying ClientID and ClientSecret then this field is also needed
|
|
|
1872 type: string
|
|
|
1873 cloudDNS:
|
|
|
1874 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
|
|
|
1875 type: object
|
|
|
1876 required:
|
|
|
1877 - project
|
|
|
1878 properties:
|
|
|
1879 hostedZoneName:
|
|
|
1880 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
|
|
|
1881 type: string
|
|
|
1882 project:
|
|
|
1883 type: string
|
|
|
1884 serviceAccountSecretRef:
|
|
|
1885 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
1886 type: object
|
|
|
1887 required:
|
|
|
1888 - name
|
|
|
1889 properties:
|
|
|
1890 key:
|
|
|
1891 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1892 type: string
|
|
|
1893 name:
|
|
|
1894 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1895 type: string
|
|
|
1896 cloudflare:
|
|
|
1897 description: Use the Cloudflare API to manage DNS01 challenge records.
|
|
|
1898 type: object
|
|
|
1899 properties:
|
|
|
1900 apiKeySecretRef:
|
|
|
1901 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
|
|
|
1902 type: object
|
|
|
1903 required:
|
|
|
1904 - name
|
|
|
1905 properties:
|
|
|
1906 key:
|
|
|
1907 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1908 type: string
|
|
|
1909 name:
|
|
|
1910 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1911 type: string
|
|
|
1912 apiTokenSecretRef:
|
|
|
1913 description: API token used to authenticate with Cloudflare.
|
|
|
1914 type: object
|
|
|
1915 required:
|
|
|
1916 - name
|
|
|
1917 properties:
|
|
|
1918 key:
|
|
|
1919 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1920 type: string
|
|
|
1921 name:
|
|
|
1922 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1923 type: string
|
|
|
1924 email:
|
|
|
1925 description: Email of the account, only required when using API key based authentication.
|
|
|
1926 type: string
|
|
|
1927 cnameStrategy:
|
|
|
1928 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
|
|
|
1929 type: string
|
|
|
1930 enum:
|
|
|
1931 - None
|
|
|
1932 - Follow
|
|
|
1933 digitalocean:
|
|
|
1934 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
|
|
|
1935 type: object
|
|
|
1936 required:
|
|
|
1937 - tokenSecretRef
|
|
|
1938 properties:
|
|
|
1939 tokenSecretRef:
|
|
|
1940 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
1941 type: object
|
|
|
1942 required:
|
|
|
1943 - name
|
|
|
1944 properties:
|
|
|
1945 key:
|
|
|
1946 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1947 type: string
|
|
|
1948 name:
|
|
|
1949 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1950 type: string
|
|
|
1951 rfc2136:
|
|
|
1952 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
|
|
|
1953 type: object
|
|
|
1954 required:
|
|
|
1955 - nameserver
|
|
|
1956 properties:
|
|
|
1957 nameserver:
|
|
|
1958 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])Â ; port is optional. This field is required.
|
|
|
1959 type: string
|
|
|
1960 tsigAlgorithm:
|
|
|
1961 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
|
|
1962 type: string
|
|
|
1963 tsigKeyName:
|
|
|
1964 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
|
|
|
1965 type: string
|
|
|
1966 tsigSecretSecretRef:
|
|
|
1967 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
|
|
|
1968 type: object
|
|
|
1969 required:
|
|
|
1970 - name
|
|
|
1971 properties:
|
|
|
1972 key:
|
|
|
1973 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1974 type: string
|
|
|
1975 name:
|
|
|
1976 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1977 type: string
|
|
|
1978 route53:
|
|
|
1979 description: Use the AWS Route53 API to manage DNS01 challenge records.
|
|
|
1980 type: object
|
|
|
1981 required:
|
|
|
1982 - region
|
|
|
1983 properties:
|
|
|
1984 accessKeyID:
|
|
|
1985 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
1986 type: string
|
|
|
1987 accessKeyIDSecretRef:
|
|
|
1988 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
1989 type: object
|
|
|
1990 required:
|
|
|
1991 - name
|
|
|
1992 properties:
|
|
|
1993 key:
|
|
|
1994 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
1995 type: string
|
|
|
1996 name:
|
|
|
1997 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
1998 type: string
|
|
|
1999 hostedZoneID:
|
|
|
2000 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
|
|
|
2001 type: string
|
|
|
2002 region:
|
|
|
2003 description: Always set the region when using AccessKeyID and SecretAccessKey
|
|
|
2004 type: string
|
|
|
2005 role:
|
|
|
2006 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
|
|
|
2007 type: string
|
|
|
2008 secretAccessKeySecretRef:
|
|
|
2009 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
2010 type: object
|
|
|
2011 required:
|
|
|
2012 - name
|
|
|
2013 properties:
|
|
|
2014 key:
|
|
|
2015 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
2016 type: string
|
|
|
2017 name:
|
|
|
2018 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
2019 type: string
|
|
|
2020 webhook:
|
|
|
2021 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
|
|
|
2022 type: object
|
|
|
2023 required:
|
|
|
2024 - groupName
|
|
|
2025 - solverName
|
|
|
2026 properties:
|
|
|
2027 config:
|
|
|
2028 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
|
|
|
2029 x-kubernetes-preserve-unknown-fields: true
|
|
|
2030 groupName:
|
|
|
2031 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
|
|
|
2032 type: string
|
|
|
2033 solverName:
|
|
|
2034 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
|
|
|
2035 type: string
|
|
|
2036 http01:
|
|
|
2037 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
|
|
|
2038 type: object
|
|
|
2039 properties:
|
|
|
2040 gatewayHTTPRoute:
|
|
|
2041 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
|
|
|
2042 type: object
|
|
|
2043 properties:
|
|
|
2044 labels:
|
|
|
2045 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
|
|
|
2046 type: object
|
|
|
2047 additionalProperties:
|
|
|
2048 type: string
|
|
|
2049 parentRefs:
|
|
|
2050 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
|
|
|
2051 type: array
|
|
|
2052 items:
|
|
|
2053 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
|
|
|
2054 type: object
|
|
|
2055 required:
|
|
|
2056 - name
|
|
|
2057 properties:
|
|
|
2058 group:
|
|
|
2059 description: "Group is the group of the referent. \n Support: Core"
|
|
|
2060 type: string
|
|
|
2061 default: gateway.networking.k8s.io
|
|
|
2062 maxLength: 253
|
|
|
2063 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
2064 kind:
|
|
|
2065 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
|
|
|
2066 type: string
|
|
|
2067 default: Gateway
|
|
|
2068 maxLength: 63
|
|
|
2069 minLength: 1
|
|
|
2070 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|
|
2071 name:
|
|
|
2072 description: "Name is the name of the referent. \n Support: Core"
|
|
|
2073 type: string
|
|
|
2074 maxLength: 253
|
|
|
2075 minLength: 1
|
|
|
2076 namespace:
|
|
|
2077 description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
|
|
|
2078 type: string
|
|
|
2079 maxLength: 63
|
|
|
2080 minLength: 1
|
|
|
2081 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
2082 sectionName:
|
|
|
2083 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
|
|
|
2084 type: string
|
|
|
2085 maxLength: 253
|
|
|
2086 minLength: 1
|
|
|
2087 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
2088 serviceType:
|
|
|
2089 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|
|
2090 type: string
|
|
|
2091 ingress:
|
|
|
2092 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
|
|
|
2093 type: object
|
|
|
2094 properties:
|
|
|
2095 class:
|
|
|
2096 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
|
|
|
2097 type: string
|
|
|
2098 ingressTemplate:
|
|
|
2099 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
|
|
|
2100 type: object
|
|
|
2101 properties:
|
|
|
2102 metadata:
|
|
|
2103 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
|
|
|
2104 type: object
|
|
|
2105 properties:
|
|
|
2106 annotations:
|
|
|
2107 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
|
|
|
2108 type: object
|
|
|
2109 additionalProperties:
|
|
|
2110 type: string
|
|
|
2111 labels:
|
|
|
2112 description: Labels that should be added to the created ACME HTTP01 solver ingress.
|
|
|
2113 type: object
|
|
|
2114 additionalProperties:
|
|
|
2115 type: string
|
|
|
2116 name:
|
|
|
2117 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
|
|
|
2118 type: string
|
|
|
2119 podTemplate:
|
|
|
2120 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
|
|
|
2121 type: object
|
|
|
2122 properties:
|
|
|
2123 metadata:
|
|
|
2124 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
|
|
|
2125 type: object
|
|
|
2126 properties:
|
|
|
2127 annotations:
|
|
|
2128 description: Annotations that should be added to the create ACME HTTP01 solver pods.
|
|
|
2129 type: object
|
|
|
2130 additionalProperties:
|
|
|
2131 type: string
|
|
|
2132 labels:
|
|
|
2133 description: Labels that should be added to the created ACME HTTP01 solver pods.
|
|
|
2134 type: object
|
|
|
2135 additionalProperties:
|
|
|
2136 type: string
|
|
|
2137 spec:
|
|
|
2138 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
|
|
|
2139 type: object
|
|
|
2140 properties:
|
|
|
2141 affinity:
|
|
|
2142 description: If specified, the pod's scheduling constraints
|
|
|
2143 type: object
|
|
|
2144 properties:
|
|
|
2145 nodeAffinity:
|
|
|
2146 description: Describes node affinity scheduling rules for the pod.
|
|
|
2147 type: object
|
|
|
2148 properties:
|
|
|
2149 preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
2150 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
|
|
|
2151 type: array
|
|
|
2152 items:
|
|
|
2153 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
|
|
|
2154 type: object
|
|
|
2155 required:
|
|
|
2156 - preference
|
|
|
2157 - weight
|
|
|
2158 properties:
|
|
|
2159 preference:
|
|
|
2160 description: A node selector term, associated with the corresponding weight.
|
|
|
2161 type: object
|
|
|
2162 properties:
|
|
|
2163 matchExpressions:
|
|
|
2164 description: A list of node selector requirements by node's labels.
|
|
|
2165 type: array
|
|
|
2166 items:
|
|
|
2167 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2168 type: object
|
|
|
2169 required:
|
|
|
2170 - key
|
|
|
2171 - operator
|
|
|
2172 properties:
|
|
|
2173 key:
|
|
|
2174 description: The label key that the selector applies to.
