1 # Copyright The cert-manager Authors.
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
7 # http://www.apache.org/licenses/LICENSE-2.0
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
16 # Source: cert-manager/templates/templates.out
# CustomResourceDefinition registering the CertificateRequest kind in the
# cert-manager.io API group. Nesting keys (metadata, spec, ...) are not visible
# in this listing.
17 apiVersion: apiextensions.k8s.io/v1
18 kind: CustomResourceDefinition
20 name: certificaterequests.cert-manager.io
# Value is <namespace>/<name> of a Secret. cert-manager's cainjector uses this
# annotation to supply the CA bundle with which the API server verifies the
# conversion webhook's serving certificate, so write access to that Secret
# decides which webhook server is trusted; keep RBAC on it tight.
# NOTE(review): the caBundle field itself is not visible in this listing.
22 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
25 app.kubernetes.io/name: 'cert-manager'
26 app.kubernetes.io/instance: 'cert-manager'
# Release label; quoted so it stays a string.
28 app.kubernetes.io/version: "v1.5.3"
30 group: cert-manager.io
# Kind, list kind, plural and singular names under which the resource is served.
32 kind: CertificateRequest
33 listKind: CertificateRequestList
34 plural: certificaterequests
38 singular: certificaterequest
43 # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
45 # webhookClientConfig is required when the strategy is `Webhook`; it configures the webhook endpoint that the API server calls.
47 # We don't actually support `v1beta1`, but it is listed here because it is a
48 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
49 # API server reads the supported versions in order, so it _should always_
50 # attempt a `v1` request, which is understood by the cert-manager webhook.
51 # Any `v1beta1` request will return an error and fail closed for that
52 # resource (the whole object request is rejected).
53 # When we no longer support v1.16 we can remove `v1beta1` from this list.
54 conversionReviewVersions: ["v1", "v1beta1"]
# Presumably the Service reference inside the webhook client config (the
# enclosing keys are not shown here): the in-cluster endpoint the API server
# calls for conversion. Verify that only the intended workload backs it.
58 name: 'cert-manager-webhook'
59 namespace: "cert-manager"
# Printer columns and schema descriptions for one served version of
# CertificateRequest. The version name, field keys and nesting are not visible
# in this listing.
# Each column is read from the object via JSONPath: approval state
# (Approved / Denied conditions), readiness, issuer name, requesting user,
# the Ready condition's message and the creation time.
66 additionalPrinterColumns:
67 - jsonPath: .status.conditions[?(@.type=="Approved")].status
70 - jsonPath: .status.conditions[?(@.type=="Denied")].status
73 - jsonPath: .status.conditions[?(@.type=="Ready")].status
76 - jsonPath: .spec.issuerRef.name
# Surfaces the recorded requester identity, which helps when auditing who
# asked for a certificate.
79 - jsonPath: .spec.username
82 - jsonPath: .status.conditions[?(@.type=="Ready")].message
86 - jsonPath: .metadata.creationTimestamp
87 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
# NOTE(review): the text below refers to `status.state`, but the status
# descriptions visible in this listing cover only the signer CA, the issued
# certificate, conditions and FailureTime; the outcome appears to be reported
# through conditions. Confirm against the full schema.
92 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
96 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
99 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
104 description: Desired state of the CertificateRequest resource.
111 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
# Per the description, an issuer may ignore or override the requested duration,
# so the effective lifetime should be read from the issued certificate.
115 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
# Requester identity fields (extra, groups, uid, username): per their
# descriptions they are written by the cert-manager webhook at creation and are
# immutable afterwards.
# NOTE(review): that guarantee rests on the webhook being in the admission
# path; confirm how requests are handled when the webhook is unavailable.
118 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
120 additionalProperties:
125 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
# atomic: the list is treated as a single value and replaced as a whole on
# update rather than merged element by element.
129 x-kubernetes-list-type: atomic
# A certificate issued with the CA flag can sign further certificates, so
# requests that set it are worth distinguishing in approval policy.
131 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
134 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
140 description: Group of the resource being referred to.
143 description: Kind of the resource being referred to.
146 description: Name of the resource being referred to.
149 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
152 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
# The accepted values include broad ones such as "any" and "cert sign"; policy
# that reviews requests may want to treat those separately.
155 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
182 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
185 description: Status of the CertificateRequest. This is set and managed automatically.
# Best-effort per the description: consumers that need a trust anchor should
# not assume this value is always present.
189 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
193 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
# NOTE(review): this text names only `Ready` and `InvalidRequest`, while the
# condition Type description further down also lists `Approved` and `Denied`.
197 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
200 description: CertificateRequestCondition contains condition information for a CertificateRequest.
207 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
211 description: Message is a human readable description of the details of the last transition, complementing reason.
214 description: Reason is a brief machine readable explanation for the condition's last transition.
217 description: Status of the condition, one of (`True`, `False`, `Unknown`).
224 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
227 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
# Printer columns and schema descriptions for another served version of
# CertificateRequest. The version name, field keys and nesting are not visible
# in this listing.
# Columns: Approved / Denied / Ready condition status, issuer name, requesting
# user, the Ready condition's message and the creation time.
235 additionalPrinterColumns:
236 - jsonPath: .status.conditions[?(@.type=="Approved")].status
239 - jsonPath: .status.conditions[?(@.type=="Denied")].status
242 - jsonPath: .status.conditions[?(@.type=="Ready")].status
245 - jsonPath: .spec.issuerRef.name
# Requester identity as recorded on the object; useful for audit.
248 - jsonPath: .spec.username
251 - jsonPath: .status.conditions[?(@.type=="Ready")].message
255 - jsonPath: .metadata.creationTimestamp
256 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
# NOTE(review): `status.state` is mentioned below, but no such status
# description is visible in this listing; the outcome appears to be reported
# through conditions. Confirm against the full schema.
261 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
265 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
268 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
273 description: Desired state of the CertificateRequest resource.
280 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
# The issuer may ignore or override this value (see the description), so the
# issued certificate is the authority on its actual lifetime.
284 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
# Requester identity fields (extra, groups, uid, username) are described as
# populated by the cert-manager webhook on creation and immutable.
# NOTE(review): anything that trusts them depends on the webhook being in the
# admission path; confirm.
287 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
289 additionalProperties:
294 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
# atomic: the list is replaced as a whole on update, never merged per element.
298 x-kubernetes-list-type: atomic
# Requests that set the CA flag ask for a certificate able to sign other
# certificates; treat them as higher privilege when reviewing approvals.
300 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
303 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
309 description: Group of the resource being referred to.
312 description: Kind of the resource being referred to.
315 description: Name of the resource being referred to.
318 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
321 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
324 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
351 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
354 description: Status of the CertificateRequest. This is set and managed automatically.
# Set on a best-effort basis only; absence means the CA is unknown.
358 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
362 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
# NOTE(review): lists fewer condition types than the Type description below,
# which also names `Approved` and `Denied`.
366 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
369 description: CertificateRequestCondition contains condition information for a CertificateRequest.
376 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
380 description: Message is a human readable description of the details of the last transition, complementing reason.
383 description: Reason is a brief machine readable explanation for the condition's last transition.
386 description: Status of the condition, one of (`True`, `False`, `Unknown`).
393 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
396 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
# Printer columns and schema descriptions for another served version of
# CertificateRequest. The version name, field keys and nesting are not visible
# in this listing. Unlike the preceding version blocks, the CSR description
# appears here after the issuerRef descriptions.
# Columns: Approved / Denied / Ready condition status, issuer name, requesting
# user, the Ready condition's message and the creation time.
404 additionalPrinterColumns:
405 - jsonPath: .status.conditions[?(@.type=="Approved")].status
408 - jsonPath: .status.conditions[?(@.type=="Denied")].status
411 - jsonPath: .status.conditions[?(@.type=="Ready")].status
414 - jsonPath: .spec.issuerRef.name
# Requester identity as recorded on the object; useful for audit.
417 - jsonPath: .spec.username
420 - jsonPath: .status.conditions[?(@.type=="Ready")].message
424 - jsonPath: .metadata.creationTimestamp
425 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
# NOTE(review): `status.state` is mentioned below, but no such status
# description is visible in this listing; the outcome appears to be reported
# through conditions. Confirm against the full schema.
430 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
436 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
439 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
444 description: Desired state of the CertificateRequest resource.
# The issuer may ignore or override this value (see the description), so the
# issued certificate is the authority on its actual lifetime.
451 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
# Requester identity fields (extra, groups, uid, username) are described as
# populated by the cert-manager webhook on creation and immutable.
# NOTE(review): anything that trusts them depends on the webhook being in the
# admission path; confirm.
454 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
456 additionalProperties:
461 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
# atomic: the list is replaced as a whole on update, never merged per element.
465 x-kubernetes-list-type: atomic
# Requests that set the CA flag ask for a certificate able to sign other
# certificates; treat them as higher privilege when reviewing approvals.
467 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
470 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
476 description: Group of the resource being referred to.
479 description: Kind of the resource being referred to.
482 description: Name of the resource being referred to.
485 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
489 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
492 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
495 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
522 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
525 description: Status of the CertificateRequest. This is set and managed automatically.
# Set on a best-effort basis only; absence means the CA is unknown.
529 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
533 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
# NOTE(review): lists fewer condition types than the Type description below,
# which also names `Approved` and `Denied`.
537 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
540 description: CertificateRequestCondition contains condition information for a CertificateRequest.
547 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
551 description: Message is a human readable description of the details of the last transition, complementing reason.
554 description: Reason is a brief machine readable explanation for the condition's last transition.
557 description: Status of the condition, one of (`True`, `False`, `Unknown`).
564 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
567 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
# Printer columns and schema descriptions for the last served version of
# CertificateRequest shown in this listing. The version name, field keys and
# nesting are not visible here.
# Columns: Approved / Denied / Ready condition status, issuer name, requesting
# user, the Ready condition's message and the creation time.
575 additionalPrinterColumns:
576 - jsonPath: .status.conditions[?(@.type=="Approved")].status
579 - jsonPath: .status.conditions[?(@.type=="Denied")].status
582 - jsonPath: .status.conditions[?(@.type=="Ready")].status
585 - jsonPath: .spec.issuerRef.name
# Requester identity as recorded on the object; useful for audit.
588 - jsonPath: .spec.username
591 - jsonPath: .status.conditions[?(@.type=="Ready")].message
595 - jsonPath: .metadata.creationTimestamp
596 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
# NOTE(review): `status.state` is mentioned below, but no such status
# description is visible in this listing; the outcome appears to be reported
# through conditions. Confirm against the full schema.
601 description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
607 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
610 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
615 description: Desired state of the CertificateRequest resource.
# The issuer may ignore or override this value (see the description), so the
# issued certificate is the authority on its actual lifetime.
622 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
# Requester identity fields (extra, groups, uid, username) are described as
# populated by the cert-manager webhook on creation and immutable.
# NOTE(review): anything that trusts them depends on the webhook being in the
# admission path; confirm.
625 description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
627 additionalProperties:
632 description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
# atomic: the list is replaced as a whole on update, never merged per element.
636 x-kubernetes-list-type: atomic
# Requests that set the CA flag ask for a certificate able to sign other
# certificates; treat them as higher privilege when reviewing approvals.
638 description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
641 description: IssuerRef is a reference to the issuer for this CertificateRequest. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
647 description: Group of the resource being referred to.
650 description: Kind of the resource being referred to.
653 description: Name of the resource being referred to.
656 description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
660 description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
# NOTE(review): the sentence break between "CSR spec" and "Defaults" is missing
# in the text below. The wording is SHOULD, so the usages listed here and those
# inside the CSR may differ; presumably a signer or approver has to decide
# which one it honours. Confirm.
663 description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
666 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
693 description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
696 description: Status of the CertificateRequest. This is set and managed automatically.
# Set on a best-effort basis only; absence means the CA is unknown.
700 description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
704 description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
# NOTE(review): lists fewer condition types than the Type description below,
# which also names `Approved` and `Denied`.
708 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
711 description: CertificateRequestCondition contains condition information for a CertificateRequest.
718 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
722 description: Message is a human readable description of the details of the last transition, complementing reason.
725 description: Reason is a brief machine readable explanation for the condition's last transition.
728 description: Status of the condition, one of (`True`, `False`, `Unknown`).
735 description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
738 description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
744 # Source: cert-manager/templates/templates.out
745 apiVersion: apiextensions.k8s.io/v1
746 kind: CustomResourceDefinition
748 name: certificates.cert-manager.io
750 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
753 app.kubernetes.io/name: 'cert-manager'
754 app.kubernetes.io/instance: 'cert-manager'
756 app.kubernetes.io/version: "v1.5.3"
758 group: cert-manager.io
761 listKind: CertificateList
766 singular: certificate
771 # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
773 # webhookClientConfig is required when the strategy is `Webhook`; it configures the webhook endpoint that the API server calls.
775 # We don't actually support `v1beta1`, but it is listed here because it is a
776 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
777 # API server reads the supported versions in order, so _should always_
778 # attempt a `v1` request which is understood by the cert-manager webhook.
779 # Any `v1beta1` request will return an error and fail closed for that
780 # resource (the whole object request is rejected).
781 # When we no longer support v1.16 we can remove `v1beta1` from this list.
782 conversionReviewVersions: ["v1", "v1beta1"]
786 name: 'cert-manager-webhook'
787 namespace: "cert-manager"
794 additionalPrinterColumns:
795 - jsonPath: .status.conditions[?(@.type=="Ready")].status
798 - jsonPath: .spec.secretName
801 - jsonPath: .spec.issuerRef.name
805 - jsonPath: .status.conditions[?(@.type=="Ready")].message
809 - jsonPath: .metadata.creationTimestamp
810 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
815 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
819 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
822 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
827 description: Desired state of the Certificate resource.
834 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
837 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
842 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
845 description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
849 encodeUsagesInRequest:
850 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
853 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
858 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
861 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
867 description: Group of the resource being referred to.
870 description: Kind of the resource being referred to.
873 description: Name of the resource being referred to.
876 description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa` If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm.
882 description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
888 description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
891 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
895 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
902 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
905 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
911 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
914 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
917 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
924 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
927 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
933 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
936 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
939 description: Organization is a list of organizations to be used on the Certificate.
944 description: Options to control private keys used for the Certificate.
948 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
951 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
953 revisionHistoryLimit:
954 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
958 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
961 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
965 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
967 additionalProperties:
970 description: Labels is a key value map to be copied to the target Kubernetes Secret.
972 additionalProperties:
975 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
979 description: Countries to be used on the Certificate.
984 description: Cities to be used on the Certificate.
989 description: Organizational Units to be used on the Certificate.
994 description: Postal codes to be used on the Certificate.
999 description: State/Provinces to be used on the Certificate.
1004 description: Serial number to be used on the Certificate.
1007 description: Street addresses to be used on the Certificate.
1012 description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1017 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1020 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1025 - content commitment
1047 description: Status of the Certificate. This is set and managed automatically.
1051 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1054 description: CertificateCondition contains condition information for a Certificate.
1061 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1065 description: Message is a human readable description of the details of the last transition, complementing reason.
1068 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1072 description: Reason is a brief machine readable explanation for the condition's last transition.
1075 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1082 description: Type of the condition, known values are (`Ready`, `Issuing`).
1085 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1088 nextPrivateKeySecretName:
1089 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1092 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1096 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1100 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1104 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1111 additionalPrinterColumns:
1112 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1115 - jsonPath: .spec.secretName
1118 - jsonPath: .spec.issuerRef.name
1122 - jsonPath: .status.conditions[?(@.type=="Ready")].message
1126 - jsonPath: .metadata.creationTimestamp
1127 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1132 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1136 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1139 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1144 description: Desired state of the Certificate resource.
1151 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1154 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1159 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1162 description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
1166 encodeUsagesInRequest:
1167 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1170 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1175 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1178 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1184 description: Group of the resource being referred to.
1187 description: Kind of the resource being referred to.
1190 description: Name of the resource being referred to.
1193 description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa`. If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm.
1199 description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
1205 description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
1208 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1212 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1219 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority.
1222 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1228 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1231 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1234 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1241 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority.
1244 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1250 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1253 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1256 description: Options to control private keys used for the Certificate.
1260 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
1263 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1265 revisionHistoryLimit:
1266 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1270 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1273 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1277 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1279 additionalProperties:
1282 description: Labels is a key value map to be copied to the target Kubernetes Secret.
1284 additionalProperties:
1287 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1291 description: Countries to be used on the Certificate.
1296 description: Cities to be used on the Certificate.
1300 organizationalUnits:
1301 description: Organizational Units to be used on the Certificate.
1306 description: Organizations to be used on the Certificate.
1311 description: Postal codes to be used on the Certificate.
1316 description: State/Provinces to be used on the Certificate.
1321 description: Serial number to be used on the Certificate.
1324 description: Street addresses to be used on the Certificate.
1329 description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1334 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1337 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1342 - content commitment
1364 description: Status of the Certificate. This is set and managed automatically.
1368 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1371 description: CertificateCondition contains condition information for a Certificate.
1378 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1382 description: Message is a human readable description of the details of the last transition, complementing reason.
1385 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1389 description: Reason is a brief machine readable explanation for the condition's last transition.
1392 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1399 description: Type of the condition, known values are (`Ready`, `Issuing`).
1402 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1405 nextPrivateKeySecretName:
1406 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1409 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1413 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1417 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1421 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1428 additionalPrinterColumns:
1429 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1432 - jsonPath: .spec.secretName
1435 - jsonPath: .spec.issuerRef.name
1439 - jsonPath: .status.conditions[?(@.type=="Ready")].message
1443 - jsonPath: .metadata.creationTimestamp
1444 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1449 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1455 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1458 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1463 description: Desired state of the Certificate resource.
1470 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1473 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1478 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1481 description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
1485 encodeUsagesInRequest:
1486 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1489 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1494 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1497 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1503 description: Group of the resource being referred to.
1506 description: Kind of the resource being referred to.
1509 description: Name of the resource being referred to.
1512 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1516 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1523 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
1526 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1532 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1535 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1538 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1545 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
1548 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1554 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1557 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1560 description: Options to control private keys used for the Certificate.
1564 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA` or `ECDSA`. If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm.
1570 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
1576 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
1579 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
1582 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1584 revisionHistoryLimit:
1585 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1589 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1592 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1596 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1598 additionalProperties:
1601 description: Labels is a key value map to be copied to the target Kubernetes Secret.
1603 additionalProperties:
1606 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1610 description: Countries to be used on the Certificate.
1615 description: Cities to be used on the Certificate.
1619 organizationalUnits:
1620 description: Organizational Units to be used on the Certificate.
1625 description: Organizations to be used on the Certificate.
1630 description: Postal codes to be used on the Certificate.
1635 description: State/Provinces to be used on the Certificate.
1640 description: Serial number to be used on the Certificate.
1643 description: Street addresses to be used on the Certificate.
1648 description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1653 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1656 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1661 - content commitment
1683 description: Status of the Certificate. This is set and managed automatically.
1687 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1690 description: CertificateCondition contains condition information for a Certificate.
1697 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1701 description: Message is a human readable description of the details of the last transition, complementing reason.
1704 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1708 description: Reason is a brief machine readable explanation for the condition's last transition.
1711 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1718 description: Type of the condition, known values are (`Ready`, `Issuing`).
1721 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1724 nextPrivateKeySecretName:
1725 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1728 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1732 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1736 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1740 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1747 additionalPrinterColumns:
1748 - jsonPath: .status.conditions[?(@.type=="Ready")].status
1751 - jsonPath: .spec.secretName
1754 - jsonPath: .spec.issuerRef.name
1758 - jsonPath: .status.conditions[?(@.type=="Ready")].message
1762 - jsonPath: .metadata.creationTimestamp
1763 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1768 description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1774 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1777 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1782 description: Desired state of the Certificate resource.
1789 description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1792 description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1797 description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1800 description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
1804 encodeUsagesInRequest:
1805 description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1808 description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1813 description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1816 description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1822 description: Group of the resource being referred to.
1825 description: Kind of the resource being referred to.
1828 description: Name of the resource being referred to.
1831 description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1835 description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1842 description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
1845 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1851 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1854 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1857 description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1864 description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
1867 description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1873 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1876 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1879 description: Options to control private keys used for the Certificate.
1883 description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`, `Ed25519` or `ECDSA`. If `algorithm` is specified and `size` is not provided, a key size of 256 will be used for the `ECDSA` key algorithm and a key size of 2048 will be used for the `RSA` key algorithm. Key size is ignored when using the `Ed25519` key algorithm.
1890 description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
1896 description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
1899 description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
1902 description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1904 revisionHistoryLimit:
1905 description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1909 description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1912 description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1916 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1918 additionalProperties:
1921 description: Labels is a key value map to be copied to the target Kubernetes Secret.
1923 additionalProperties:
1926 description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1930 description: Countries to be used on the Certificate.
1935 description: Cities to be used on the Certificate.
1939 organizationalUnits:
1940 description: Organizational Units to be used on the Certificate.
1945 description: Organizations to be used on the Certificate.
1950 description: Postal codes to be used on the Certificate.
1955 description: State/Provinces to be used on the Certificate.
1960 description: Serial number to be used on the Certificate.
1963 description: Street addresses to be used on the Certificate.
1968 description: URIs is a list of URI subjectAltNames to be set on the Certificate.
1973 description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1976 description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1981 - content commitment
2003 description: Status of the Certificate. This is set and managed automatically.
2007 description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
2010 description: CertificateCondition contains condition information for a Certificate.
2017 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
2021 description: Message is a human readable description of the details of the last transition, complementing reason.
2024 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
2028 description: Reason is a brief machine readable explanation for the condition's last transition.
2031 description: Status of the condition, one of (`True`, `False`, `Unknown`).
2038 description: Type of the condition, known values are (`Ready`, `Issuing`).
2041 description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
2044 nextPrivateKeySecretName:
2045 description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
2048 description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
2052 description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
2056 description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
2060 description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
2065 # Source: cert-manager/templates/templates.out
2066 apiVersion: apiextensions.k8s.io/v1
2067 kind: CustomResourceDefinition
2069 name: challenges.acme.cert-manager.io
2071 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
2074 app.kubernetes.io/name: 'cert-manager'
2075 app.kubernetes.io/instance: 'cert-manager'
2077 app.kubernetes.io/version: "v1.5.3"
2079 group: acme.cert-manager.io
2082 listKind: ChallengeList
2090 # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
2092 # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
2094 # We don't actually support `v1beta1`, but it is listed here as it is a
2095 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
2096 # API server reads the supported versions in order, so it _should always_
2097 # attempt a `v1` request which is understood by the cert-manager webhook.
2098 # Any `v1beta1` request will return an error and fail closed for that
2099 # resource (the whole object request is rejected).
2100 # When we no longer support v1.16 we can remove `v1beta1` from this list.
2101 conversionReviewVersions: ["v1", "v1beta1"]
2105 name: 'cert-manager-webhook'
2106 namespace: "cert-manager"
2110 - additionalPrinterColumns:
2111 - jsonPath: .status.state
2114 - jsonPath: .spec.dnsName
2117 - jsonPath: .status.reason
2121 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
2122 jsonPath: .metadata.creationTimestamp
2128 description: Challenge is a type to represent a Challenge request with an ACME server
2134 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2137 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2154 description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
2157 description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
2160 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
2166 description: Group of the resource being referred to.
2169 description: Kind of the resource being referred to.
2172 description: Name of the resource being referred to.
2175 description: 'Key is the ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
2178 description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
2182 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
2186 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
2193 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2199 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2202 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2207 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
2210 - accessTokenSecretRef
2211 - clientSecretSecretRef
2212 - clientTokenSecretRef
2213 - serviceConsumerDomain
2215 accessTokenSecretRef:
2216 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2222 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2225 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2227 clientSecretSecretRef:
2228 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2234 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2237 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2239 clientTokenSecretRef:
2240 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2246 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2249 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2251 serviceConsumerDomain:
2254 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
2261 description: if both this and ClientSecret are left unset MSI will be used
2263 clientSecretSecretRef:
2264 description: if both this and ClientID are left unset MSI will be used
2270 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2273 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2281 - AzureUSGovernmentCloud
2289 description: when specifying ClientID and ClientSecret then this field is also needed
2292 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
2298 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
2302 serviceAccountSecretRef:
2303 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2309 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2312 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2315 description: Use the Cloudflare API to manage DNS01 challenge records.
2319 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
2325 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2328 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2331 description: API token used to authenticate with Cloudflare.
2337 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2340 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2343 description: Email of the account, only required when using API key based authentication.
2346 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
2352 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
2358 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2364 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2367 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2370 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
2376 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
2379 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
2382 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
2384 tsigSecretSecretRef:
2385 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
2391 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2394 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2397 description: Use the AWS Route53 API to manage DNS01 challenge records.
2403 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2406 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
2409 description: Always set the region when using AccessKeyID and SecretAccessKey
2412 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
2414 secretAccessKeySecretRef:
2415 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
2421 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2424 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2427 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
2434 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
2435 x-kubernetes-preserve-unknown-fields: true
2437 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
2440 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
2443 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
2447 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
2451 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
2453 additionalProperties:
2456 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
2459 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
2463 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
2466 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
2470 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2474 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
2476 additionalProperties:
2479 description: Labels that should be added to the created ACME HTTP01 solver ingress.
2481 additionalProperties:
2484 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
2487 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
2491 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2495 description: Annotations that should be added to the created ACME HTTP01 solver pods.
2497 additionalProperties:
2500 description: Labels that should be added to the created ACME HTTP01 solver pods.
2502 additionalProperties:
2505 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
2509 description: If specified, the pod's scheduling constraints
2513 description: Describes node affinity scheduling rules for the pod.
2516 preferredDuringSchedulingIgnoredDuringExecution:
2517 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
2520 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
2527 description: A node selector term, associated with the corresponding weight.
2531 description: A list of node selector requirements by node's labels.
2534 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2541 description: The label key that the selector applies to.
2544 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2547 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2552 description: A list of node selector requirements by node's fields.
2555 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2562 description: The label key that the selector applies to.
2565 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2568 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2573 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2576 requiredDuringSchedulingIgnoredDuringExecution:
2577 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
2583 description: Required. A list of node selector terms. The terms are ORed.
2586 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2590 description: A list of node selector requirements by node's labels.
2593 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2600 description: The label key that the selector applies to.
2603 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2606 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2611 description: A list of node selector requirements by node's fields.
2614 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2621 description: The label key that the selector applies to.
2624 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2627 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2632 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2635 preferredDuringSchedulingIgnoredDuringExecution:
2636 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2639 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2646 description: Required. A pod affinity term, associated with the corresponding weight.
2652 description: A label query over a set of resources, in this case pods.
2656 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2659 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2666 description: key is the label key that the selector applies to.
2669 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2672 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2677 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2679 additionalProperties:
2682 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2686 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2689 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2696 description: key is the label key that the selector applies to.
2699 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2702 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2707 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2709 additionalProperties:
2712 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2717 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2720 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2723 requiredDuringSchedulingIgnoredDuringExecution:
2724 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2727 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2733 description: A label query over a set of resources, in this case pods.
2737 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2740 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2747 description: key is the label key that the selector applies to.
2750 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2753 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2758 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2760 additionalProperties:
2763 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2767 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2770 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2777 description: key is the label key that the selector applies to.
2780 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2783 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2788 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2790 additionalProperties:
2793 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2798 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2801 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2804 preferredDuringSchedulingIgnoredDuringExecution:
2805 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2808 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2815 description: Required. A pod affinity term, associated with the corresponding weight.
2821 description: A label query over a set of resources, in this case pods.
2825 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2828 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2835 description: key is the label key that the selector applies to.
2838 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2841 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2846 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2848 additionalProperties:
2851 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2855 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2858 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2865 description: key is the label key that the selector applies to.
2868 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2871 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2876 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2878 additionalProperties:
2881 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2886 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2889 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2892 requiredDuringSchedulingIgnoredDuringExecution:
2893 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2896 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2902 description: A label query over a set of resources, in this case pods.
2906 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2909 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2916 description: key is the label key that the selector applies to.
2919 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2922 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2927 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2929 additionalProperties:
2932 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2936 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2939 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2946 description: key is the label key that the selector applies to.
2949 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2952 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2957 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2959 additionalProperties:
2962 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2967 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2970 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
2972 additionalProperties:
2975 description: If specified, the pod's priorityClassName.
2978 description: If specified, the pod's service account
2981 description: If specified, the pod's tolerations.
2984 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
2988 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
2991 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
2994 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
2997 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
3001 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3004 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3007 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
3011 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3016 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3021 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
3023 additionalProperties:
3026 description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
3029 description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
3035 description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
3038 description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
3044 description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
3047 description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
3050 description: Reason contains human readable information on why the Challenge is in the current state.
3053 description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
3067 - additionalPrinterColumns:
3068 - jsonPath: .status.state
3071 - jsonPath: .spec.dnsName
3074 - jsonPath: .status.reason
3078 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
3079 jsonPath: .metadata.creationTimestamp
3085 description: Challenge is a type to represent a Challenge request with an ACME server
3091 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3094 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3111 description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
3114 description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
3117 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
3123 description: Group of the resource being referred to.
3126 description: Kind of the resource being referred to.
3129 description: Name of the resource being referred to.
3132 description: 'Key is the ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
3135 description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
3139 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
3143 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
3150 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3156 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3159 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3164 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
3167 - accessTokenSecretRef
3168 - clientSecretSecretRef
3169 - clientTokenSecretRef
3170 - serviceConsumerDomain
3172 accessTokenSecretRef:
3173 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3179 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3182 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3184 clientSecretSecretRef:
3185 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3191 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3194 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3196 clientTokenSecretRef:
3197 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3203 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3206 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3208 serviceConsumerDomain:
3211 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
3218 description: if both this and ClientSecret are left unset MSI will be used
3220 clientSecretSecretRef:
3221 description: if both this and ClientID are left unset MSI will be used
3227 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3230 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3238 - AzureUSGovernmentCloud
3246 description: when specifying ClientID and ClientSecret then this field is also needed
3249 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
3255 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
3259 serviceAccountSecretRef:
3260 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3266 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3269 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3272 description: Use the Cloudflare API to manage DNS01 challenge records.
3276 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
3282 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3285 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3288 description: API token used to authenticate with Cloudflare.
3294 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3297 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3300 description: Email of the account, only required when using API key based authentication.
3303 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
3309 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
3315 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3321 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3324 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3327 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
3333 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
3336 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. MD5-based TSIG is a legacy choice; prefer ``HMACSHA256`` or ``HMACSHA512`` when the DNS server supports them.'
3339 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
3341 tsigSecretSecretRef:
3342 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
3348 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3351 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3354 description: Use the AWS Route53 API to manage DNS01 challenge records.
3360 description: 'The AccessKeyID is used for authentication. If not set we fall back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3363 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
3366 description: Always set the region when using AccessKeyID and SecretAccessKey
3369 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
3371 secretAccessKeySecretRef:
3372 description: The SecretAccessKey is used for authentication. If not set we fall back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
3378 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3381 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3384 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
3391 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
3392 x-kubernetes-preserve-unknown-fields: true
3394 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
3397 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
3400 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
3404 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
3408 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
3410 additionalProperties:
3413 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3416 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
3420 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
3423 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
3427 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3431 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3433 additionalProperties:
3436 description: Labels that should be added to the created ACME HTTP01 solver ingress.
3438 additionalProperties:
3441 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
3444 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
3448 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3452 description: Annotations that should be added to the created ACME HTTP01 solver pods.
3454 additionalProperties:
3457 description: Labels that should be added to the created ACME HTTP01 solver pods.
3459 additionalProperties:
3462 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
3466 description: If specified, the pod's scheduling constraints
3470 description: Describes node affinity scheduling rules for the pod.
3473 preferredDuringSchedulingIgnoredDuringExecution:
3474 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
3477 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3484 description: A node selector term, associated with the corresponding weight.
3488 description: A list of node selector requirements by node's labels.
3491 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3498 description: The label key that the selector applies to.
3501 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3504 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3509 description: A list of node selector requirements by node's fields.
3512 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3519 description: The label key that the selector applies to.
3522 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3525 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3530 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3533 requiredDuringSchedulingIgnoredDuringExecution:
3534 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
3540 description: Required. A list of node selector terms. The terms are ORed.
3543 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3547 description: A list of node selector requirements by node's labels.
3550 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3557 description: The label key that the selector applies to.
3560 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3563 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3568 description: A list of node selector requirements by node's fields.
3571 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3578 description: The label key that the selector applies to.
3581 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3584 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3589 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3592 preferredDuringSchedulingIgnoredDuringExecution:
3593 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3596 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3603 description: Required. A pod affinity term, associated with the corresponding weight.
3609 description: A label query over a set of resources, in this case pods.
3613 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3616 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3623 description: key is the label key that the selector applies to.
3626 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3629 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3634 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3636 additionalProperties:
3639 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3643 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3646 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3653 description: key is the label key that the selector applies to.
3656 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3659 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3664 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3666 additionalProperties:
3669 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3674 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3677 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3680 requiredDuringSchedulingIgnoredDuringExecution:
3681 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3684 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3690 description: A label query over a set of resources, in this case pods.
3694 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3697 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3704 description: key is the label key that the selector applies to.
3707 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3710 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3715 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3717 additionalProperties:
3720 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3724 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3727 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3734 description: key is the label key that the selector applies to.
3737 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3740 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3745 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3747 additionalProperties:
3750 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3755 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3758 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
3761 preferredDuringSchedulingIgnoredDuringExecution:
3762 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3765 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3772 description: Required. A pod affinity term, associated with the corresponding weight.
3778 description: A label query over a set of resources, in this case pods.
3782 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3785 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3792 description: key is the label key that the selector applies to.
3795 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3798 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3803 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3805 additionalProperties:
3808 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3812 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3815 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3822 description: key is the label key that the selector applies to.
3825 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3828 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3833 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3835 additionalProperties:
3838 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3843 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3846 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3849 requiredDuringSchedulingIgnoredDuringExecution:
3850 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3853 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3859 description: A label query over a set of resources, in this case pods.
3863 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3866 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3873 description: key is the label key that the selector applies to.
3876 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3879 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3884 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3886 additionalProperties:
3889 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3893 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3896 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3903 description: key is the label key that the selector applies to.
3906 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3909 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3914 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3916 additionalProperties:
3919 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3924 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3927 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
3929 additionalProperties:
3932 description: If specified, the pod's priorityClassName.
3935 description: If specified, the pod's service account
3938 description: If specified, the pod's tolerations.
3941 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
3945 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3948 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3951 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
3954 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
3958 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3961 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3964 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
3968 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3973 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3978 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
3980 additionalProperties:
3983 description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
3986 description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
3992 description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
3995 description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
4001 description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
4004 description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
4007 description: Reason contains human readable information on why the Challenge is in the current state.
4010 description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
4024 - additionalPrinterColumns:
4025 - jsonPath: .status.state
4028 - jsonPath: .spec.dnsName
4031 - jsonPath: .status.reason
4035 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4036 jsonPath: .metadata.creationTimestamp
4042 description: Challenge is a type to represent a Challenge request with an ACME server
4049 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4052 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4069 description: The URL to the ACME Authorization resource that this challenge is a part of.
4072 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
4075 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
4081 description: Group of the resource being referred to.
4084 description: Kind of the resource being referred to.
4087 description: Name of the resource being referred to.
4090 description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
4093 description: Contains the domain solving configuration that should be used to solve this challenge resource.
4097 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
4101 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
4108 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4114 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4117 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4122 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
4125 - accessTokenSecretRef
4126 - clientSecretSecretRef
4127 - clientTokenSecretRef
4128 - serviceConsumerDomain
4130 accessTokenSecretRef:
4131 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4137 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4140 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4142 clientSecretSecretRef:
4143 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4149 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4152 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4154 clientTokenSecretRef:
4155 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4161 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4164 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4166 serviceConsumerDomain:
4169 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
4176 description: if both this and ClientSecret are left unset MSI will be used
4178 clientSecretSecretRef:
4179 description: if both this and ClientID are left unset MSI will be used
4185 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4188 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4196 - AzureUSGovernmentCloud
4204 description: when specifying ClientID and ClientSecret then this field is also needed
4207 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
4213 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
4217 serviceAccountSecretRef:
4218 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4224 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4227 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4230 description: Use the Cloudflare API to manage DNS01 challenge records.
4234 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
4240 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4243 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4246 description: API token used to authenticate with Cloudflare.
4252 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4255 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4258 description: Email of the account, only required when using API key based authentication.
4261 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
4267 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
4273 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4279 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4282 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4285 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
4291 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
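# NOTE(review): HMACMD5 is the default when no algorithm is given. RFC 8945 says HMAC-MD5 must not be used for TSIG and does not recommend HMAC-SHA1, so set the algorithm explicitly to HMACSHA256 or HMACSHA512 where the DNS server supports it.
4294 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'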
4297 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
4299 tsigSecretSecretRef:
4300 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
4306 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4309 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4312 description: Use the AWS Route53 API to manage DNS01 challenge records.
4318 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
4321 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
4324 description: Always set the region when using AccessKeyID and SecretAccessKey
4327 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
4329 secretAccessKeySecretRef:
4330 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
4336 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4339 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4342 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
4349 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
4350 x-kubernetes-preserve-unknown-fields: true
4352 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
4355 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
4358 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
4362 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
4366 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
4368 additionalProperties:
4371 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
4374 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
4378 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
4381 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
4385 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
4389 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
4391 additionalProperties:
4394 description: Labels that should be added to the created ACME HTTP01 solver ingress.
4396 additionalProperties:
4399 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
4402 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
4406 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
4410 description: Annotations that should be added to the created ACME HTTP01 solver pods.
4412 additionalProperties:
4415 description: Labels that should be added to the created ACME HTTP01 solver pods.
4417 additionalProperties:
4420 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
4424 description: If specified, the pod's scheduling constraints
4428 description: Describes node affinity scheduling rules for the pod.
4431 preferredDuringSchedulingIgnoredDuringExecution:
4432 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
4435 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
4442 description: A node selector term, associated with the corresponding weight.
4446 description: A list of node selector requirements by node's labels.
4449 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4456 description: The label key that the selector applies to.
4459 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4462 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4467 description: A list of node selector requirements by node's fields.
4470 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4477 description: The label key that the selector applies to.
4480 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4483 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4488 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
4491 requiredDuringSchedulingIgnoredDuringExecution:
4492 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
4498 description: Required. A list of node selector terms. The terms are ORed.
4501 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
4505 description: A list of node selector requirements by node's labels.
4508 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4515 description: The label key that the selector applies to.
4518 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4521 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4526 description: A list of node selector requirements by node's fields.
4529 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4536 description: The label key that the selector applies to.
4539 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4542 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4547 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
4550 preferredDuringSchedulingIgnoredDuringExecution:
4551 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
4554 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
4561 description: Required. A pod affinity term, associated with the corresponding weight.
4567 description: A label query over a set of resources, in this case pods.
4571 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4574 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4581 description: key is the label key that the selector applies to.
4584 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4587 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4592 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4594 additionalProperties:
4597 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4601 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4604 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4611 description: key is the label key that the selector applies to.
4614 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4617 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4622 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4624 additionalProperties:
4627 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4632 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4635 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
4638 requiredDuringSchedulingIgnoredDuringExecution:
4639 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
4642 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
4648 description: A label query over a set of resources, in this case pods.
4652 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4655 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4662 description: key is the label key that the selector applies to.
4665 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4668 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4673 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4675 additionalProperties:
4678 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4682 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4685 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4692 description: key is the label key that the selector applies to.
4695 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4698 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4703 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4705 additionalProperties:
4708 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4713 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4716 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
4719 preferredDuringSchedulingIgnoredDuringExecution:
4720 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
4723 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
4730 description: Required. A pod affinity term, associated with the corresponding weight.
4736 description: A label query over a set of resources, in this case pods.
4740 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4743 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4750 description: key is the label key that the selector applies to.
4753 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4756 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4761 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4763 additionalProperties:
4766 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4770 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4773 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4780 description: key is the label key that the selector applies to.
4783 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4786 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4791 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4793 additionalProperties:
4796 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4801 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4804 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
4807 requiredDuringSchedulingIgnoredDuringExecution:
4808 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
4811 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
4817 description: A label query over a set of resources, in this case pods.
4821 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4824 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4831 description: key is the label key that the selector applies to.
4834 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4837 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4842 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4844 additionalProperties:
4847 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4851 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4854 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4861 description: key is the label key that the selector applies to.
4864 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4867 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4872 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4874 additionalProperties:
4877 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4882 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4885 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
4887 additionalProperties:
4890 description: If specified, the pod's priorityClassName.
4893 description: If specified, the pod's service account
4896 description: If specified, the pod's tolerations.
4899 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
4903 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
4906 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
4909 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
4912 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
4916 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
4919 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
4922 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
4926 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4931 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4936 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
4938 additionalProperties:
4941 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
4944 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
4950 description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
4953 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
4959 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
4962 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
4965 description: Contains human readable information on why the Challenge is in the current state.
4968 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
4982 - additionalPrinterColumns:
4983 - jsonPath: .status.state
4986 - jsonPath: .spec.dnsName
4989 - jsonPath: .status.reason
4993 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4994 jsonPath: .metadata.creationTimestamp
5000 description: Challenge is a type to represent a Challenge request with an ACME server
5007 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
5010 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
5027 description: The URL to the ACME Authorization resource that this challenge is a part of.
5030 description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
5033 description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
5039 description: Group of the resource being referred to.
5042 description: Kind of the resource being referred to.
5045 description: Name of the resource being referred to.
5048 description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
5051 description: Contains the domain solving configuration that should be used to solve this challenge resource.
5055 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
5059 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
5066 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5072 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5075 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5080 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
5083 - accessTokenSecretRef
5084 - clientSecretSecretRef
5085 - clientTokenSecretRef
5086 - serviceConsumerDomain
5088 accessTokenSecretRef:
5089 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5095 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5098 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5100 clientSecretSecretRef:
5101 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5107 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5110 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5112 clientTokenSecretRef:
5113 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5119 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5122 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5124 serviceConsumerDomain:
5127 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
5134 description: If both this and ClientSecret are left unset, MSI (managed service identity) will be used.
5136 clientSecretSecretRef:
5137 description: If both this and ClientID are left unset, MSI (managed service identity) will be used.
5143 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5146 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5154 - AzureUSGovernmentCloud
5162 description: This field is also required when ClientID and ClientSecret are specified.
5165 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
5171 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
5175 serviceAccountSecretRef:
5176 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5182 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5185 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5188 description: Use the Cloudflare API to manage DNS01 challenge records.
5192 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
5198 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5201 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5204 description: API token used to authenticate with Cloudflare.
5210 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5213 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5216 description: Email of the account, only required when using API key based authentication.
5219 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
5225 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
5231 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5237 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5240 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5243 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
5249 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
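5252 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. Because the default is ``HMACMD5``, set this field explicitly to ``HMACSHA256`` or ``HMACSHA512`` where the DNS server supports them, as HMAC-MD5 is no longer recommended for TSIG.'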
5255 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
5257 tsigSecretSecretRef:
5258 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
5264 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5267 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5270 description: Use the AWS Route53 API to manage DNS01 challenge records.
5276 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
5279 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
5282 description: Always set the region when using AccessKeyID and SecretAccessKey
5285 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
5287 secretAccessKeySecretRef:
5288 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata, see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
5294 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5297 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5300 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
5307 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
5308 x-kubernetes-preserve-unknown-fields: true
5310 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
5313 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
5316 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
5320 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
5324 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
5326 additionalProperties:
5329 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
5332 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
5336 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
5339 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
5343 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
5347 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
5349 additionalProperties:
5352 description: Labels that should be added to the created ACME HTTP01 solver ingress.
5354 additionalProperties:
5357 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
5360 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
5364 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
5368 description: Annotations that should be added to the created ACME HTTP01 solver pods.
5370 additionalProperties:
5373 description: Labels that should be added to the created ACME HTTP01 solver pods.
5375 additionalProperties:
5378 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
5382 description: If specified, the pod's scheduling constraints
5386 description: Describes node affinity scheduling rules for the pod.
5389 preferredDuringSchedulingIgnoredDuringExecution:
5390 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
5393 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
5400 description: A node selector term, associated with the corresponding weight.
5404 description: A list of node selector requirements by node's labels.
5407 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5414 description: The label key that the selector applies to.
5417 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5420 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5425 description: A list of node selector requirements by node's fields.
5428 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5435 description: The label key that the selector applies to.
5438 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5441 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5446 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
5449 requiredDuringSchedulingIgnoredDuringExecution:
5450 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
5456 description: Required. A list of node selector terms. The terms are ORed.
5459 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
5463 description: A list of node selector requirements by node's labels.
5466 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5473 description: The label key that the selector applies to.
5476 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5479 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5484 description: A list of node selector requirements by node's fields.
5487 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5494 description: The label key that the selector applies to.
5497 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5500 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5505 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
5508 preferredDuringSchedulingIgnoredDuringExecution:
5509 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
5512 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5519 description: Required. A pod affinity term, associated with the corresponding weight.
5525 description: A label query over a set of resources, in this case pods.
5529 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5532 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5539 description: key is the label key that the selector applies to.
5542 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5545 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5550 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5552 additionalProperties:
5555 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5559 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5562 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5569 description: key is the label key that the selector applies to.
5572 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5575 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5580 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5582 additionalProperties:
5585 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5590 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5593 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
5596 requiredDuringSchedulingIgnoredDuringExecution:
5597 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
5600 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
5606 description: A label query over a set of resources, in this case pods.
5610 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5613 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5620 description: key is the label key that the selector applies to.
5623 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5626 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5631 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5633 additionalProperties:
5636 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5640 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5643 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5650 description: key is the label key that the selector applies to.
5653 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5656 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5661 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5663 additionalProperties:
5666 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5671 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5674 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
5677 preferredDuringSchedulingIgnoredDuringExecution:
5678 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
5681 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5688 description: Required. A pod affinity term, associated with the corresponding weight.
5694 description: A label query over a set of resources, in this case pods.
5698 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5701 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5708 description: key is the label key that the selector applies to.
5711 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5714 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5719 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5721 additionalProperties:
5724 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5728 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5731 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5738 description: key is the label key that the selector applies to.
5741 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5744 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5749 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5751 additionalProperties:
5754 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5759 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5762 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
5765 requiredDuringSchedulingIgnoredDuringExecution:
5766 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
5769 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
5775 description: A label query over a set of resources, in this case pods.
5779 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5782 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5789 description: key is the label key that the selector applies to.
5792 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5795 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5800 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5802 additionalProperties:
5805 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5809 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5812 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5819 description: key is the label key that the selector applies to.
5822 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5825 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5830 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5832 additionalProperties:
5835 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5840 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5843 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
5845 additionalProperties:
5848 description: If specified, the pod's priorityClassName.
5851 description: If specified, the pod's service account
5854 description: If specified, the pod's tolerations.
5857 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
5861 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
5864 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
5867 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
5870 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
5874 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
5877 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
5880 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
5884 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
5889 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
5894 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
5896 additionalProperties:
5899 description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
5902 description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
5908 description: The URL of the ACME Challenge resource for this challenge. This can be used to look up details about the status of this challenge.
5911 description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
5917 description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
5920 description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
5923 description: Contains human readable information on why the Challenge is in the current state.
5926 description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
5941 # Source: cert-manager/templates/templates.out
5942 apiVersion: apiextensions.k8s.io/v1
5943 kind: CustomResourceDefinition
5945 name: clusterissuers.cert-manager.io
5947 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
5950 app.kubernetes.io/name: 'cert-manager'
5951 app.kubernetes.io/instance: 'cert-manager'
5953 app.kubernetes.io/version: "v1.5.3"
5955 group: cert-manager.io
5958 listKind: ClusterIssuerList
5959 plural: clusterissuers
5960 singular: clusterissuer
5965 # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
5967 # webhookClientConfig is required when strategy is `Webhook`; it configures the webhook endpoint to be called by the API server.
5969 # We don't actually support `v1beta1`, but it is listed here as it is a
5970 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
5971 # API server reads the supported versions in order, so it _should always_
5972 # attempt a `v1` request which is understood by the cert-manager webhook.
5973 # Any `v1beta1` request will return an error and fail closed for that
5974 # resource (the whole object request is rejected).
5975 # When we no longer support v1.16 we can remove `v1beta1` from this list.
5976 conversionReviewVersions: ["v1", "v1beta1"]
5980 name: 'cert-manager-webhook'
5981 namespace: "cert-manager"
5988 additionalPrinterColumns:
5989 - jsonPath: .status.conditions[?(@.type=="Ready")].status
5992 - jsonPath: .status.conditions[?(@.type=="Ready")].message
5996 - jsonPath: .metadata.creationTimestamp
5997 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
6002 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
6006 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6009 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6014 description: Desired state of the ClusterIssuer resource.
6018 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
6021 - privateKeySecretRef
6024 disableAccountKeyGeneration:
6025 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
6028 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
6030 enableDurationFeature:
6031 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. Not all ACME servers support this (Let's Encrypt, for example, does not). If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
6033 externalAccountBinding:
6034 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
6041 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
6048 description: keyID is the ID of the CA key that the External Account is bound to.
6051 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
6057 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6060 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6063 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
6066 privateKeySecretRef:
6067 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
6073 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6076 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6079 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
6082 description: Controls whether validation of the ACME server TLS certificate is skipped. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed), so the identity of the ACME server is not verified. Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
6085 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
6088 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
6092 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
6096 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
6103 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6109 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6112 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6117 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
6120 - accessTokenSecretRef
6121 - clientSecretSecretRef
6122 - clientTokenSecretRef
6123 - serviceConsumerDomain
6125 accessTokenSecretRef:
6126 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6132 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6135 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6137 clientSecretSecretRef:
6138 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6144 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6147 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6149 clientTokenSecretRef:
6150 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6156 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6159 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6161 serviceConsumerDomain:
6164 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
6171 description: if both this and ClientSecret are left unset MSI will be used
6173 clientSecretSecretRef:
6174 description: if both this and ClientID are left unset MSI will be used
6180 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6183 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6191 - AzureUSGovernmentCloud
6199 description: when specifying ClientID and ClientSecret then this field is also needed
6202 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
6208 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
6212 serviceAccountSecretRef:
6213 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6219 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6222 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6225 description: Use the Cloudflare API to manage DNS01 challenge records.
6229 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
6235 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6238 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6241 description: API token used to authenticate with Cloudflare.
6247 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6250 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6253 description: Email of the account, only required when using API key based authentication.
6256 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
6262 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
6268 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6274 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6277 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6280 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
6286 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
6289 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. HMAC-MD5 is considered weak; prefer ``HMACSHA256`` or ``HMACSHA512`` when the DNS server supports them.'
6292 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
6294 tsigSecretSecretRef:
6295 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
6301 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6304 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6307 description: Use the AWS Route53 API to manage DNS01 challenge records.
6313 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
6316 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
6319 description: Always set the region when using AccessKeyID and SecretAccessKey
6322 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
6324 secretAccessKeySecretRef:
6325 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
6331 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6334 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6337 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
6344 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
6345 x-kubernetes-preserve-unknown-fields: true
6347 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
6350 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
6353 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
6357 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
6361 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
6363 additionalProperties:
6366 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
6369 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
6373 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
6376 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
6380 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
6384 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
6386 additionalProperties:
6389 description: Labels that should be added to the created ACME HTTP01 solver ingress.
6391 additionalProperties:
6394 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
6397 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
6401 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
6405 description: Annotations that should be added to the created ACME HTTP01 solver pods.
6407 additionalProperties:
6410 description: Labels that should be added to the created ACME HTTP01 solver pods.
6412 additionalProperties:
6415 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
6419 description: If specified, the pod's scheduling constraints
6423 description: Describes node affinity scheduling rules for the pod.
6426 preferredDuringSchedulingIgnoredDuringExecution:
6427 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
6430 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
6437 description: A node selector term, associated with the corresponding weight.
6441 description: A list of node selector requirements by node's labels.
6444 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6451 description: The label key that the selector applies to.
6454 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6457 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6462 description: A list of node selector requirements by node's fields.
6465 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6472 description: The label key that the selector applies to.
6475 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6478 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6483 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
6486 requiredDuringSchedulingIgnoredDuringExecution:
6487 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
6493 description: Required. A list of node selector terms. The terms are ORed.
6496 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
6500 description: A list of node selector requirements by node's labels.
6503 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6510 description: The label key that the selector applies to.
6513 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6516 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6521 description: A list of node selector requirements by node's fields.
6524 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6531 description: The label key that the selector applies to.
6534 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6537 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6542 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
6545 preferredDuringSchedulingIgnoredDuringExecution:
6546 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
6549 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6556 description: Required. A pod affinity term, associated with the corresponding weight.
6562 description: A label query over a set of resources, in this case pods.
6566 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6569 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6576 description: key is the label key that the selector applies to.
6579 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6582 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6587 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6589 additionalProperties:
6592 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6596 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6599 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6606 description: key is the label key that the selector applies to.
6609 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6612 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6617 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6619 additionalProperties:
6622 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6627 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6630 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
6633 requiredDuringSchedulingIgnoredDuringExecution:
6634 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
6637 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
6643 description: A label query over a set of resources, in this case pods.
6647 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6650 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6657 description: key is the label key that the selector applies to.
6660 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6663 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6668 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6670 additionalProperties:
6673 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6677 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6680 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6687 description: key is the label key that the selector applies to.
6690 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6693 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6698 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6700 additionalProperties:
6703 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6708 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6711 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
6714 preferredDuringSchedulingIgnoredDuringExecution:
6715 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
6718 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6725 description: Required. A pod affinity term, associated with the corresponding weight.
6731 description: A label query over a set of resources, in this case pods.
6735 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6738 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6745 description: key is the label key that the selector applies to.
6748 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6751 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6756 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6758 additionalProperties:
6761 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6765 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6768 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6775 description: key is the label key that the selector applies to.
6778 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6781 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6786 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6788 additionalProperties:
6791 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6796 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6799 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
6802 requiredDuringSchedulingIgnoredDuringExecution:
6803 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
6806 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
6812 description: A label query over a set of resources, in this case pods.
6816 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6819 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6826 description: key is the label key that the selector applies to.
6829 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6832 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6837 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6839 additionalProperties:
6842 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6846 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6849 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6856 description: key is the label key that the selector applies to.
6859 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6862 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6867 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6869 additionalProperties:
6872 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6877 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6880 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
6882 additionalProperties:
6885 description: If specified, the pod's priorityClassName.
6888 description: If specified, the pod's service account
6891 description: If specified, the pod's tolerations.
6894 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
6898 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
6901 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
6904 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
6907 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
6911 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
6914 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
6917 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
6921 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
6926 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
6931 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
6933 additionalProperties:
6936 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
6941 crlDistributionPoints:
6942 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
6947 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
6952 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
6955 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
6958 crlDistributionPoints:
6959 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
6964 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
6972 description: Auth configures how cert-manager authenticates with the Vault server.
6976 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
6984 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
6987 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
6990 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
6996 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6999 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7002 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
7009 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
7012 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
7015 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
7021 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7024 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7027 description: TokenSecretRef authenticates with Vault by presenting a token.
7033 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7036 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7039 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
7043 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
7046 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
7049 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
7052 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
7058 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
7064 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
7070 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7073 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7076 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
7079 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
7086 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
7090 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
7096 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7099 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
7102 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
7105 description: Status of the ClusterIssuer. This is set and managed automatically.
7109 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
7112 lastRegisteredEmail:
7113 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
7116 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
7119 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
7122 description: IssuerCondition contains condition information for an Issuer.
7129 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
7133 description: Message is a human readable description of the details of the last transition, complementing reason.
7136 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
7140 description: Reason is a brief machine readable explanation for the condition's last transition.
7143 description: Status of the condition, one of (`True`, `False`, `Unknown`).
7150 description: Type of the condition, known values are (`Ready`).
7157 additionalPrinterColumns:
7158 - jsonPath: .status.conditions[?(@.type=="Ready")].status
7161 - jsonPath: .status.conditions[?(@.type=="Ready")].message
7165 - jsonPath: .metadata.creationTimestamp
7166 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
7171 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
7175 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
7178 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
7183 description: Desired state of the ClusterIssuer resource.
7187 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
7190 - privateKeySecretRef
7193 disableAccountKeyGeneration:
7194 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
7197 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
7199 enableDurationFeature:
7200 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
7202 externalAccountBinding:
7203 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
7210 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
7217 description: keyID is the ID of the CA key that the External Account is bound to.
7220 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
7226 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7229 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7232 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
7235 privateKeySecretRef:
7236 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
7242 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7245 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7248 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
7251 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
7254 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
7257 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
7261 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
7265 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
7272 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7278 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7281 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7286 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
7289 - accessTokenSecretRef
7290 - clientSecretSecretRef
7291 - clientTokenSecretRef
7292 - serviceConsumerDomain
7294 accessTokenSecretRef:
7295 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7301 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7304 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7306 clientSecretSecretRef:
7307 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7313 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7316 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7318 clientTokenSecretRef:
7319 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7325 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7328 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7330 serviceConsumerDomain:
7333 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
7340 description: if both this and ClientSecret are left unset MSI will be used
7342 clientSecretSecretRef:
7343 description: if both this and ClientID are left unset MSI will be used
7349 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7352 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7360 - AzureUSGovernmentCloud
7368 description: when specifying ClientID and ClientSecret then this field is also needed
7371 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
7377 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
7381 serviceAccountSecretRef:
7382 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7388 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7391 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7394 description: Use the Cloudflare API to manage DNS01 challenge records.
7398 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
7404 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7407 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7410 description: API token used to authenticate with Cloudflare.
7416 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7419 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7422 description: Email of the account, only required when using API key based authentication.
7425 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
7431 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
7437 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7443 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7446 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7449 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
7455 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
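7458 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. Prefer ``HMACSHA256`` or ``HMACSHA512`` where the DNS server supports them; the ``HMACMD5`` default is a legacy algorithm that is discouraged for new deployments.'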
7461 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
7463 tsigSecretSecretRef:
7464 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
7470 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7473 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7476 description: Use the AWS Route53 API to manage DNS01 challenge records.
7482 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
7485 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
7488 description: Always set the region when using AccessKeyID and SecretAccessKey
7491 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
7493 secretAccessKeySecretRef:
7494 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
7500 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7503 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7506 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
7513 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
7514 x-kubernetes-preserve-unknown-fields: true
7516 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
7519 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
7522 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
7526 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
7530 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
7532 additionalProperties:
7535 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
7538 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
7542 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
7545 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
7549 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
7553 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
7555 additionalProperties:
7558 description: Labels that should be added to the created ACME HTTP01 solver ingress.
7560 additionalProperties:
7563 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
7566 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
7570 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
7574 description: Annotations that should be added to the created ACME HTTP01 solver pods.
7576 additionalProperties:
7579 description: Labels that should be added to the created ACME HTTP01 solver pods.
7581 additionalProperties:
7584 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
7588 description: If specified, the pod's scheduling constraints
7592 description: Describes node affinity scheduling rules for the pod.
7595 preferredDuringSchedulingIgnoredDuringExecution:
7596 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
7599 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
7606 description: A node selector term, associated with the corresponding weight.
7610 description: A list of node selector requirements by node's labels.
7613 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7620 description: The label key that the selector applies to.
7623 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7626 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7631 description: A list of node selector requirements by node's fields.
7634 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7641 description: The label key that the selector applies to.
7644 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7647 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7652 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
7655 requiredDuringSchedulingIgnoredDuringExecution:
7656 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
7662 description: Required. A list of node selector terms. The terms are ORed.
7665 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
7669 description: A list of node selector requirements by node's labels.
7672 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7679 description: The label key that the selector applies to.
7682 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7685 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7690 description: A list of node selector requirements by node's fields.
7693 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7700 description: The label key that the selector applies to.
7703 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
7706 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7711 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
7714 preferredDuringSchedulingIgnoredDuringExecution:
7715 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
7718 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7725 description: Required. A pod affinity term, associated with the corresponding weight.
7731 description: A label query over a set of resources, in this case pods.
7735 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7738 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7745 description: key is the label key that the selector applies to.
7748 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7751 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7756 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7758 additionalProperties:
7761 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7765 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7768 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7775 description: key is the label key that the selector applies to.
7778 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7781 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7786 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7788 additionalProperties:
7791 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7796 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7799 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
7802 requiredDuringSchedulingIgnoredDuringExecution:
7803 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
7806 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
7812 description: A label query over a set of resources, in this case pods.
7816 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7819 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7826 description: key is the label key that the selector applies to.
7829 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7832 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7837 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7839 additionalProperties:
7842 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7846 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7849 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7856 description: key is the label key that the selector applies to.
7859 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7862 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7867 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7869 additionalProperties:
7872 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7877 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7880 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
7883 preferredDuringSchedulingIgnoredDuringExecution:
7884 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
7887 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7894 description: Required. A pod affinity term, associated with the corresponding weight.
7900 description: A label query over a set of resources, in this case pods.
7904 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7907 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7914 description: key is the label key that the selector applies to.
7917 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7920 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7925 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7927 additionalProperties:
7930 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7934 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7937 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7944 description: key is the label key that the selector applies to.
7947 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7950 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7955 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7957 additionalProperties:
7960 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7965 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7968 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
7971 requiredDuringSchedulingIgnoredDuringExecution:
7972 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
7975 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
7981 description: A label query over a set of resources, in this case pods.
7985 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7988 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7995 description: key is the label key that the selector applies to.
7998 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8001 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8006 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8008 additionalProperties:
8011 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
8015 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8018 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8025 description: key is the label key that the selector applies to.
8028 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8031 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8036 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8038 additionalProperties:
8041 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
8046 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
8049 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
8051 additionalProperties:
8054 description: If specified, the pod's priorityClassName.
8057 description: If specified, the pod's service account
8060 description: If specified, the pod's tolerations.
8063 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
8067 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
8070 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
8073 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
8076 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
8080 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
8083 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
8086 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
8090 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
8095 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
8100 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
8102 additionalProperties:
8105 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
8110 crlDistributionPoints:
8111 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
8116 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
8121 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
8124 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
8127 crlDistributionPoints:
8128 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
8133 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
8141 description: Auth configures how cert-manager authenticates with the Vault server.
8145 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
8153 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
8156 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
8159 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
8165 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8168 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8171 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
8178 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
8181 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
8184 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
8190 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8193 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8196 description: TokenSecretRef authenticates with Vault by presenting a token.
8202 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8205 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8208 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
8212 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
8215 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
8218 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
8221 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
8227 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
8233 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
8239 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8242 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8245 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
8248 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
8255 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
8259 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
8265 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8268 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
8271 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
8274 description: Status of the ClusterIssuer. This is set and managed automatically.
8278 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
8281 lastRegisteredEmail:
8282 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer
8285 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
8288 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
8291 description: IssuerCondition contains condition information for an Issuer.
8298 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
8302 description: Message is a human readable description of the details of the last transition, complementing reason.
8305 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
8309 description: Reason is a brief machine readable explanation for the condition's last transition.
8312 description: Status of the condition, one of (`True`, `False`, `Unknown`).
8319 description: Type of the condition, known values are (`Ready`).
8326 additionalPrinterColumns:
8327 - jsonPath: .status.conditions[?(@.type=="Ready")].status
8330 - jsonPath: .status.conditions[?(@.type=="Ready")].message
8334 - jsonPath: .metadata.creationTimestamp
8335 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
8340 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
8346 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
8349 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
8354 description: Desired state of the ClusterIssuer resource.
8358 description: ACME configures this issuer to communicate with an RFC8555 (ACME) server to obtain signed x509 certificates.
8361 - privateKeySecretRef
8364 disableAccountKeyGeneration:
8365 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
8368 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
8370 enableDurationFeature:
8371 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
8373 externalAccountBinding:
8374 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
8381 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
8388 description: keyID is the ID of the CA key that the External Account is bound to.
8391 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
8397 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8400 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8403 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
8406 privateKeySecretRef:
8407 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
8413 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8416 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8419 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
8422 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
8425 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
8428 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
8432 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
8436 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
8443 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8449 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8452 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8457 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
8460 - accessTokenSecretRef
8461 - clientSecretSecretRef
8462 - clientTokenSecretRef
8463 - serviceConsumerDomain
8465 accessTokenSecretRef:
8466 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8472 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8475 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8477 clientSecretSecretRef:
8478 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8484 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8487 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8489 clientTokenSecretRef:
8490 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8496 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8499 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8501 serviceConsumerDomain:
8504 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
8511 description: if both this and ClientSecret are left unset MSI will be used
8513 clientSecretSecretRef:
8514 description: if both this and ClientID are left unset MSI will be used
8520 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8523 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8531 - AzureUSGovernmentCloud
8539 description: when specifying ClientID and ClientSecret then this field is also needed
8542 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
8548 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
8552 serviceAccountSecretRef:
8553 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8559 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8562 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8565 description: Use the Cloudflare API to manage DNS01 challenge records.
8569 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
8575 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8578 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8581 description: API token used to authenticate with Cloudflare.
8587 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8590 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8593 description: Email of the account, only required when using API key based authentication.
8596 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
8602 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
8608 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8614 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8617 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8620 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
8626 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
8629 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. Because the default is ``HMACMD5``, set ``HMACSHA256`` or ``HMACSHA512`` explicitly where the DNS server supports it.'
8632 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
8634 tsigSecretSecretRef:
8635 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
8641 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8644 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8647 description: Use the AWS Route53 API to manage DNS01 challenge records.
8653 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
8656 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
8659 description: Always set the region when using AccessKeyID and SecretAccessKey
8662 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
8664 secretAccessKeySecretRef:
8665 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8671 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8674 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8677 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
8684 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
8685 x-kubernetes-preserve-unknown-fields: true
8687 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
8690 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
8693 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
8697 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
8701 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
8703 additionalProperties:
8706 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
8709 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
8713 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
8716 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
8720 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
8724 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
8726 additionalProperties:
8729 description: Labels that should be added to the created ACME HTTP01 solver ingress.
8731 additionalProperties:
8734 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
8737 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
8741 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
8745 description: Annotations that should be added to the created ACME HTTP01 solver pods.
8747 additionalProperties:
8750 description: Labels that should be added to the created ACME HTTP01 solver pods.
8752 additionalProperties:
8755 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
8759 description: If specified, the pod's scheduling constraints
8763 description: Describes node affinity scheduling rules for the pod.
8766 preferredDuringSchedulingIgnoredDuringExecution:
8767 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
8770 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
8777 description: A node selector term, associated with the corresponding weight.
8781 description: A list of node selector requirements by node's labels.
8784 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8791 description: The label key that the selector applies to.
8794 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8797 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8802 description: A list of node selector requirements by node's fields.
8805 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8812 description: The label key that the selector applies to.
8815 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8818 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8823 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
8826 requiredDuringSchedulingIgnoredDuringExecution:
8827 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
8833 description: Required. A list of node selector terms. The terms are ORed.
8836 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
8840 description: A list of node selector requirements by node's labels.
8843 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8850 description: The label key that the selector applies to.
8853 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8856 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8861 description: A list of node selector requirements by node's fields.
8864 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8871 description: The label key that the selector applies to.
8874 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8877 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8882 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
8885 preferredDuringSchedulingIgnoredDuringExecution:
8886 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
8889 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
8896 description: Required. A pod affinity term, associated with the corresponding weight.
8902 description: A label query over a set of resources, in this case pods.
8906 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8909 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8916 description: key is the label key that the selector applies to.
8919 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8922 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8927 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8929 additionalProperties:
8932 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
8936 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8939 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8946 description: key is the label key that the selector applies to.
8949 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8952 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8957 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8959 additionalProperties:
8962 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
8967 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
8970 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
8973 requiredDuringSchedulingIgnoredDuringExecution:
8974 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
8977 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
8983 description: A label query over a set of resources, in this case pods.
8987 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8990 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8997 description: key is the label key that the selector applies to.
9000 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9003 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9008 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9010 additionalProperties:
9013 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9017 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9020 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9027 description: key is the label key that the selector applies to.
9030 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9033 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9038 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9040 additionalProperties:
9043 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9048 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9051 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
9054 preferredDuringSchedulingIgnoredDuringExecution:
9055 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
9058 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
9065 description: Required. A pod affinity term, associated with the corresponding weight.
9071 description: A label query over a set of resources, in this case pods.
9075 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9078 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9085 description: key is the label key that the selector applies to.
9088 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9091 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9096 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9098 additionalProperties:
9101 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9105 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9108 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9115 description: key is the label key that the selector applies to.
9118 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9121 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9126 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9128 additionalProperties:
9131 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9136 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9139 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
9142 requiredDuringSchedulingIgnoredDuringExecution:
9143 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
9146 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
9152 description: A label query over a set of resources, in this case pods.
9156 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9159 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9166 description: key is the label key that the selector applies to.
9169 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9172 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9177 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9179 additionalProperties:
9182 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9186 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9189 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9196 description: key is the label key that the selector applies to.
9199 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9202 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9207 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9209 additionalProperties:
9212 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9217 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9220 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
9222 additionalProperties:
9225 description: If specified, the pod's priorityClassName.
9228 description: If specified, the pod's service account
9231 description: If specified, the pod's tolerations.
9234 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
9238 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
9241 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
9244 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
9247 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
9251 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
9254 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
9257 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
9261 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
9266 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
9271 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
9273 additionalProperties:
9276 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
9281 crlDistributionPoints:
9282 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
9287 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
9292 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
9295 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
9298 crlDistributionPoints:
9299 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
9304 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
9312 description: Auth configures how cert-manager authenticates with the Vault server.
9316 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
9324 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
9327 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
9330 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
9336 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9339 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9342 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
9349 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
9352 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
9355 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
9361 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9364 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9367 description: TokenSecretRef authenticates with Vault by presenting a token.
9373 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9376 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9379 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
9383 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
9386 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
9389 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
9392 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
9398 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
9404 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
9410 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9413 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9416 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
9419 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
9426 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
9430 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
9436 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9439 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
9442 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
9445 description: Status of the ClusterIssuer. This is set and managed automatically.
9449 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
9452 lastRegisteredEmail:
9453 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer
9456 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
9459 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
9462 description: IssuerCondition contains condition information for an Issuer.
9469 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
9473 description: Message is a human readable description of the details of the last transition, complementing reason.
9476 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
9480 description: Reason is a brief machine readable explanation for the condition's last transition.
9483 description: Status of the condition, one of (`True`, `False`, `Unknown`).
9490 description: Type of the condition, known values are (`Ready`).
9497 additionalPrinterColumns:
9498 - jsonPath: .status.conditions[?(@.type=="Ready")].status
9501 - jsonPath: .status.conditions[?(@.type=="Ready")].message
9505 - jsonPath: .metadata.creationTimestamp
9506 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
9511 description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
9517 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
9520 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
9525 description: Desired state of the ClusterIssuer resource.
9529 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
9532 - privateKeySecretRef
9535 disableAccountKeyGeneration:
9536 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
9539 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
9541 enableDurationFeature:
9542 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers (Let's Encrypt, for example, does not support it). If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
9544 externalAccountBinding:
9545 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
9552 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
9559 description: keyID is the ID of the CA key that the External Account is bound to.
9562 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
9568 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9571 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9574 description: 'PreferredChain is the chain to use if the ACME server outputs multiple chains. Setting PreferredChain does not guarantee that this chain is delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
9577 privateKeySecretRef:
9578 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
9584 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9587 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9590 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
9593 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
9596 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
9599 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
9603 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
9607 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
9614 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9620 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9623 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9628 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
9631 - accessTokenSecretRef
9632 - clientSecretSecretRef
9633 - clientTokenSecretRef
9634 - serviceConsumerDomain
9636 accessTokenSecretRef:
9637 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9643 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9646 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9648 clientSecretSecretRef:
9649 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9655 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9658 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9660 clientTokenSecretRef:
9661 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9667 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9670 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9672 serviceConsumerDomain:
9675 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
9682 description: if both this and ClientSecret are left unset MSI will be used
9684 clientSecretSecretRef:
9685 description: if both this and ClientID are left unset MSI will be used
9691 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9694 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9702 - AzureUSGovernmentCloud
9710 description: when specifying ClientID and ClientSecret then this field is also needed
9713 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
9719 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
9723 serviceAccountSecretRef:
9724 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9730 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9733 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9736 description: Use the Cloudflare API to manage DNS01 challenge records.
9740 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
9746 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9749 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9752 description: API token used to authenticate with Cloudflare.
9758 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9761 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9764 description: Email of the account, only required when using API key based authentication.
9767 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
9773 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
9779 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9785 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9788 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9791 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
9797 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
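9800 description: 'The TSIG Algorithm configured in the DNS server supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. Because the default is ``HMACMD5``, set this field explicitly to ``HMACSHA256`` or ``HMACSHA512`` when the DNS server supports them.'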
9803 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
9805 tsigSecretSecretRef:
9806 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
9812 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9815 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9818 description: Use the AWS Route53 API to manage DNS01 challenge records.
9824 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
9827 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
9830 description: Always set the region when using AccessKeyID and SecretAccessKey
9833 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
9835 secretAccessKeySecretRef:
9836 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
9842 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9845 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9848 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
9855 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
9856 x-kubernetes-preserve-unknown-fields: true
9858 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
9861 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
9864 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
9868 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
9872 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
9874 additionalProperties:
9877 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
9880 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
9884 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
9887 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
9891 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
9895 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
9897 additionalProperties:
9900 description: Labels that should be added to the created ACME HTTP01 solver ingress.
9902 additionalProperties:
9905 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
9908 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
9912 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
9916 description: Annotations that should be added to the created ACME HTTP01 solver pods.
9918 additionalProperties:
9921 description: Labels that should be added to the created ACME HTTP01 solver pods.
9923 additionalProperties:
9926 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
9930 description: If specified, the pod's scheduling constraints
9934 description: Describes node affinity scheduling rules for the pod.
9937 preferredDuringSchedulingIgnoredDuringExecution:
9938 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
9941 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
9948 description: A node selector term, associated with the corresponding weight.
9952 description: A list of node selector requirements by node's labels.
9955 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9962 description: The label key that the selector applies to.
9965 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9968 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
9973 description: A list of node selector requirements by node's fields.
9976 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9983 description: The label key that the selector applies to.
9986 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9989 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
9994 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
9997 requiredDuringSchedulingIgnoredDuringExecution:
9998 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
10001 - nodeSelectorTerms
10004 description: Required. A list of node selector terms. The terms are ORed.
10007 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
10011 description: A list of node selector requirements by node's labels.
10014 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10021 description: The label key that the selector applies to.
10024 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10027 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10032 description: A list of node selector requirements by node's fields.
10035 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10042 description: The label key that the selector applies to.
10045 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10048 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10053 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
10056 preferredDuringSchedulingIgnoredDuringExecution:
10057 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
10060 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10067 description: Required. A pod affinity term, associated with the corresponding weight.
10073 description: A label query over a set of resources, in this case pods.
10077 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10080 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10087 description: key is the label key that the selector applies to.
10090 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10093 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10098 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10100 additionalProperties:
10103 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10107 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10110 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10117 description: key is the label key that the selector applies to.
10120 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10123 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10128 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10130 additionalProperties:
10133 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10138 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10141 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
10144 requiredDuringSchedulingIgnoredDuringExecution:
10145 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
10148 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
10154 description: A label query over a set of resources, in this case pods.
10158 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10161 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10168 description: key is the label key that the selector applies to.
10171 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10174 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10179 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10181 additionalProperties:
10184 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10188 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10191 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10198 description: key is the label key that the selector applies to.
10201 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10204 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10209 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10211 additionalProperties:
10214 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10219 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10222 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
10225 preferredDuringSchedulingIgnoredDuringExecution:
10226 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
10229 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10236 description: Required. A pod affinity term, associated with the corresponding weight.
10242 description: A label query over a set of resources, in this case pods.
10246 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10249 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10256 description: key is the label key that the selector applies to.
10259 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10262 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10267 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10269 additionalProperties:
10272 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10276 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10279 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10286 description: key is the label key that the selector applies to.
10289 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10292 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10297 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10299 additionalProperties:
10302 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10307 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10310 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
10313 requiredDuringSchedulingIgnoredDuringExecution:
10314 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
10317 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
10323 description: A label query over a set of resources, in this case pods.
10327 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10330 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10337 description: key is the label key that the selector applies to.
10340 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10343 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10348 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10350 additionalProperties:
10353 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10357 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10360 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10367 description: key is the label key that the selector applies to.
10370 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10373 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10378 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10380 additionalProperties:
10383 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10388 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10391 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
10393 additionalProperties:
10396 description: If specified, the pod's priorityClassName.
10398 serviceAccountName:
10399 description: If specified, the pod's service account
10402 description: If specified, the pod's tolerations.
10405 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
10409 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
10412 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
10415 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
10418 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
10422 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
10425 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
10428 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
10432 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
10437 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
10442 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
10444 additionalProperties:
10447 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
10452 crlDistributionPoints:
10453 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
10458 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
10463 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
10466 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
10469 crlDistributionPoints:
10470 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without a CDP. Values are strings.
10475 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
10483 description: Auth configures how cert-manager authenticates with the Vault server.
10487 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
10495 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
10498 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
10501 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
10507 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10510 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10513 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
10520 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
10523 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
10526 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
10532 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10535 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10538 description: TokenSecretRef authenticates with Vault by presenting a token.
10544 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10547 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10550 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol. This parameter is ignored for plain HTTP connections, which provide neither server authentication nor encryption. If not set, the system root certificates are used to validate the TLS connection.
10554 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
10557 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
10560 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
10563 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
10569 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
10572 - apiTokenSecretRef
10575 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
10581 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10584 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10587 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
10590 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
10597 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
10601 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
10607 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10610 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
10613 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
10616 description: Status of the ClusterIssuer. This is set and managed automatically.
10620 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
10623 lastRegisteredEmail:
10624 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
10627 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
10630 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
10633 description: IssuerCondition contains condition information for an Issuer.
10639 lastTransitionTime:
10640 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
10644 description: Message is a human readable description of the details of the last transition, complementing reason.
10646 observedGeneration:
10647 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
10651 description: Reason is a brief machine readable explanation for the condition's last transition.
10654 description: Status of the condition, one of (`True`, `False`, `Unknown`).
10661 description: Type of the condition, known values are (`Ready`).
10666 # Source: cert-manager/templates/templates.out
10667 apiVersion: apiextensions.k8s.io/v1
10668 kind: CustomResourceDefinition
10670 name: issuers.cert-manager.io
10672 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
10674 app: 'cert-manager'
10675 app.kubernetes.io/name: 'cert-manager'
10676 app.kubernetes.io/instance: 'cert-manager'
10678 app.kubernetes.io/version: "v1.5.3"
10680 group: cert-manager.io
10683 listKind: IssuerList
10690 # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
10692 # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
10694 # We don't actually support `v1beta1`, but it is listed here as it is a
10695 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
10696 # API server reads the supported versions in order, so _should always_
10697 # attempt a `v1` request which is understood by the cert-manager webhook.
10698 # Any `v1beta1` request will return an error and fail closed for that
10699 # resource (the whole object request is rejected).
10700 # When we no longer support v1.16 we can remove `v1beta1` from this list.
10701 conversionReviewVersions: ["v1", "v1beta1"]
10705 name: 'cert-manager-webhook'
10706 namespace: "cert-manager"
10713 additionalPrinterColumns:
10714 - jsonPath: .status.conditions[?(@.type=="Ready")].status
10717 - jsonPath: .status.conditions[?(@.type=="Ready")].message
10721 - jsonPath: .metadata.creationTimestamp
10722 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
10727 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
10731 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
10734 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
10739 description: Desired state of the Issuer resource.
10743 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
10746 - privateKeySecretRef
10749 disableAccountKeyGeneration:
10750 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
10753 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
10755 enableDurationFeature:
10756 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
10758 externalAccountBinding:
10759 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
10766 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
10773 description: keyID is the ID of the CA key that the External Account is bound to.
10776 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
10782 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10785 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10788 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
10791 privateKeySecretRef:
10792 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
10798 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10801 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10804 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
10807 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
10810 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
10813 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
10817 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
10821 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
10828 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10834 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10837 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10842 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
10845 - accessTokenSecretRef
10846 - clientSecretSecretRef
10847 - clientTokenSecretRef
10848 - serviceConsumerDomain
10850 accessTokenSecretRef:
10851 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10857 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10860 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10862 clientSecretSecretRef:
10863 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10869 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10872 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10874 clientTokenSecretRef:
10875 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10881 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10884 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10886 serviceConsumerDomain:
10889 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
10892 - resourceGroupName
10896 description: if both this and ClientSecret are left unset MSI will be used
10898 clientSecretSecretRef:
10899 description: if both this and ClientID are left unset MSI will be used
10905 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10908 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10916 - AzureUSGovernmentCloud
10924 description: when specifying ClientID and ClientSecret then this field is also needed
10927 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
10933 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
10937 serviceAccountSecretRef:
10938 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10944 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10947 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10950 description: Use the Cloudflare API to manage DNS01 challenge records.
10954 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
10960 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10963 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10966 description: API token used to authenticate with Cloudflare.
10972 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10975 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10978 description: Email of the account, only required when using API key based authentication.
10981 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
10987 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
10993 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10999 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11002 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11005 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
11011 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
11014 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
11017 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
11019 tsigSecretSecretRef:
11020 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
11026 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11029 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11032 description: Use the AWS Route53 API to manage DNS01 challenge records.
11038 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
11041 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
11044 description: Always set the region when using AccessKeyID and SecretAccessKey
11047 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
11049 secretAccessKeySecretRef:
11050 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
11056 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11059 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11062 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
11069 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
11070 x-kubernetes-preserve-unknown-fields: true
11072 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
11075 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
11078 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
11082 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
11086 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
11088 additionalProperties:
11091 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
11094 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
11098 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
11101 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
11105 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
11109 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
11111 additionalProperties:
11114 description: Labels that should be added to the created ACME HTTP01 solver ingress.
11116 additionalProperties:
11119 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
11122 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
11126 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
11130 description: Annotations that should be added to the created ACME HTTP01 solver pods.
11132 additionalProperties:
11135 description: Labels that should be added to the created ACME HTTP01 solver pods.
11137 additionalProperties:
11140 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
11144 description: If specified, the pod's scheduling constraints
11148 description: Describes node affinity scheduling rules for the pod.
11151 preferredDuringSchedulingIgnoredDuringExecution:
11152 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
11155 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
11162 description: A node selector term, associated with the corresponding weight.
11166 description: A list of node selector requirements by node's labels.
11169 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11176 description: The label key that the selector applies to.
11179 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11182 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11187 description: A list of node selector requirements by node's fields.
11190 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11197 description: The label key that the selector applies to.
11200 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11203 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11208 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
11211 requiredDuringSchedulingIgnoredDuringExecution:
11212 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
11215 - nodeSelectorTerms
11218 description: Required. A list of node selector terms. The terms are ORed.
11221 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
11225 description: A list of node selector requirements by node's labels.
11228 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11235 description: The label key that the selector applies to.
11238 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11241 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11246 description: A list of node selector requirements by node's fields.
11249 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11256 description: The label key that the selector applies to.
11259 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11262 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11267 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
11270 preferredDuringSchedulingIgnoredDuringExecution:
11271 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
11274 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
11281 description: Required. A pod affinity term, associated with the corresponding weight.
11287 description: A label query over a set of resources, in this case pods.
11291 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11294 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11301 description: key is the label key that the selector applies to.
11304 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11307 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11312 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11314 additionalProperties:
11317 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11321 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11324 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11331 description: key is the label key that the selector applies to.
11334 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11337 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11342 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11344 additionalProperties:
11347 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11352 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11355 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
11358 requiredDuringSchedulingIgnoredDuringExecution:
11359 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
11362 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
11368 description: A label query over a set of resources, in this case pods.
11372 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11375 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11382 description: key is the label key that the selector applies to.
11385 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11388 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11393 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11395 additionalProperties:
11398 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11402 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11405 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11412 description: key is the label key that the selector applies to.
11415 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11418 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11423 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11425 additionalProperties:
11428 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11433 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11436 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
11439 preferredDuringSchedulingIgnoredDuringExecution:
11440 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
11443 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
11450 description: Required. A pod affinity term, associated with the corresponding weight.
11456 description: A label query over a set of resources, in this case pods.
11460 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11463 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11470 description: key is the label key that the selector applies to.
11473 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11476 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11481 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11483 additionalProperties:
11486 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11490 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11493 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11500 description: key is the label key that the selector applies to.
11503 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11506 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11511 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11513 additionalProperties:
11516 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11521 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11524 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
11527 requiredDuringSchedulingIgnoredDuringExecution:
11528 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
11531 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
11537 description: A label query over a set of resources, in this case pods.
11541 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11544 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11551 description: key is the label key that the selector applies to.
11554 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11557 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11562 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11564 additionalProperties:
11567 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11571 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11574 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11581 description: key is the label key that the selector applies to.
11584 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11587 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11592 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11594 additionalProperties:
11597 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11602 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11605 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
11607 additionalProperties:
11610 description: If specified, the pod's priorityClassName.
11612 serviceAccountName:
11613 description: If specified, the pod's service account
11616 description: If specified, the pod's tolerations.
11619 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
11623 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
11626 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
11629 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
11632 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
11636 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
11639 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
11642 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
11646 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
11651 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
11656 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
11658 additionalProperties:
11661 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
11666 crlDistributionPoints:
11667 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
11672 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
11677 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
11680 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
11683 crlDistributionPoints:
11684 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without a CRL distribution point (CDP). Values are strings.
11689 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
11697 description: Auth configures how cert-manager authenticates with the Vault server.
11701 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
11709 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
11712 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
11715 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
11721 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11724 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11727 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
11734 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
11737 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
11740 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
11746 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11749 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11752 description: TokenSecretRef authenticates with Vault by presenting a token.
11758 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11761 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11764 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol. This parameter is ignored for plain HTTP connections. If not set, the system root certificates are used to validate the TLS connection.
11768 description: 'Name of the Vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. E.g. "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces'
11771 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
11774 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
11777 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
11783 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
11786 - apiTokenSecretRef
11789 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
11795 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11798 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11801 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
11804 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
11811 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
11815 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
11821 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11824 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
11827 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
11830 description: Status of the Issuer. This is set and managed automatically.
11834 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
11837 lastRegisteredEmail:
11838 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
11841 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
11844 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
11847 description: IssuerCondition contains condition information for an Issuer.
11853 lastTransitionTime:
11854 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
11858 description: Message is a human readable description of the details of the last transition, complementing reason.
11860 observedGeneration:
11861 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
11865 description: Reason is a brief machine readable explanation for the condition's last transition.
11868 description: Status of the condition, one of (`True`, `False`, `Unknown`).
11875 description: Type of the condition, known values are (`Ready`).
11882 additionalPrinterColumns:
11883 - jsonPath: .status.conditions[?(@.type=="Ready")].status
11886 - jsonPath: .status.conditions[?(@.type=="Ready")].message
11890 - jsonPath: .metadata.creationTimestamp
11891 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
11896 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
11900 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
11903 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
11908 description: Desired state of the Issuer resource.
11912 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
11915 - privateKeySecretRef
11918 disableAccountKeyGeneration:
11919 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
11922 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
11924 enableDurationFeature:
11925 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. Not all ACME servers support this (for example, Let's Encrypt does not). If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
11927 externalAccountBinding:
11928 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
11935 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
11942 description: keyID is the ID of the CA key that the External Account is bound to.
11945 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
11951 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11954 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11957 description: 'PreferredChain is the chain to use if the ACME server outputs multiple chains. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
11960 privateKeySecretRef:
11961 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
11967 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11970 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11973 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
11976 description: Controls whether validation of the ACME server TLS certificate is skipped. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. If false, the cert-manager system-installed roots will be used to verify connections to the ACME server. Defaults to false.
11979 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
11982 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
11986 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
11990 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
11997 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12003 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12006 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12011 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
12014 - accessTokenSecretRef
12015 - clientSecretSecretRef
12016 - clientTokenSecretRef
12017 - serviceConsumerDomain
12019 accessTokenSecretRef:
12020 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12026 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12029 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12031 clientSecretSecretRef:
12032 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12038 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12041 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12043 clientTokenSecretRef:
12044 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12050 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12053 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12055 serviceConsumerDomain:
12058 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
12061 - resourceGroupName
12065 description: if both this and ClientSecret are left unset MSI will be used
12067 clientSecretSecretRef:
12068 description: if both this and ClientID are left unset MSI will be used
12074 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12077 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12085 - AzureUSGovernmentCloud
12093 description: when specifying ClientID and ClientSecret then this field is also needed
12096 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
12102 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
12106 serviceAccountSecretRef:
12107 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12113 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12116 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12119 description: Use the Cloudflare API to manage DNS01 challenge records.
12123 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
12129 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12132 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12135 description: API token used to authenticate with Cloudflare.
12141 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12144 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12147 description: Email of the account, only required when using API key based authentication.
12150 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
12156 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
12162 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12168 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12171 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12174 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
12180 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
12183 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. Because the default is the MD5-based variant, set ``HMACSHA256`` or ``HMACSHA512`` explicitly where the DNS server supports it.'
12186 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
12188 tsigSecretSecretRef:
12189 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
12195 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12198 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12201 description: Use the AWS Route53 API to manage DNS01 challenge records.
12207 description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
12210 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
12213 description: Always set the region when using AccessKeyID and SecretAccessKey
12216 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
12218 secretAccessKeySecretRef:
12219 description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
12225 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12228 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12231 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
12238 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
12239 x-kubernetes-preserve-unknown-fields: true
12241 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
12244 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
12247 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
12251 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
12255 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
12257 additionalProperties:
12260 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
12263 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
12267 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
12270 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
12274 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
12278 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
12280 additionalProperties:
12283 description: Labels that should be added to the created ACME HTTP01 solver ingress.
12285 additionalProperties:
12288 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
12291 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
12295 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
12299 description: Annotations that should be added to the created ACME HTTP01 solver pods.
12301 additionalProperties:
12304 description: Labels that should be added to the created ACME HTTP01 solver pods.
12306 additionalProperties:
12309 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
12313 description: If specified, the pod's scheduling constraints
12317 description: Describes node affinity scheduling rules for the pod.
12320 preferredDuringSchedulingIgnoredDuringExecution:
12321 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
12324 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
12331 description: A node selector term, associated with the corresponding weight.
12335 description: A list of node selector requirements by node's labels.
12338 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12345 description: The label key that the selector applies to.
12348 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12351 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12356 description: A list of node selector requirements by node's fields.
12359 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12366 description: The label key that the selector applies to.
12369 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12372 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12377 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
12380 requiredDuringSchedulingIgnoredDuringExecution:
12381 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
12384 - nodeSelectorTerms
12387 description: Required. A list of node selector terms. The terms are ORed.
12390 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
12394 description: A list of node selector requirements by node's labels.
12397 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12404 description: The label key that the selector applies to.
12407 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12410 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12415 description: A list of node selector requirements by node's fields.
12418 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12425 description: The label key that the selector applies to.
12428 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12431 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12436 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
12439 preferredDuringSchedulingIgnoredDuringExecution:
12440 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
12443 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
12450 description: Required. A pod affinity term, associated with the corresponding weight.
12456 description: A label query over a set of resources, in this case pods.
12460 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12463 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12470 description: key is the label key that the selector applies to.
12473 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12476 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12481 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12483 additionalProperties:
12486 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12490 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12493 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12500 description: key is the label key that the selector applies to.
12503 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12506 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12511 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12513 additionalProperties:
12516 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12521 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12524 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
12527 requiredDuringSchedulingIgnoredDuringExecution:
12528 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
12531 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
12537 description: A label query over a set of resources, in this case pods.
12541 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12544 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12551 description: key is the label key that the selector applies to.
12554 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12557 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12562 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12564 additionalProperties:
12567 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12571 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12574 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12581 description: key is the label key that the selector applies to.
12584 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12587 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12592 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12594 additionalProperties:
12597 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12602 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12605 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
12608 preferredDuringSchedulingIgnoredDuringExecution:
12609 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
12612 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
12619 description: Required. A pod affinity term, associated with the corresponding weight.
12625 description: A label query over a set of resources, in this case pods.
12629 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12632 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12639 description: key is the label key that the selector applies to.
12642 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12645 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12650 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12652 additionalProperties:
12655 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12659 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12662 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12669 description: key is the label key that the selector applies to.
12672 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12675 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12680 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12682 additionalProperties:
12685 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12690 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12693 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
12696 requiredDuringSchedulingIgnoredDuringExecution:
12697 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
12700 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
12706 description: A label query over a set of resources, in this case pods.
12710 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12713 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12720 description: key is the label key that the selector applies to.
12723 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12726 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12731 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12733 additionalProperties:
12736 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12740 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12743 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12750 description: key is the label key that the selector applies to.
12753 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12756 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12761 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12763 additionalProperties:
12766 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12771 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12774 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
12776 additionalProperties:
12779 description: If specified, the pod's priorityClassName.
12781 serviceAccountName:
12782 description: If specified, the pod's service account
12785 description: If specified, the pod's tolerations.
12788 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
12792 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
12795 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
12798 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
12801 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
12805 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
12808 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
12811 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
12815 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
12820 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
12825 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
12827 additionalProperties:
12830 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
12835 crlDistributionPoints:
12836 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
12841 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
12846 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
12849 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
12852 crlDistributionPoints:
12853 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
12858 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
12866 description: Auth configures how cert-manager authenticates with the Vault server.
12870 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
12878 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
12881 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
12884 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
12890 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12893 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12896 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
12903 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
12906 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
12909 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
12915 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12918 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12921 description: TokenSecretRef authenticates with Vault by presenting a token.
12927 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12930 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12933 description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
12937 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
12940 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
12943 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
12946 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
12952 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
12955 - apiTokenSecretRef
12958 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
12964 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12967 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12970 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
12973 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
12980 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
12984 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
12990 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12993 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
12996 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
12999 description: Status of the Issuer. This is set and managed automatically.
13003 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
13006 lastRegisteredEmail:
13007 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
13010 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
13013 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
13016 description: IssuerCondition contains condition information for an Issuer.
13022 lastTransitionTime:
13023 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
13027 description: Message is a human readable description of the details of the last transition, complementing reason.
13029 observedGeneration:
13030 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
13034 description: Reason is a brief machine readable explanation for the condition's last transition.
13037 description: Status of the condition, one of (`True`, `False`, `Unknown`).
13044 description: Type of the condition, known values are (`Ready`).
13051 additionalPrinterColumns:
13052 - jsonPath: .status.conditions[?(@.type=="Ready")].status
13055 - jsonPath: .status.conditions[?(@.type=="Ready")].message
13059 - jsonPath: .metadata.creationTimestamp
13060 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
13065 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
13071 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
13074 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
13079 description: Desired state of the Issuer resource.
13083 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
13086 - privateKeySecretRef
13089 disableAccountKeyGeneration:
13090 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
13093 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
13095 enableDurationFeature:
13096 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
13098 externalAccountBinding:
13099 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
13106 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
13113 description: keyID is the ID of the CA key that the External Account is bound to.
13116 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
13122 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13125 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13128 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
13131 privateKeySecretRef:
13132 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
13138 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13141 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13144 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
13147 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
13150 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
13153 description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
13157 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
13161 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
13168 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13174 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13177 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13182 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
13185 - accessTokenSecretRef
13186 - clientSecretSecretRef
13187 - clientTokenSecretRef
13188 - serviceConsumerDomain
13190 accessTokenSecretRef:
13191 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13197 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13200 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13202 clientSecretSecretRef:
13203 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13209 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13212 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13214 clientTokenSecretRef:
13215 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13221 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13224 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13226 serviceConsumerDomain:
13229 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
13232 - resourceGroupName
13236 description: If both this and ClientSecret are left unset, MSI will be used.
13238 clientSecretSecretRef:
13239 description: If both this and ClientID are left unset, MSI will be used.
13245 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13248 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13256 - AzureUSGovernmentCloud
13264 description: When specifying ClientID and ClientSecret, this field is also needed.
13267 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
13273 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
13277 serviceAccountSecretRef:
13278 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13284 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13287 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13290 description: Use the Cloudflare API to manage DNS01 challenge records.
13294 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
13300 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13303 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13306 description: API token used to authenticate with Cloudflare.
13312 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13315 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13318 description: Email of the account, only required when using API key based authentication.
13321 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
13327 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
13333 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13339 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13342 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13345 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
13351 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
13354 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. HMAC-MD5 is a legacy TSIG algorithm; set ``HMACSHA256`` or ``HMACSHA512`` explicitly where the DNS server supports them.'
13357 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
13359 tsigSecretSecretRef:
13360 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
13366 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13369 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13372 description: Use the AWS Route53 API to manage DNS01 challenge records.
13378 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
13381 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
13384 description: Always set the region when using AccessKeyID and SecretAccessKey
13387 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
13389 secretAccessKeySecretRef:
13390 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
13396 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13399 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13402 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
13409 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
13410 x-kubernetes-preserve-unknown-fields: true
13412 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
13415 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
13418 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
13422 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
13426 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
13428 additionalProperties:
13431 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
13434 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
13438 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
13441 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
13445 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
13449 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
13451 additionalProperties:
13454 description: Labels that should be added to the created ACME HTTP01 solver ingress.
13456 additionalProperties:
13459 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
13462 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
13466 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
13470 description: Annotations that should be added to the created ACME HTTP01 solver pods.
13472 additionalProperties:
13475 description: Labels that should be added to the created ACME HTTP01 solver pods.
13477 additionalProperties:
13480 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
13484 description: If specified, the pod's scheduling constraints
13488 description: Describes node affinity scheduling rules for the pod.
13491 preferredDuringSchedulingIgnoredDuringExecution:
13492 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
13495 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
13502 description: A node selector term, associated with the corresponding weight.
13506 description: A list of node selector requirements by node's labels.
13509 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13516 description: The label key that the selector applies to.
13519 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13522 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13527 description: A list of node selector requirements by node's fields.
13530 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13537 description: The label key that the selector applies to.
13540 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13543 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13548 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
13551 requiredDuringSchedulingIgnoredDuringExecution:
13552 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
13555 - nodeSelectorTerms
13558 description: Required. A list of node selector terms. The terms are ORed.
13561 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
13565 description: A list of node selector requirements by node's labels.
13568 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13575 description: The label key that the selector applies to.
13578 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13581 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13586 description: A list of node selector requirements by node's fields.
13589 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13596 description: The label key that the selector applies to.
13599 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13602 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13607 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
13610 preferredDuringSchedulingIgnoredDuringExecution:
13611 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
13614 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
13621 description: Required. A pod affinity term, associated with the corresponding weight.
13627 description: A label query over a set of resources, in this case pods.
13631 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13634 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13641 description: key is the label key that the selector applies to.
13644 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13647 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13652 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13654 additionalProperties:
13657 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13661 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13664 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13671 description: key is the label key that the selector applies to.
13674 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13677 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13682 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13684 additionalProperties:
13687 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13692 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13695 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
13698 requiredDuringSchedulingIgnoredDuringExecution:
13699 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
13702 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
13708 description: A label query over a set of resources, in this case pods.
13712 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13715 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13722 description: key is the label key that the selector applies to.
13725 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13728 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13733 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13735 additionalProperties:
13738 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13742 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13745 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13752 description: key is the label key that the selector applies to.
13755 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13758 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13763 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13765 additionalProperties:
13768 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13773 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13776 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
13779 preferredDuringSchedulingIgnoredDuringExecution:
13780 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
13783 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
13790 description: Required. A pod affinity term, associated with the corresponding weight.
13796 description: A label query over a set of resources, in this case pods.
13800 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13803 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13810 description: key is the label key that the selector applies to.
13813 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13816 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13821 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13823 additionalProperties:
13826 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13830 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13833 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13840 description: key is the label key that the selector applies to.
13843 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13846 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13851 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13853 additionalProperties:
13856 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13861 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13864 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
13867 requiredDuringSchedulingIgnoredDuringExecution:
13868 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
13871 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
13877 description: A label query over a set of resources, in this case pods.
13881 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13884 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13891 description: key is the label key that the selector applies to.
13894 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13897 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13902 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13904 additionalProperties:
13907 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13911 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13914 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13921 description: key is the label key that the selector applies to.
13924 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13927 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13932 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13934 additionalProperties:
13937 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13942 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13945 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
13947 additionalProperties:
13950 description: If specified, the pod's priorityClassName.
13952 serviceAccountName:
13953 description: If specified, the pod's service account
13956 description: If specified, the pod's tolerations.
13959 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
13963 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
13966 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
13969 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
13972 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
13976 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
13979 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
13982 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
13986 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
13991 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
13996 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
13998 additionalProperties:
14001 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
14006 crlDistributionPoints:
14007 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
14012 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
14017 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
14020 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
14023 crlDistributionPoints:
14024 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without CDP. Values are strings.
14029 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
14037 description: Auth configures how cert-manager authenticates with the Vault server.
14041 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
14049 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
14052 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
14055 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
14061 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14064 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14067 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
14074 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting the value to `/v1/auth/foo` will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
14077 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
14080 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
14086 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14089 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14092 description: TokenSecretRef authenticates with Vault by presenting a token.
14098 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14101 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14104 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol; it is ignored for plain HTTP connections, where the Vault server is not authenticated and credentials sent to it are not encrypted. If not set, the system root certificates are used to validate the TLS connection.
14108 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
14111 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
14114 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
14117 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
14123 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
14126 - apiTokenSecretRef
14129 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
14135 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14138 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14141 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
14144 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
14151 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
14155 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
14161 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14164 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
14167 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
14170 description: Status of the Issuer. This is set and managed automatically.
14174 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
14177 lastRegisteredEmail:
14178 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
14181 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
14184 