|
|
|
2175 type: string
|
|
|
2176 operator:
|
|
|
2177 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
2178 type: string
|
|
|
2179 values:
|
|
|
2180 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
2181 type: array
|
|
|
2182 items:
|
|
|
2183 type: string
|
|
|
2184 matchFields:
|
|
|
2185 description: A list of node selector requirements by node's fields.
|
|
|
2186 type: array
|
|
|
2187 items:
|
|
|
2188 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2189 type: object
|
|
|
2190 required:
|
|
|
2191 - key
|
|
|
2192 - operator
|
|
|
2193 properties:
|
|
|
2194 key:
|
|
|
2195 description: The label key that the selector applies to.
|
|
|
2196 type: string
|
|
|
2197 operator:
|
|
|
2198 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
2199 type: string
|
|
|
2200 values:
|
|
|
2201 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
2202 type: array
|
|
|
2203 items:
|
|
|
2204 type: string
|
|
|
2205 weight:
|
|
|
2206 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
|
|
|
2207 type: integer
|
|
|
2208 format: int32
|
|
|
2209 requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
2210 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
|
|
|
2211 type: object
|
|
|
2212 required:
|
|
|
2213 - nodeSelectorTerms
|
|
|
2214 properties:
|
|
|
2215 nodeSelectorTerms:
|
|
|
2216 description: Required. A list of node selector terms. The terms are ORed.
|
|
|
2217 type: array
|
|
|
2218 items:
|
|
|
2219 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
|
|
|
2220 type: object
|
|
|
2221 properties:
|
|
|
2222 matchExpressions:
|
|
|
2223 description: A list of node selector requirements by node's labels.
|
|
|
2224 type: array
|
|
|
2225 items:
|
|
|
2226 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2227 type: object
|
|
|
2228 required:
|
|
|
2229 - key
|
|
|
2230 - operator
|
|
|
2231 properties:
|
|
|
2232 key:
|
|
|
2233 description: The label key that the selector applies to.
|
|
|
2234 type: string
|
|
|
2235 operator:
|
|
|
2236 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
2237 type: string
|
|
|
2238 values:
|
|
|
2239 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
2240 type: array
|
|
|
2241 items:
|
|
|
2242 type: string
|
|
|
2243 matchFields:
|
|
|
2244 description: A list of node selector requirements by node's fields.
|
|
|
2245 type: array
|
|
|
2246 items:
|
|
|
2247 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2248 type: object
|
|
|
2249 required:
|
|
|
2250 - key
|
|
|
2251 - operator
|
|
|
2252 properties:
|
|
|
2253 key:
|
|
|
2254 description: The label key that the selector applies to.
|
|
|
2255 type: string
|
|
|
2256 operator:
|
|
|
2257 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
2258 type: string
|
|
|
2259 values:
|
|
|
2260 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
2261 type: array
|
|
|
2262 items:
|
|
|
2263 type: string
|
|
|
2264 podAffinity:
|
|
|
2265 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
|
|
|
2266 type: object
|
|
|
2267 properties:
|
|
|
2268 preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
2269 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
|
|
|
2270 type: array
|
|
|
2271 items:
|
|
|
2272 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|
|
2273 type: object
|
|
|
2274 required:
|
|
|
2275 - podAffinityTerm
|
|
|
2276 - weight
|
|
|
2277 properties:
|
|
|
2278 podAffinityTerm:
|
|
|
2279 description: Required. A pod affinity term, associated with the corresponding weight.
|
|
|
2280 type: object
|
|
|
2281 required:
|
|
|
2282 - topologyKey
|
|
|
2283 properties:
|
|
|
2284 labelSelector:
|
|
|
2285 description: A label query over a set of resources, in this case pods.
|
|
|
2286 type: object
|
|
|
2287 properties:
|
|
|
2288 matchExpressions:
|
|
|
2289 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
2290 type: array
|
|
|
2291 items:
|
|
|
2292 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2293 type: object
|
|
|
2294 required:
|
|
|
2295 - key
|
|
|
2296 - operator
|
|
|
2297 properties:
|
|
|
2298 key:
|
|
|
2299 description: key is the label key that the selector applies to.
|
|
|
2300 type: string
|
|
|
2301 operator:
|
|
|
2302 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
2303 type: string
|
|
|
2304 values:
|
|
|
2305 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
2306 type: array
|
|
|
2307 items:
|
|
|
2308 type: string
|
|
|
2309 matchLabels:
|
|
|
2310 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
2311 type: object
|
|
|
2312 additionalProperties:
|
|
|
2313 type: string
|
|
|
2314 namespaceSelector:
|
|
|
2315 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
2316 type: object
|
|
|
2317 properties:
|
|
|
2318 matchExpressions:
|
|
|
2319 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
2320 type: array
|
|
|
2321 items:
|
|
|
2322 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2323 type: object
|
|
|
2324 required:
|
|
|
2325 - key
|
|
|
2326 - operator
|
|
|
2327 properties:
|
|
|
2328 key:
|
|
|
2329 description: key is the label key that the selector applies to.
|
|
|
2330 type: string
|
|
|
2331 operator:
|
|
|
2332 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
2333 type: string
|
|
|
2334 values:
|
|
|
2335 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
2336 type: array
|
|
|
2337 items:
|
|
|
2338 type: string
|
|
|
2339 matchLabels:
|
|
|
2340 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
2341 type: object
|
|
|
2342 additionalProperties:
|
|
|
2343 type: string
|
|
|
2344 namespaces:
|
|
|
2345 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
2346 type: array
|
|
|
2347 items:
|
|
|
2348 type: string
|
|
|
2349 topologyKey:
|
|
|
2350 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
2351 type: string
|
|
|
2352 weight:
|
|
|
2353 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
|
|
|
2354 type: integer
|
|
|
2355 format: int32
|
|
|
2356 requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
2357 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|
|
2358 type: array
|
|
|
2359 items:
|
|
|
2360 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
|
|
|
2361 type: object
|
|
|
2362 required:
|
|
|
2363 - topologyKey
|
|
|
2364 properties:
|
|
|
2365 labelSelector:
|
|
|
2366 description: A label query over a set of resources, in this case pods.
|
|
|
2367 type: object
|
|
|
2368 properties:
|
|
|
2369 matchExpressions:
|
|
|
2370 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
2371 type: array
|
|
|
2372 items:
|
|
|
2373 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2374 type: object
|
|
|
2375 required:
|
|
|
2376 - key
|
|
|
2377 - operator
|
|
|
2378 properties:
|
|
|
2379 key:
|
|
|
2380 description: key is the label key that the selector applies to.
|
|
|
2381 type: string
|
|
|
2382 operator:
|
|
|
2383 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
2384 type: string
|
|
|
2385 values:
|
|
|
2386 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
2387 type: array
|
|
|
2388 items:
|
|
|
2389 type: string
|
|
|
2390 matchLabels:
|
|
|
2391 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
2392 type: object
|
|
|
2393 additionalProperties:
|
|
|
2394 type: string
|
|
|
2395 namespaceSelector:
|
|
|
2396 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
2397 type: object
|
|
|
2398 properties:
|
|
|
2399 matchExpressions:
|
|
|
2400 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
2401 type: array
|
|
|
2402 items:
|
|
|
2403 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2404 type: object
|
|
|
2405 required:
|
|
|
2406 - key
|
|
|
2407 - operator
|
|
|
2408 properties:
|
|
|
2409 key:
|
|
|
2410 description: key is the label key that the selector applies to.
|
|
|
2411 type: string
|
|
|
2412 operator:
|
|
|
2413 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
2414 type: string
|
|
|
2415 values:
|
|
|
2416 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
2417 type: array
|
|
|
2418 items:
|
|
|
2419 type: string
|
|
|
2420 matchLabels:
|
|
|
2421 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
2422 type: object
|
|
|
2423 additionalProperties:
|
|
|
2424 type: string
|
|
|
2425 namespaces:
|
|
|
2426 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
2427 type: array
|
|
|
2428 items:
|
|
|
2429 type: string
|
|
|
2430 topologyKey:
|
|
|
2431 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
2432 type: string
|
|
|
2433 podAntiAffinity:
|
|
|
2434 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
|
|
|
2435 type: object
|
|
|
2436 properties:
|
|
|
2437 preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
2438 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
|
|
|
2439 type: array
|
|
|
2440 items:
|
|
|
2441 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|
|
2442 type: object
|
|
|
2443 required:
|
|
|
2444 - podAffinityTerm
|
|
|
2445 - weight
|
|
|
2446 properties:
|
|
|
2447 podAffinityTerm:
|
|
|
2448 description: Required. A pod affinity term, associated with the corresponding weight.
|
|
|
2449 type: object
|
|
|
2450 required:
|
|
|
2451 - topologyKey
|
|
|
2452 properties:
|
|
|
2453 labelSelector:
|
|
|
2454 description: A label query over a set of resources, in this case pods.
|
|
|
2455 type: object
|
|
|
2456 properties:
|
|
|
2457 matchExpressions:
|
|
|
2458 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
2459 type: array
|
|
|
2460 items:
|
|
|
2461 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2462 type: object
|
|
|
2463 required:
|
|
|
2464 - key
|
|
|
2465 - operator
|
|
|
2466 properties:
|
|
|
2467 key:
|
|
|
2468 description: key is the label key that the selector applies to.
|
|
|
2469 type: string
|
|
|
2470 operator:
|
|
|
2471 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
2472 type: string
|
|
|
2473 values:
|
|
|
2474 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
2475 type: array
|
|
|
2476 items:
|
|
|
2477 type: string
|
|
|
2478 matchLabels:
|
|
|
2479 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
2480 type: object
|
|
|
2481 additionalProperties:
|
|
|
2482 type: string
|
|
|
2483 namespaceSelector:
|
|
|
2484 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
2485 type: object
|
|
|
2486 properties:
|
|
|
2487 matchExpressions:
|
|
|
2488 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
2489 type: array
|
|
|
2490 items:
|
|
|
2491 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2492 type: object
|
|
|
2493 required:
|
|
|
2494 - key
|
|
|
2495 - operator
|
|
|
2496 properties:
|
|
|
2497 key:
|
|
|
2498 description: key is the label key that the selector applies to.
|
|
|
2499 type: string
|
|
|
2500 operator:
|
|
|
2501 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
2502 type: string
|
|
|
2503 values:
|
|
|
2504 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
2505 type: array
|
|
|
2506 items:
|
|
|
2507 type: string
|
|
|
2508 matchLabels:
|
|
|
2509 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
2510 type: object
|
|
|
2511 additionalProperties:
|
|
|
2512 type: string
|
|
|
2513 namespaces:
|
|
|
2514 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
2515 type: array
|
|
|
2516 items:
|
|
|
2517 type: string
|
|
|
2518 topologyKey:
|
|
|
2519 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
2520 type: string
|
|
|
2521 weight:
|
|
|
2522 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
|
|
|
2523 type: integer
|
|
|
2524 format: int32
|
|
|
2525 requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
2526 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|
|
2527 type: array
|
|
|
2528 items:
|
|
|
2529 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
|
|
|
2530 type: object
|
|
|
2531 required:
|
|
|
2532 - topologyKey
|
|
|
2533 properties:
|
|
|
2534 labelSelector:
|
|
|
2535 description: A label query over a set of resources, in this case pods.
|
|
|
2536 type: object
|
|
|
2537 properties:
|
|
|
2538 matchExpressions:
|
|
|
2539 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
2540 type: array
|
|
|
2541 items:
|
|
|
2542 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2543 type: object
|
|
|
2544 required:
|
|
|
2545 - key
|
|
|
2546 - operator
|
|
|
2547 properties:
|
|
|
2548 key:
|
|
|
2549 description: key is the label key that the selector applies to.
|
|
|
2550 type: string
|
|
|
2551 operator:
|
|
|
2552 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
2553 type: string
|
|
|
2554 values:
|
|
|
2555 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
2556 type: array
|
|
|
2557 items:
|
|
|
2558 type: string
|
|
|
2559 matchLabels:
|
|
|
2560 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
2561 type: object
|
|
|
2562 additionalProperties:
|
|
|
2563 type: string
|
|
|
2564 namespaceSelector:
|
|
|
2565 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
2566 type: object
|
|
|
2567 properties:
|
|
|
2568 matchExpressions:
|
|
|
2569 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
2570 type: array
|
|
|
2571 items:
|
|
|
2572 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
2573 type: object
|
|
|
2574 required:
|
|
|
2575 - key
|
|
|
2576 - operator
|
|
|
2577 properties:
|
|
|
2578 key:
|
|
|
2579 description: key is the label key that the selector applies to.
|
|
|
2580 type: string
|
|
|
2581 operator:
|
|
|
2582 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
2583 type: string
|
|
|
2584 values:
|
|
|
2585 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
2586 type: array
|
|
|
2587 items:
|
|
|
2588 type: string
|
|
|
2589 matchLabels:
|
|
|
2590 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
2591 type: object
|
|
|
2592 additionalProperties:
|
|
|
2593 type: string
|
|
|
2594 namespaces:
|
|
|
2595 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
2596 type: array
|
|
|
2597 items:
|
|
|
2598 type: string
|
|
|
2599 topologyKey:
|
|
|
2600 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
2601 type: string
|
|
|
2602 nodeSelector:
|
|
|
2603 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
|
|
2604 type: object
|
|
|
2605 additionalProperties:
|
|
|
2606 type: string
|
|
|
2607 priorityClassName:
|
|
|
2608 description: If specified, the pod's priorityClassName.
|
|
|
2609 type: string
|
|
|
2610 serviceAccountName:
|
|
|
2611 description: If specified, the pod's service account
|
|
|
2612 type: string
|
|
|
2613 tolerations:
|
|
|
2614 description: If specified, the pod's tolerations.
|
|
|
2615 type: array
|
|
|
2616 items:
|
|
|
2617 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
|
|
|
2618 type: object
|
|
|
2619 properties:
|
|
|
2620 effect:
|
|
|
2621 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
|
|
|
2622 type: string
|
|
|
2623 key:
|
|
|
2624 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
|
|
|
2625 type: string
|
|
|
2626 operator:
|
|
|
2627 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
|
|
|
2628 type: string
|
|
|
2629 tolerationSeconds:
|
|
|
2630 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
|
|
|
2631 type: integer
|
|
|
2632 format: int64
|
|
|
2633 value:
|
|
|
2634 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
|
|
|
2635 type: string
|
|
|
2636 serviceType:
|
|
|
2637 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|
|
2638 type: string
|
|
|
2639 selector:
|
|
|
2640 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
|
|
|
2641 type: object
|
|
|
2642 properties:
|
|
|
2643 dnsNames:
|
|
|
2644 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
|
|
|
2645 type: array
|
|
|
2646 items:
|
|
|
2647 type: string
|
|
|
2648 dnsZones:
|
|
|
2649 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
|
|
|
2650 type: array
|
|
|
2651 items:
|
|
|
2652 type: string
|
|
|
2653 matchLabels:
|
|
|
2654 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
|
|
|
2655 type: object
|
|
|
2656 additionalProperties:
|
|
|
2657 type: string
|
|
|
2658 ca:
|
|
|
2659 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
|
|
|
2660 type: object
|
|
|
2661 required:
|
|
|
2662 - secretName
|
|
|
2663 properties:
|
|
|
2664 crlDistributionPoints:
|
|
|
2665 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
|
|
|
2666 type: array
|
|
|
2667 items:
|
|
|
2668 type: string
|
|
|
2669 ocspServers:
|
|
|
2670 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
|
|
|
2671 type: array
|
|
|
2672 items:
|
|
|
2673 type: string
|
|
|
2674 secretName:
|
|
|
2675 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
|
|
|
2676 type: string
|
|
|
2677 selfSigned:
|
|
|
2678 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
|
|
|
2679 type: object
|
|
|
2680 properties:
|
|
|
2681 crlDistributionPoints:
|
|
|
2682 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
|
|
|
2683 type: array
|
|
|
2684 items:
|
|
|
2685 type: string
|
|
|
2686 vault:
|
|
|
2687 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
|
|
|
2688 type: object
|
|
|
2689 required:
|
|
|
2690 - auth
|
|
|
2691 - path
|
|
|
2692 - server
|
|
|
2693 properties:
|
|
|
2694 auth:
|
|
|
2695 description: Auth configures how cert-manager authenticates with the Vault server.
|
|
|
2696 type: object
|
|
|
2697 properties:
|
|
|
2698 appRole:
|
|
|
2699 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
|
|
|
2700 type: object
|
|
|
2701 required:
|
|
|
2702 - path
|
|
|
2703 - roleId
|
|
|
2704 - secretRef
|
|
|
2705 properties:
|
|
|
2706 path:
|
|
|
2707 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
|
|
|
2708 type: string
|
|
|
2709 roleId:
|
|
|
2710 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
|
|
|
2711 type: string
|
|
|
2712 secretRef:
|
|
|
2713 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
|
|
|
2714 type: object
|
|
|
2715 required:
|
|
|
2716 - name
|
|
|
2717 properties:
|
|
|
2718 key:
|
|
|
2719 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
2720 type: string
|
|
|
2721 name:
|
|
|
2722 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
2723 type: string
|
|
|
2724 kubernetes:
|
|
|
2725 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
|
|
|
2726 type: object
|
|
|
2727 required:
|
|
|
2728 - role
|
|
|
2729 - secretRef
|
|
|
2730 properties:
|
|
|
2731 mountPath:
|
|
|
2732 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
|
|
|
2733 type: string
|
|
|
2734 role:
|
|
|
2735 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
|
|
|
2736 type: string
|
|
|
2737 secretRef:
|
|
|
2738 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
|
|
|
2739 type: object
|
|
|
2740 required:
|
|
|
2741 - name
|
|
|
2742 properties:
|
|
|
2743 key:
|
|
|
2744 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
2745 type: string
|
|
|
2746 name:
|
|
|
2747 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
2748 type: string
|
|
|
2749 tokenSecretRef:
|
|
|
2750 description: TokenSecretRef authenticates with Vault by presenting a token.
|
|
|
2751 type: object
|
|
|
2752 required:
|
|
|
2753 - name
|
|
|
2754 properties:
|
|
|
2755 key:
|
|
|
2756 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
2757 type: string
|
|
|
2758 name:
|
|
|
2759 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
2760 type: string
|
|
|
2761 caBundle:
|
|
|
2762 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
|
|
|
2763 type: string
|
|
|
2764 format: byte
|
|
|
2765 namespace:
|
|
|
2766 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
|
|
2767 type: string
|
|
|
2768 path:
|
|
|
2769 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
|
|
2770 type: string
|
|
|
2771 server:
|
|
|
2772 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
|
|
|
2773 type: string
|
|
|
2774 venafi:
|
|
|
2775 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
|
|
|
2776 type: object
|
|
|
2777 required:
|
|
|
2778 - zone
|
|
|
2779 properties:
|
|
|
2780 cloud:
|
|
|
2781 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
|
|
|
2782 type: object
|
|
|
2783 required:
|
|
|
2784 - apiTokenSecretRef
|
|
|
2785 properties:
|
|
|
2786 apiTokenSecretRef:
|
|
|
2787 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
|
|
|
2788 type: object
|
|
|
2789 required:
|
|
|
2790 - name
|
|
|
2791 properties:
|
|
|
2792 key:
|
|
|
2793 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
2794 type: string
|
|
|
2795 name:
|
|
|
2796 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
2797 type: string
|
|
|
2798 url:
|
|
|
2799 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
|
|
|
2800 type: string
|
|
|
2801 tpp:
|
|
|
2802 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
|
|
|
2803 type: object
|
|
|
2804 required:
|
|
|
2805 - credentialsRef
|
|
|
2806 - url
|
|
|
2807 properties:
|
|
|
2808 caBundle:
|
|
|
2809 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
|
|
|
2810 type: string
|
|
|
2811 format: byte
|
|
|
2812 credentialsRef:
|
|
|
2813 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
|
|
|
2814 type: object
|
|
|
2815 required:
|
|
|
2816 - name
|
|
|
2817 properties:
|
|
|
2818 name:
|
|
|
2819 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
2820 type: string
|
|
|
2821 url:
|
|
|
2822 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
|
|
2823 type: string
|
|
|
2824 zone:
|
|
|
2825 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
|
|
|
2826 type: string
|
|
|
2827 status:
|
|
|
2828 description: Status of the ClusterIssuer. This is set and managed automatically.
|
|
|
2829 type: object
|
|
|
2830 properties:
|
|
|
2831 acme:
|
|
|
2832 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
|
|
|
2833 type: object
|
|
|
2834 properties:
|
|
|
2835 lastRegisteredEmail:
|
|
|
2836 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
|
|
|
2837 type: string
|
|
|
2838 uri:
|
|
|
2839 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
|
|
|
2840 type: string
|
|
|
2841 conditions:
|
|
|
2842 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
|
|
|
2843 type: array
|
|
|
2844 items:
|
|
|
2845 description: IssuerCondition contains condition information for an Issuer.
|
|
|
2846 type: object
|
|
|
2847 required:
|
|
|
2848 - status
|
|
|
2849 - type
|
|
|
2850 properties:
|
|
|
2851 lastTransitionTime:
|
|
|
2852 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
|
|
|
2853 type: string
|
|
|
2854 format: date-time
|
|
|
2855 message:
|
|
|
2856 description: Message is a human readable description of the details of the last transition, complementing reason.
|
|
|
2857 type: string
|
|
|
2858 observedGeneration:
|
|
|
2859 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
|
|
|
2860 type: integer
|
|
|
2861 format: int64
|
|
|
2862 reason:
|
|
|
2863 description: Reason is a brief machine readable explanation for the condition's last transition.
|
|
|
2864 type: string
|
|
|
2865 status:
|
|
|
2866 description: Status of the condition, one of (`True`, `False`, `Unknown`).
|
|
|
2867 type: string
|
|
|
2868 enum:
|
|
|
2869 - "True"
|
|
|
2870 - "False"
|
|
|
2871 - Unknown
|
|
|
2872 type:
|
|
|
2873 description: Type of the condition, known values are (`Ready`).
|
|
|
2874 type: string
|
|
|
2875 x-kubernetes-list-map-keys:
|
|
|
2876 - type
|
|
|
2877 x-kubernetes-list-type: map
|
|
|
2878 served: true
|
|
|
2879 storage: true
|
|
|
2880 ---
|
|
|
2881 # Source: cert-manager/templates/crd-templates.yaml
|
|
|
2882 apiVersion: apiextensions.k8s.io/v1
|
|
|
2883 kind: CustomResourceDefinition
|
|
|
2884 metadata:
|
|
|
2885 name: issuers.cert-manager.io
|
|
|
2886 labels:
|
|
|
2887 app: 'cert-manager'
|
|
|
2888 app.kubernetes.io/name: 'cert-manager'
|
|
|
2889 app.kubernetes.io/instance: 'cert-manager'
|
|
|
2890 # Generated labels
|
|
8
|
2891 app.kubernetes.io/version: "v1.10.1"
|
|
0
|
2892 spec:
|
|
|
2893 group: cert-manager.io
|
|
|
2894 names:
|
|
|
2895 kind: Issuer
|
|
|
2896 listKind: IssuerList
|
|
|
2897 plural: issuers
|
|
|
2898 singular: issuer
|
|
|
2899 categories:
|
|
|
2900 - cert-manager
|
|
|
2901 scope: Namespaced
|
|
|
2902 versions:
|
|
|
2903 - name: v1
|
|
|
2904 subresources:
|
|
|
2905 status: {}
|
|
|
2906 additionalPrinterColumns:
|
|
|
2907 - jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
|
2908 name: Ready
|
|
|
2909 type: string
|
|
|
2910 - jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|
|
2911 name: Status
|
|
|
2912 priority: 1
|
|
|
2913 type: string
|
|
|
2914 - jsonPath: .metadata.creationTimestamp
|
|
|
2915 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|
|
2916 name: Age
|
|
|
2917 type: date
|
|
|
2918 schema:
|
|
|
2919 openAPIV3Schema:
|
|
|
2920 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
|
|
|
2921 type: object
|
|
|
2922 required:
|
|
|
2923 - spec
|
|
|
2924 properties:
|
|
|
2925 apiVersion:
|
|
|
2926 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
|
2927 type: string
|
|
|
2928 kind:
|
|
|
2929 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
|
2930 type: string
|
|
|
2931 metadata:
|
|
|
2932 type: object
|
|
|
2933 spec:
|
|
|
2934 description: Desired state of the Issuer resource.
|
|
|
2935 type: object
|
|
|
2936 properties:
|
|
|
2937 acme:
|
|
|
2938 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
|
|
|
2939 type: object
|
|
|
2940 required:
|
|
|
2941 - privateKeySecretRef
|
|
|
2942 - server
|
|
|
2943 properties:
|
|
|
2944 disableAccountKeyGeneration:
|
|
|
2945 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
|
|
|
2946 type: boolean
|
|
|
2947 email:
|
|
|
2948 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
|
|
|
2949 type: string
|
|
|
2950 enableDurationFeature:
|
|
|
2951 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
|
|
|
2952 type: boolean
|
|
|
2953 externalAccountBinding:
|
|
|
2954 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
|
|
|
2955 type: object
|
|
|
2956 required:
|
|
|
2957 - keyID
|
|
|
2958 - keySecretRef
|
|
|
2959 properties:
|
|
|
2960 keyAlgorithm:
|
|
|
2961 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
|
|
|
2962 type: string
|
|
|
2963 enum:
|
|
|
2964 - HS256
|
|
|
2965 - HS384
|
|
|
2966 - HS512
|
|
|
2967 keyID:
|
|
|
2968 description: keyID is the ID of the CA key that the External Account is bound to.
|
|
|
2969 type: string
|
|
|
2970 keySecretRef:
|
|
|
2971 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
|
|
|
2972 type: object
|
|
|
2973 required:
|
|
|
2974 - name
|
|
|
2975 properties:
|
|
|
2976 key:
|
|
|
2977 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
2978 type: string
|
|
|
2979 name:
|
|
|
2980 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
2981 type: string
|
|
|
2982 preferredChain:
|
|
|
2983 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
|
|
|
2984 type: string
|
|
|
2985 maxLength: 64
|
|
|
2986 privateKeySecretRef:
|
|
|
2987 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
|
|
|
2988 type: object
|
|
|
2989 required:
|
|
|
2990 - name
|
|
|
2991 properties:
|
|
|
2992 key:
|
|
|
2993 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
2994 type: string
|
|
|
2995 name:
|
|
|
2996 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
2997 type: string
|
|
|
2998 server:
|
|
|
2999 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
|
|
3000 type: string
|
|
|
3001 skipTLSVerify:
|
|
|
3002 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
|
|
|
3003 type: boolean
|
|
|
3004 solvers:
|
|
|
3005 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
|
|
3006 type: array
|
|
|
3007 items:
|
|
|
3008 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
|
|
|
3009 type: object
|
|
|
3010 properties:
|
|
|
3011 dns01:
|
|
|
3012 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
|
|
|
3013 type: object
|
|
|
3014 properties:
|
|
|
3015 acmeDNS:
|
|
|
3016 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
|
|
|
3017 type: object
|
|
|
3018 required:
|
|
|
3019 - accountSecretRef
|
|
|
3020 - host
|
|
|
3021 properties:
|
|
|
3022 accountSecretRef:
|
|
|
3023 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
3024 type: object
|
|
|
3025 required:
|
|
|
3026 - name
|
|
|
3027 properties:
|
|
|
3028 key:
|
|
|
3029 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3030 type: string
|
|
|
3031 name:
|
|
|
3032 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3033 type: string
|
|
|
3034 host:
|
|
|
3035 type: string
|
|
|
3036 akamai:
|
|
|
3037 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
|
|
|
3038 type: object
|
|
|
3039 required:
|
|
|
3040 - accessTokenSecretRef
|
|
|
3041 - clientSecretSecretRef
|
|
|
3042 - clientTokenSecretRef
|
|
|
3043 - serviceConsumerDomain
|
|
|
3044 properties:
|
|
|
3045 accessTokenSecretRef:
|
|
|
3046 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
3047 type: object
|
|
|
3048 required:
|
|
|
3049 - name
|
|
|
3050 properties:
|
|
|
3051 key:
|
|
|
3052 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3053 type: string
|
|
|
3054 name:
|
|
|
3055 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3056 type: string
|
|
|
3057 clientSecretSecretRef:
|
|
|
3058 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
3059 type: object
|
|
|
3060 required:
|
|
|
3061 - name
|
|
|
3062 properties:
|
|
|
3063 key:
|
|
|
3064 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3065 type: string
|
|
|
3066 name:
|
|
|
3067 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3068 type: string
|
|
|
3069 clientTokenSecretRef:
|
|
|
3070 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
3071 type: object
|
|
|
3072 required:
|
|
|
3073 - name
|
|
|
3074 properties:
|
|
|
3075 key:
|
|
|
3076 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3077 type: string
|
|
|
3078 name:
|
|
|
3079 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3080 type: string
|
|
|
3081 serviceConsumerDomain:
|
|
|
3082 type: string
|
|
|
3083 azureDNS:
|
|
|
3084 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
|
|
|
3085 type: object
|
|
|
3086 required:
|
|
|
3087 - resourceGroupName
|
|
|
3088 - subscriptionID
|
|
|
3089 properties:
|
|
|
3090 clientID:
|
|
|
3091 description: if both this and ClientSecret are left unset MSI will be used
|
|
|
3092 type: string
|
|
|
3093 clientSecretSecretRef:
|
|
|
3094 description: if both this and ClientID are left unset MSI will be used
|
|
|
3095 type: object
|
|
|
3096 required:
|
|
|
3097 - name
|
|
|
3098 properties:
|
|
|
3099 key:
|
|
|
3100 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3101 type: string
|
|
|
3102 name:
|
|
|
3103 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3104 type: string
|
|
|
3105 environment:
|
|
|
3106 description: name of the Azure environment (default AzurePublicCloud)
|
|
|
3107 type: string
|
|
|
3108 enum:
|
|
|
3109 - AzurePublicCloud
|
|
|
3110 - AzureChinaCloud
|
|
|
3111 - AzureGermanCloud
|
|
|
3112 - AzureUSGovernmentCloud
|
|
|
3113 hostedZoneName:
|
|
|
3114 description: name of the DNS zone that should be used
|
|
|
3115 type: string
|
|
|
3116 managedIdentity:
|
|
|
3117 description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
|
|
|
3118 type: object
|
|
|
3119 properties:
|
|
|
3120 clientID:
|
|
|
3121 description: client ID of the managed identity, can not be used at the same time as resourceID
|
|
|
3122 type: string
|
|
|
3123 resourceID:
|
|
|
3124 description: resource ID of the managed identity, can not be used at the same time as clientID
|
|
|
3125 type: string
|
|
|
3126 resourceGroupName:
|
|
|
3127 description: resource group the DNS zone is located in
|
|
|
3128 type: string
|
|
|
3129 subscriptionID:
|
|
|
3130 description: ID of the Azure subscription
|
|
|
3131 type: string
|
|
|
3132 tenantID:
|
|
|
3133 description: when specifying ClientID and ClientSecret then this field is also needed
|
|
|
3134 type: string
|
|
|
3135 cloudDNS:
|
|
|
3136 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
|
|
|
3137 type: object
|
|
|
3138 required:
|
|
|
3139 - project
|
|
|
3140 properties:
|
|
|
3141 hostedZoneName:
|
|
|
3142 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
|
|
|
3143 type: string
|
|
|
3144 project:
|
|
|
3145 type: string
|
|
|
3146 serviceAccountSecretRef:
|
|
|
3147 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
3148 type: object
|
|
|
3149 required:
|
|
|
3150 - name
|
|
|
3151 properties:
|
|
|
3152 key:
|
|
|
3153 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3154 type: string
|
|
|
3155 name:
|
|
|
3156 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3157 type: string
|
|
|
3158 cloudflare:
|
|
|
3159 description: Use the Cloudflare API to manage DNS01 challenge records.
|
|
|
3160 type: object
|
|
|
3161 properties:
|
|
|
3162 apiKeySecretRef:
|
|
|
3163 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
|
|
|
3164 type: object
|
|
|
3165 required:
|
|
|
3166 - name
|
|
|
3167 properties:
|
|
|
3168 key:
|
|
|
3169 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3170 type: string
|
|
|
3171 name:
|
|
|
3172 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3173 type: string
|
|
|
3174 apiTokenSecretRef:
|
|
|
3175 description: API token used to authenticate with Cloudflare.
|
|
|
3176 type: object
|
|
|
3177 required:
|
|
|
3178 - name
|
|
|
3179 properties:
|
|
|
3180 key:
|
|
|
3181 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3182 type: string
|
|
|
3183 name:
|
|
|
3184 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3185 type: string
|
|
|
3186 email:
|
|
|
3187 description: Email of the account, only required when using API key based authentication.
|
|
|
3188 type: string
|
|
|
3189 cnameStrategy:
|
|
|
3190 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
|
|
|
3191 type: string
|
|
|
3192 enum:
|
|
|
3193 - None
|
|
|
3194 - Follow
|
|
|
3195 digitalocean:
|
|
|
3196 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
|
|
|
3197 type: object
|
|
|
3198 required:
|
|
|
3199 - tokenSecretRef
|
|
|
3200 properties:
|
|
|
3201 tokenSecretRef:
|
|
|
3202 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
|
|
|
3203 type: object
|
|
|
3204 required:
|
|
|
3205 - name
|
|
|
3206 properties:
|
|
|
3207 key:
|
|
|
3208 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3209 type: string
|
|
|
3210 name:
|
|
|
3211 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3212 type: string
|
|
|
3213 rfc2136:
|
|
|
3214 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
|
|
|
3215 type: object
|
|
|
3216 required:
|
|
|
3217 - nameserver
|
|
|
3218 properties:
|
|
|
3219 nameserver:
|
|
|
3220 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1])Â ; port is optional. This field is required.
|
|
|
3221 type: string
|
|
|
3222 tsigAlgorithm:
|
|
|
3223 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
|
|
3224 type: string
|
|
|
3225 tsigKeyName:
|
|
|
3226 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
|
|
|
3227 type: string
|
|
|
3228 tsigSecretSecretRef:
|
|
|
3229 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
|
|
|
3230 type: object
|
|
|
3231 required:
|
|
|
3232 - name
|
|
|
3233 properties:
|
|
|
3234 key:
|
|
|
3235 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3236 type: string
|
|
|
3237 name:
|
|
|
3238 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3239 type: string
|
|
|
3240 route53:
|
|
|
3241 description: Use the AWS Route53 API to manage DNS01 challenge records.
|
|
|
3242 type: object
|
|
|
3243 required:
|
|
|
3244 - region
|
|
|
3245 properties:
|
|
|
3246 accessKeyID:
|
|
|
3247 description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
3248 type: string
|
|
|
3249 accessKeyIDSecretRef:
|
|
|
3250 description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
3251 type: object
|
|
|
3252 required:
|
|
|
3253 - name
|
|
|
3254 properties:
|
|
|
3255 key:
|
|
|
3256 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3257 type: string
|
|
|
3258 name:
|
|
|
3259 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3260 type: string
|
|
|
3261 hostedZoneID:
|
|
|
3262 description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
|
|
|
3263 type: string
|
|
|
3264 region:
|
|
|
3265 description: Always set the region when using AccessKeyID and SecretAccessKey
|
|
|
3266 type: string
|
|
|
3267 role:
|
|
|
3268 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
|
|
|
3269 type: string
|
|
|
3270 secretAccessKeySecretRef:
|
|
|
3271 description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
|
3272 type: object
|
|
|
3273 required:
|
|
|
3274 - name
|
|
|
3275 properties:
|
|
|
3276 key:
|
|
|
3277 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3278 type: string
|
|
|
3279 name:
|
|
|
3280 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3281 type: string
|
|
|
3282 webhook:
|
|
|
3283 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
|
|
|
3284 type: object
|
|
|
3285 required:
|
|
|
3286 - groupName
|
|
|
3287 - solverName
|
|
|
3288 properties:
|
|
|
3289 config:
|
|
|
3290 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
|
|
|
3291 x-kubernetes-preserve-unknown-fields: true
|
|
|
3292 groupName:
|
|
|
3293 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
|
|
|
3294 type: string
|
|
|
3295 solverName:
|
|
|
3296 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
|
|
|
3297 type: string
|
|
|
3298 http01:
|
|
|
3299 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
|
|
|
3300 type: object
|
|
|
3301 properties:
|
|
|
3302 gatewayHTTPRoute:
|
|
|
3303 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
|
|
|
3304 type: object
|
|
|
3305 properties:
|
|
|
3306 labels:
|
|
|
3307 description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
|
|
|
3308 type: object
|
|
|
3309 additionalProperties:
|
|
|
3310 type: string
|
|
|
3311 parentRefs:
|
|
|
3312 description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways'
|
|
|
3313 type: array
|
|
|
3314 items:
|
|
|
3315 description: "ParentRef identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object."
|
|
|
3316 type: object
|
|
|
3317 required:
|
|
|
3318 - name
|
|
|
3319 properties:
|
|
|
3320 group:
|
|
|
3321 description: "Group is the group of the referent. \n Support: Core"
|
|
|
3322 type: string
|
|
|
3323 default: gateway.networking.k8s.io
|
|
|
3324 maxLength: 253
|
|
|
3325 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
3326 kind:
|
|
|
3327 description: "Kind is kind of the referent. \n Support: Core (Gateway) Support: Custom (Other Resources)"
|
|
|
3328 type: string
|
|
|
3329 default: Gateway
|
|
|
3330 maxLength: 63
|
|
|
3331 minLength: 1
|
|
|
3332 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|
|
3333 name:
|
|
|
3334 description: "Name is the name of the referent. \n Support: Core"
|
|
|
3335 type: string
|
|
|
3336 maxLength: 253
|
|
|
3337 minLength: 1
|
|
|
3338 namespace:
|
|
|
3339 description: "Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core"
|
|
|
3340 type: string
|
|
|
3341 maxLength: 63
|
|
|
3342 minLength: 1
|
|
|
3343 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|
|
3344 sectionName:
|
|
|
3345 description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
|
|
|
3346 type: string
|
|
|
3347 maxLength: 253
|
|
|
3348 minLength: 1
|
|
|
3349 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|
|
3350 serviceType:
|
|
|
3351 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|
|
3352 type: string
|
|
|
3353 ingress:
|
|
|
3354 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
|
|
|
3355 type: object
|
|
|
3356 properties:
|
|
|
3357 class:
|
|
|
3358 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
|
|
|
3359 type: string
|
|
|
3360 ingressTemplate:
|
|
|
3361 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
|
|
|
3362 type: object
|
|
|
3363 properties:
|
|
|
3364 metadata:
|
|
|
3365 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
|
|
|
3366 type: object
|
|
|
3367 properties:
|
|
|
3368 annotations:
|
|
|
3369 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
|
|
|
3370 type: object
|
|
|
3371 additionalProperties:
|
|
|
3372 type: string
|
|
|
3373 labels:
|
|
|
3374 description: Labels that should be added to the created ACME HTTP01 solver ingress.
|
|
|
3375 type: object
|
|
|
3376 additionalProperties:
|
|
|
3377 type: string
|
|
|
3378 name:
|
|
|
3379 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
|
|
|
3380 type: string
|
|
|
3381 podTemplate:
|
|
|
3382 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
|
|
|
3383 type: object
|
|
|
3384 properties:
|
|
|
3385 metadata:
|
|
|
3386 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
|
|
|
3387 type: object
|
|
|
3388 properties:
|
|
|
3389 annotations:
|
|
|
3390 description: Annotations that should be added to the create ACME HTTP01 solver pods.
|
|
|
3391 type: object
|
|
|
3392 additionalProperties:
|
|
|
3393 type: string
|
|
|
3394 labels:
|
|
|
3395 description: Labels that should be added to the created ACME HTTP01 solver pods.
|
|
|
3396 type: object
|
|
|
3397 additionalProperties:
|
|
|
3398 type: string
|
|
|
3399 spec:
|
|
|
3400 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
|
|
|
3401 type: object
|
|
|
3402 properties:
|
|
|
3403 affinity:
|
|
|
3404 description: If specified, the pod's scheduling constraints
|
|
|
3405 type: object
|
|
|
3406 properties:
|
|
|
3407 nodeAffinity:
|
|
|
3408 description: Describes node affinity scheduling rules for the pod.
|
|
|
3409 type: object
|
|
|
3410 properties:
|
|
|
3411 preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
3412 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
|
|
|
3413 type: array
|
|
|
3414 items:
|
|
|
3415 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
|
|
|
3416 type: object
|
|
|
3417 required:
|
|
|
3418 - preference
|
|
|
3419 - weight
|
|
|
3420 properties:
|
|
|
3421 preference:
|
|
|
3422 description: A node selector term, associated with the corresponding weight.
|
|
|
3423 type: object
|
|
|
3424 properties:
|
|
|
3425 matchExpressions:
|
|
|
3426 description: A list of node selector requirements by node's labels.
|
|
|
3427 type: array
|
|
|
3428 items:
|
|
|
3429 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3430 type: object
|
|
|
3431 required:
|
|
|
3432 - key
|
|
|
3433 - operator
|
|
|
3434 properties:
|
|
|
3435 key:
|
|
|
3436 description: The label key that the selector applies to.
|
|
|
3437 type: string
|
|
|
3438 operator:
|
|
|
3439 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
3440 type: string
|
|
|
3441 values:
|
|
|
3442 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
3443 type: array
|
|
|
3444 items:
|
|
|
3445 type: string
|
|
|
3446 matchFields:
|
|
|
3447 description: A list of node selector requirements by node's fields.
|
|
|
3448 type: array
|
|
|
3449 items:
|
|
|
3450 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3451 type: object
|
|
|
3452 required:
|
|
|
3453 - key
|
|
|
3454 - operator
|
|
|
3455 properties:
|
|
|
3456 key:
|
|
|
3457 description: The label key that the selector applies to.
|
|
|
3458 type: string
|
|
|
3459 operator:
|
|
|
3460 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
3461 type: string
|
|
|
3462 values:
|
|
|
3463 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
3464 type: array
|
|
|
3465 items:
|
|
|
3466 type: string
|
|
|
3467 weight:
|
|
|
3468 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
|
|
|
3469 type: integer
|
|
|
3470 format: int32
|
|
|
3471 requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
3472 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
|
|
|
3473 type: object
|
|
|
3474 required:
|
|
|
3475 - nodeSelectorTerms
|
|
|
3476 properties:
|
|
|
3477 nodeSelectorTerms:
|
|
|
3478 description: Required. A list of node selector terms. The terms are ORed.
|
|
|
3479 type: array
|
|
|
3480 items:
|
|
|
3481 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
|
|
|
3482 type: object
|
|
|
3483 properties:
|
|
|
3484 matchExpressions:
|
|
|
3485 description: A list of node selector requirements by node's labels.
|
|
|
3486 type: array
|
|
|
3487 items:
|
|
|
3488 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3489 type: object
|
|
|
3490 required:
|
|
|
3491 - key
|
|
|
3492 - operator
|
|
|
3493 properties:
|
|
|
3494 key:
|
|
|
3495 description: The label key that the selector applies to.
|
|
|
3496 type: string
|
|
|
3497 operator:
|
|
|
3498 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
3499 type: string
|
|
|
3500 values:
|
|
|
3501 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
3502 type: array
|
|
|
3503 items:
|
|
|
3504 type: string
|
|
|
3505 matchFields:
|
|
|
3506 description: A list of node selector requirements by node's fields.
|
|
|
3507 type: array
|
|
|
3508 items:
|
|
|
3509 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3510 type: object
|
|
|
3511 required:
|
|
|
3512 - key
|
|
|
3513 - operator
|
|
|
3514 properties:
|
|
|
3515 key:
|
|
|
3516 description: The label key that the selector applies to.
|
|
|
3517 type: string
|
|
|
3518 operator:
|
|
|
3519 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|
|
3520 type: string
|
|
|
3521 values:
|
|
|
3522 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
|
|
|
3523 type: array
|
|
|
3524 items:
|
|
|
3525 type: string
|
|
|
3526 podAffinity:
|
|
|
3527 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
|
|
|
3528 type: object
|
|
|
3529 properties:
|
|
|
3530 preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
3531 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
|
|
|
3532 type: array
|
|
|
3533 items:
|
|
|
3534 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|
|
3535 type: object
|
|
|
3536 required:
|
|
|
3537 - podAffinityTerm
|
|
|
3538 - weight
|
|
|
3539 properties:
|
|
|
3540 podAffinityTerm:
|
|
|
3541 description: Required. A pod affinity term, associated with the corresponding weight.
|
|
|
3542 type: object
|
|
|
3543 required:
|
|
|
3544 - topologyKey
|
|
|
3545 properties:
|
|
|
3546 labelSelector:
|
|
|
3547 description: A label query over a set of resources, in this case pods.
|
|
|
3548 type: object
|
|
|
3549 properties:
|
|
|
3550 matchExpressions:
|
|
|
3551 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
3552 type: array
|
|
|
3553 items:
|
|
|
3554 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3555 type: object
|
|
|
3556 required:
|
|
|
3557 - key
|
|
|
3558 - operator
|
|
|
3559 properties:
|
|
|
3560 key:
|
|
|
3561 description: key is the label key that the selector applies to.
|
|
|
3562 type: string
|
|
|
3563 operator:
|
|
|
3564 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
3565 type: string
|
|
|
3566 values:
|
|
|
3567 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
3568 type: array
|
|
|
3569 items:
|
|
|
3570 type: string
|
|
|
3571 matchLabels:
|
|
|
3572 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
3573 type: object
|
|
|
3574 additionalProperties:
|
|
|
3575 type: string
|
|
|
3576 namespaceSelector:
|
|
|
3577 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
3578 type: object
|
|
|
3579 properties:
|
|
|
3580 matchExpressions:
|
|
|
3581 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
3582 type: array
|
|
|
3583 items:
|
|
|
3584 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3585 type: object
|
|
|
3586 required:
|
|
|
3587 - key
|
|
|
3588 - operator
|
|
|
3589 properties:
|
|
|
3590 key:
|
|
|
3591 description: key is the label key that the selector applies to.
|
|
|
3592 type: string
|
|
|
3593 operator:
|
|
|
3594 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
3595 type: string
|
|
|
3596 values:
|
|
|
3597 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
3598 type: array
|
|
|
3599 items:
|
|
|
3600 type: string
|
|
|
3601 matchLabels:
|
|
|
3602 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
3603 type: object
|
|
|
3604 additionalProperties:
|
|
|
3605 type: string
|
|
|
3606 namespaces:
|
|
|
3607 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
3608 type: array
|
|
|
3609 items:
|
|
|
3610 type: string
|
|
|
3611 topologyKey:
|
|
|
3612 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
3613 type: string
|
|
|
3614 weight:
|
|
|
3615 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
|
|
|
3616 type: integer
|
|
|
3617 format: int32
|
|
|
3618 requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
3619 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|
|
3620 type: array
|
|
|
3621 items:
|
|
|
3622 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
|
|
|
3623 type: object
|
|
|
3624 required:
|
|
|
3625 - topologyKey
|
|
|
3626 properties:
|
|
|
3627 labelSelector:
|
|
|
3628 description: A label query over a set of resources, in this case pods.
|
|
|
3629 type: object
|
|
|
3630 properties:
|
|
|
3631 matchExpressions:
|
|
|
3632 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
3633 type: array
|
|
|
3634 items:
|
|
|
3635 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3636 type: object
|
|
|
3637 required:
|
|
|
3638 - key
|
|
|
3639 - operator
|
|
|
3640 properties:
|
|
|
3641 key:
|
|
|
3642 description: key is the label key that the selector applies to.
|
|
|
3643 type: string
|
|
|
3644 operator:
|
|
|
3645 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
3646 type: string
|
|
|
3647 values:
|
|
|
3648 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
3649 type: array
|
|
|
3650 items:
|
|
|
3651 type: string
|
|
|
3652 matchLabels:
|
|
|
3653 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
3654 type: object
|
|
|
3655 additionalProperties:
|
|
|
3656 type: string
|
|
|
3657 namespaceSelector:
|
|
|
3658 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
3659 type: object
|
|
|
3660 properties:
|
|
|
3661 matchExpressions:
|
|
|
3662 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
3663 type: array
|
|
|
3664 items:
|
|
|
3665 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3666 type: object
|
|
|
3667 required:
|
|
|
3668 - key
|
|
|
3669 - operator
|
|
|
3670 properties:
|
|
|
3671 key:
|
|
|
3672 description: key is the label key that the selector applies to.
|
|
|
3673 type: string
|
|
|
3674 operator:
|
|
|
3675 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
3676 type: string
|
|
|
3677 values:
|
|
|
3678 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
3679 type: array
|
|
|
3680 items:
|
|
|
3681 type: string
|
|
|
3682 matchLabels:
|
|
|
3683 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
3684 type: object
|
|
|
3685 additionalProperties:
|
|
|
3686 type: string
|
|
|
3687 namespaces:
|
|
|
3688 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
3689 type: array
|
|
|
3690 items:
|
|
|
3691 type: string
|
|
|
3692 topologyKey:
|
|
|
3693 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
3694 type: string
|
|
|
3695 podAntiAffinity:
|
|
|
3696 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
|
|
|
3697 type: object
|
|
|
3698 properties:
|
|
|
3699 preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
3700 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
|
|
|
3701 type: array
|
|
|
3702 items:
|
|
|
3703 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|
|
3704 type: object
|
|
|
3705 required:
|
|
|
3706 - podAffinityTerm
|
|
|
3707 - weight
|
|
|
3708 properties:
|
|
|
3709 podAffinityTerm:
|
|
|
3710 description: Required. A pod affinity term, associated with the corresponding weight.
|
|
|
3711 type: object
|
|
|
3712 required:
|
|
|
3713 - topologyKey
|
|
|
3714 properties:
|
|
|
3715 labelSelector:
|
|
|
3716 description: A label query over a set of resources, in this case pods.
|
|
|
3717 type: object
|
|
|
3718 properties:
|
|
|
3719 matchExpressions:
|
|
|
3720 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
3721 type: array
|
|
|
3722 items:
|
|
|
3723 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3724 type: object
|
|
|
3725 required:
|
|
|
3726 - key
|
|
|
3727 - operator
|
|
|
3728 properties:
|
|
|
3729 key:
|
|
|
3730 description: key is the label key that the selector applies to.
|
|
|
3731 type: string
|
|
|
3732 operator:
|
|
|
3733 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
3734 type: string
|
|
|
3735 values:
|
|
|
3736 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
3737 type: array
|
|
|
3738 items:
|
|
|
3739 type: string
|
|
|
3740 matchLabels:
|
|
|
3741 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
3742 type: object
|
|
|
3743 additionalProperties:
|
|
|
3744 type: string
|
|
|
3745 namespaceSelector:
|
|
|
3746 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
3747 type: object
|
|
|
3748 properties:
|
|
|
3749 matchExpressions:
|
|
|
3750 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
3751 type: array
|
|
|
3752 items:
|
|
|
3753 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3754 type: object
|
|
|
3755 required:
|
|
|
3756 - key
|
|
|
3757 - operator
|
|
|
3758 properties:
|
|
|
3759 key:
|
|
|
3760 description: key is the label key that the selector applies to.
|
|
|
3761 type: string
|
|
|
3762 operator:
|
|
|
3763 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
3764 type: string
|
|
|
3765 values:
|
|
|
3766 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
3767 type: array
|
|
|
3768 items:
|
|
|
3769 type: string
|
|
|
3770 matchLabels:
|
|
|
3771 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
3772 type: object
|
|
|
3773 additionalProperties:
|
|
|
3774 type: string
|
|
|
3775 namespaces:
|
|
|
3776 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
3777 type: array
|
|
|
3778 items:
|
|
|
3779 type: string
|
|
|
3780 topologyKey:
|
|
|
3781 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
3782 type: string
|
|
|
3783 weight:
|
|
|
3784 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
|
|
|
3785 type: integer
|
|
|
3786 format: int32
|
|
|
3787 requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
3788 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|
|
3789 type: array
|
|
|
3790 items:
|
|
|
3791 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
|
|
|
3792 type: object
|
|
|
3793 required:
|
|
|
3794 - topologyKey
|
|
|
3795 properties:
|
|
|
3796 labelSelector:
|
|
|
3797 description: A label query over a set of resources, in this case pods.
|
|
|
3798 type: object
|
|
|
3799 properties:
|
|
|
3800 matchExpressions:
|
|
|
3801 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
3802 type: array
|
|
|
3803 items:
|
|
|
3804 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3805 type: object
|
|
|
3806 required:
|
|
|
3807 - key
|
|
|
3808 - operator
|
|
|
3809 properties:
|
|
|
3810 key:
|
|
|
3811 description: key is the label key that the selector applies to.
|
|
|
3812 type: string
|
|
|
3813 operator:
|
|
|
3814 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
3815 type: string
|
|
|
3816 values:
|
|
|
3817 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
3818 type: array
|
|
|
3819 items:
|
|
|
3820 type: string
|
|
|
3821 matchLabels:
|
|
|
3822 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
3823 type: object
|
|
|
3824 additionalProperties:
|
|
|
3825 type: string
|
|
|
3826 namespaceSelector:
|
|
|
3827 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
|
|
|
3828 type: object
|
|
|
3829 properties:
|
|
|
3830 matchExpressions:
|
|
|
3831 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
|
3832 type: array
|
|
|
3833 items:
|
|
|
3834 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
|
3835 type: object
|
|
|
3836 required:
|
|
|
3837 - key
|
|
|
3838 - operator
|
|
|
3839 properties:
|
|
|
3840 key:
|
|
|
3841 description: key is the label key that the selector applies to.
|
|
|
3842 type: string
|
|
|
3843 operator:
|
|
|
3844 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
|
3845 type: string
|
|
|
3846 values:
|
|
|
3847 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
|
3848 type: array
|
|
|
3849 items:
|
|
|
3850 type: string
|
|
|
3851 matchLabels:
|
|
|
3852 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
|
3853 type: object
|
|
|
3854 additionalProperties:
|
|
|
3855 type: string
|
|
|
3856 namespaces:
|
|
|
3857 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|
|
3858 type: array
|
|
|
3859 items:
|
|
|
3860 type: string
|
|
|
3861 topologyKey:
|
|
|
3862 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
|
|
|
3863 type: string
|
|
|
3864 nodeSelector:
|
|
|
3865 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
|
|
3866 type: object
|
|
|
3867 additionalProperties:
|
|
|
3868 type: string
|
|
|
3869 priorityClassName:
|
|
|
3870 description: If specified, the pod's priorityClassName.
|
|
|
3871 type: string
|
|
|
3872 serviceAccountName:
|
|
|
3873 description: If specified, the pod's service account
|
|
|
3874 type: string
|
|
|
3875 tolerations:
|
|
|
3876 description: If specified, the pod's tolerations.
|
|
|
3877 type: array
|
|
|
3878 items:
|
|
|
3879 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
|
|
|
3880 type: object
|
|
|
3881 properties:
|
|
|
3882 effect:
|
|
|
3883 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
|
|
|
3884 type: string
|
|
|
3885 key:
|
|
|
3886 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
|
|
|
3887 type: string
|
|
|
3888 operator:
|
|
|
3889 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
|
|
|
3890 type: string
|
|
|
3891 tolerationSeconds:
|
|
|
3892 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
|
|
|
3893 type: integer
|
|
|
3894 format: int64
|
|
|
3895 value:
|
|
|
3896 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
|
|
|
3897 type: string
|
|
|
3898 serviceType:
|
|
|
3899 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|
|
3900 type: string
|
|
|
3901 selector:
|
|
|
3902 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
|
|
|
3903 type: object
|
|
|
3904 properties:
|
|
|
3905 dnsNames:
|
|
|
3906 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
|
|
|
3907 type: array
|
|
|
3908 items:
|
|
|
3909 type: string
|
|
|
3910 dnsZones:
|
|
|
3911 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
|
|
|
3912 type: array
|
|
|
3913 items:
|
|
|
3914 type: string
|
|
|
3915 matchLabels:
|
|
|
3916 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
|
|
|
3917 type: object
|
|
|
3918 additionalProperties:
|
|
|
3919 type: string
|
|
|
3920 ca:
|
|
|
3921 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
|
|
|
3922 type: object
|
|
|
3923 required:
|
|
|
3924 - secretName
|
|
|
3925 properties:
|
|
|
3926 crlDistributionPoints:
|
|
|
3927 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
|
|
|
3928 type: array
|
|
|
3929 items:
|
|
|
3930 type: string
|
|
|
3931 ocspServers:
|
|
|
3932 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
|
|
|
3933 type: array
|
|
|
3934 items:
|
|
|
3935 type: string
|
|
|
3936 secretName:
|
|
|
3937 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
|
|
|
3938 type: string
|
|
|
3939 selfSigned:
|
|
|
3940 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
|
|
|
3941 type: object
|
|
|
3942 properties:
|
|
|
3943 crlDistributionPoints:
|
|
|
3944 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
|
|
|
3945 type: array
|
|
|
3946 items:
|
|
|
3947 type: string
|
|
|
3948 vault:
|
|
|
3949 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
|
|
|
3950 type: object
|
|
|
3951 required:
|
|
|
3952 - auth
|
|
|
3953 - path
|
|
|
3954 - server
|
|
|
3955 properties:
|
|
|
3956 auth:
|
|
|
3957 description: Auth configures how cert-manager authenticates with the Vault server.
|
|
|
3958 type: object
|
|
|
3959 properties:
|
|
|
3960 appRole:
|
|
|
3961 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
|
|
|
3962 type: object
|
|
|
3963 required:
|
|
|
3964 - path
|
|
|
3965 - roleId
|
|
|
3966 - secretRef
|
|
|
3967 properties:
|
|
|
3968 path:
|
|
|
3969 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
|
|
|
3970 type: string
|
|
|
3971 roleId:
|
|
|
3972 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
|
|
|
3973 type: string
|
|
|
3974 secretRef:
|
|
|
3975 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
|
|
|
3976 type: object
|
|
|
3977 required:
|
|
|
3978 - name
|
|
|
3979 properties:
|
|
|
3980 key:
|
|
|
3981 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
3982 type: string
|
|
|
3983 name:
|
|
|
3984 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
3985 type: string
|
|
|
3986 kubernetes:
|
|
|
3987 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
|
|
|
3988 type: object
|
|
|
3989 required:
|
|
|
3990 - role
|
|
|
3991 - secretRef
|
|
|
3992 properties:
|
|
|
3993 mountPath:
|
|
|
3994 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
|
|
|
3995 type: string
|
|
|
3996 role:
|
|
|
3997 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
|
|
|
3998 type: string
|
|
|
3999 secretRef:
|
|
|
4000 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
|
|
|
4001 type: object
|
|
|
4002 required:
|
|
|
4003 - name
|
|
|
4004 properties:
|
|
|
4005 key:
|
|
|
4006 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
4007 type: string
|
|
|
4008 name:
|
|
|
4009 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
4010 type: string
|
|
|
4011 tokenSecretRef:
|
|
|
4012 description: TokenSecretRef authenticates with Vault by presenting a token.
|
|
|
4013 type: object
|
|
|
4014 required:
|
|
|
4015 - name
|
|
|
4016 properties:
|
|
|
4017 key:
|
|
|
4018 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
4019 type: string
|
|
|
4020 name:
|
|
|
4021 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
4022 type: string
|
|
|
4023 caBundle:
|
|
|
4024 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
|
|
|
4025 type: string
|
|
|
4026 format: byte
|
|
|
4027 namespace:
|
|
|
4028 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
|
|
4029 type: string
|
|
|
4030 path:
|
|
|
4031 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
|
|
4032 type: string
|
|
|
4033 server:
|
|
|
4034 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
|
|
|
4035 type: string
|
|
|
4036 venafi:
|
|
|
4037 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
|
|
|
4038 type: object
|
|
|
4039 required:
|
|
|
4040 - zone
|
|
|
4041 properties:
|
|
|
4042 cloud:
|
|
|
4043 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
|
|
|
4044 type: object
|
|
|
4045 required:
|
|
|
4046 - apiTokenSecretRef
|
|
|
4047 properties:
|
|
|
4048 apiTokenSecretRef:
|
|
|
4049 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
|
|
|
4050 type: object
|
|
|
4051 required:
|
|
|
4052 - name
|
|
|
4053 properties:
|
|
|
4054 key:
|
|
|
4055 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
|
|
|
4056 type: string
|
|
|
4057 name:
|
|
|
4058 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
4059 type: string
|
|
|
4060 url:
|
|
|
4061 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
|
|
|
4062 type: string
|
|
|
4063 tpp:
|
|
|
4064 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
|
|
|
4065 type: object
|
|
|
4066 required:
|
|
|
4067 - credentialsRef
|
|
|
4068 - url
|
|
|
4069 properties:
|
|
|
4070 caBundle:
|
|
|
4071 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
|
|
|
4072 type: string
|
|
|
4073 format: byte
|
|
|
4074 credentialsRef:
|
|
|
4075 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
|
|
|
4076 type: object
|
|
|
4077 required:
|
|
|
4078 - name
|
|
|
4079 properties:
|
|
|
4080 name:
|
|
|
4081 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
|
4082 type: string
|
|
|
4083 url:
|
|
|
4084 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
|
|
4085 type: string
|
|
|
4086 zone:
|
|
|
4087 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
|
|
|
4088 type: string
|
|
|
4089 status:
|
|
|
4090 description: Status of the Issuer. This is set and managed automatically.
|
|
|
4091 type: object
|
|
|
4092 properties:
|
|
|
4093 acme:
|
|
|
4094 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
|
|
|
4095 type: object
|
|
|
4096 properties:
|
|
|
4097 lastRegisteredEmail:
|
|
|
4098 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
|
|
|
4099 type: string
|
|
|
4100 uri:
|
|
|
4101 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
|
|
|
4102 type: string
|
|
|
4103 conditions:
|
|
|
4104 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
|
|
|
4105 type: array
|
|
|
4106 items:
|
|
|
4107 description: IssuerCondition contains condition information for an Issuer.
|
|
|
4108 type: object
|
|
|
4109 required:
|
|
|
4110 - status
|
|
|
4111 - type
|
|
|
4112 properties:
|
|
|
4113 lastTransitionTime:
|
|
|
4114 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
|
|
|
4115 type: string
|
|
|
4116 format: date-time
|
|
|
4117 message:
|
|
|
4118 description: Message is a human readable description of the details of the last transition, complementing reason.
|
|
|
4119 type: string
|
|
|
4120 observedGeneration:
|
|
|
4121 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
|
|
|
4122 type: integer
|
|
|
4123 format: int64
|
|
|
4124 reason:
|
|
|
4125 description: Reason is a brief machine readable explanation for the condition's last transition.
|
|
|
4126 type: string
|
|
|
4127 status:
|
|
|
4128 description: Status of the condition, one of (`True`, `False`, `Unknown`).
|
|
|
4129 type: string
|
|
|
4130 enum:
|
|
|
4131 - "True"
|
|
|
4132 - "False"
|
|
|
4133 - Unknown
|
|
|
4134 type:
|
|
|
4135 description: Type of the condition, known values are (`Ready`).
|
|
|
4136 type: string
|
|
|
4137 x-kubernetes-list-map-keys:
|
|
|
4138 - type
|
|
|
4139 x-kubernetes-list-type: map
|
|
|
4140 served: true
|
|
|
4141 storage: true
|
|
|
4142 ---
|
|
|
4143 # Source: cert-manager/templates/crd-templates.yaml
|
|
|
4144 apiVersion: apiextensions.k8s.io/v1
|
|
|
4145 kind: CustomResourceDefinition
|
|
|
4146 metadata:
|
|
|
4147 name: orders.acme.cert-manager.io
|
|
|
4148 labels:
|
|
|
4149 app: 'cert-manager'
|
|
|
4150 app.kubernetes.io/name: 'cert-manager'
|
|
|
4151 app.kubernetes.io/instance: 'cert-manager'
|
|
|
4152 # Generated labels
|
|
8
|
4153 app.kubernetes.io/version: "v1.10.1"
|
|
0
|
4154 spec:
|
|
|
4155 group: acme.cert-manager.io
|
|
|
4156 names:
|
|
|
4157 kind: Order
|
|
|
4158 listKind: OrderList
|
|
|
4159 plural: orders
|
|
|
4160 singular: order
|
|
|
4161 categories:
|
|
|
4162 - cert-manager
|
|
|
4163 - cert-manager-acme
|
|
|
4164 scope: Namespaced
|
|
|
4165 versions:
|
|
|
4166 - name: v1
|
|
|
4167 subresources:
|
|
|
4168 status: {}
|
|
|
4169 additionalPrinterColumns:
|
|
|
4170 - jsonPath: .status.state
|
|
|
4171 name: State
|
|
|
4172 type: string
|
|
|
4173 - jsonPath: .spec.issuerRef.name
|
|
|
4174 name: Issuer
|
|
|
4175 priority: 1
|
|
|
4176 type: string
|
|
|
4177 - jsonPath: .status.reason
|
|
|
4178 name: Reason
|
|
|
4179 priority: 1
|
|
|
4180 type: string
|
|
|
4181 - jsonPath: .metadata.creationTimestamp
|
|
|
4182 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|
|
4183 name: Age
|
|
|
4184 type: date
|
|
|
4185 schema:
|
|
|
4186 openAPIV3Schema:
|
|
|
4187 description: Order is a type to represent an Order with an ACME server
|
|
|
4188 type: object
|
|
|
4189 required:
|
|
|
4190 - metadata
|
|
|
4191 - spec
|
|
|
4192 properties:
|
|
|
4193 apiVersion:
|
|
|
4194 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
|
4195 type: string
|
|
|
4196 kind:
|
|
|
4197 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
|
4198 type: string
|
|
|
4199 metadata:
|
|
|
4200 type: object
|
|
|
4201 spec:
|
|
|
4202 type: object
|
|
|
4203 required:
|
|
|
4204 - issuerRef
|
|
|
4205 - request
|
|
|
4206 properties:
|
|
|
4207 commonName:
|
|
|
4208 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
|
|
|
4209 type: string
|
|
|
4210 dnsNames:
|
|
|
4211 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
|
|
|
4212 type: array
|
|
|
4213 items:
|
|
|
4214 type: string
|
|
|
4215 duration:
|
|
|
4216 description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
|
|
|
4217 type: string
|
|
|
4218 ipAddresses:
|
|
|
4219 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
|
|
|
4220 type: array
|
|
|
4221 items:
|
|
|
4222 type: string
|
|
|
4223 issuerRef:
|
|
|
4224 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
|
|
|
4225 type: object
|
|
|
4226 required:
|
|
|
4227 - name
|
|
|
4228 properties:
|
|
|
4229 group:
|
|
|
4230 description: Group of the resource being referred to.
|
|
|
4231 type: string
|
|
|
4232 kind:
|
|
|
4233 description: Kind of the resource being referred to.
|
|
|
4234 type: string
|
|
|
4235 name:
|
|
|
4236 description: Name of the resource being referred to.
|
|
|
4237 type: string
|
|
|
4238 request:
|
|
|
4239 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
|
|
|
4240 type: string
|
|
|
4241 format: byte
|
|
|
4242 status:
|
|
|
4243 type: object
|
|
|
4244 properties:
|
|
|
4245 authorizations:
|
|
|
4246 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
|
|
|
4247 type: array
|
|
|
4248 items:
|
|
|
4249 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
|
|
|
4250 type: object
|
|
|
4251 required:
|
|
|
4252 - url
|
|
|
4253 properties:
|
|
|
4254 challenges:
|
|
|
4255 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
|
|
|
4256 type: array
|
|
|
4257 items:
|
|
|
4258 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
|
|
|
4259 type: object
|
|
|
4260 required:
|
|
|
4261 - token
|
|
|
4262 - type
|
|
|
4263 - url
|
|
|
4264 properties:
|
|
|
4265 token:
|
|
|
4266 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
|
|
|
4267 type: string
|
|
|
4268 type:
|
|
|
4269 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
|
|
|
4270 type: string
|
|
|
4271 url:
|
|
|
4272 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
|
|
|
4273 type: string
|
|
|
4274 identifier:
|
|
|
4275 description: Identifier is the DNS name to be validated as part of this authorization
|
|
|
4276 type: string
|
|
|
4277 initialState:
|
|
|
4278 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
|
|
|
4279 type: string
|
|
|
4280 enum:
|
|
|
4281 - valid
|
|
|
4282 - ready
|
|
|
4283 - pending
|
|
|
4284 - processing
|
|
|
4285 - invalid
|
|
|
4286 - expired
|
|
|
4287 - errored
|
|
|
4288 url:
|
|
|
4289 description: URL is the URL of the Authorization that must be completed
|
|
|
4290 type: string
|
|
|
4291 wildcard:
|
|
|
4292 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
|
|
|
4293 type: boolean
|
|
|
4294 certificate:
|
|
|
4295 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
|
|
|
4296 type: string
|
|
|
4297 format: byte
|
|
|
4298 failureTime:
|
|
|
4299 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
|
|
|
4300 type: string
|
|
|
4301 format: date-time
|
|
|
4302 finalizeURL:
|
|
|
4303 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
|
|
|
4304 type: string
|
|
|
4305 reason:
|
|
|
4306 description: Reason optionally provides more information about a why the order is in the current state.
|
|
|
4307 type: string
|
|
|
4308 state:
|
|
|
4309 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
|
|
|
4310 type: string
|
|
|
4311 enum:
|
|
|
4312 - valid
|
|
|
4313 - ready
|
|
|
4314 - pending
|
|
|
4315 - processing
|
|
|
4316 - invalid
|
|
|
4317 - expired
|
|
|
4318 - errored
|
|
|
4319 url:
|
|
|
4320 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
|
|
|
4321 type: string
|
|
|
4322 served: true
|
|
|
4323 storage: true
|
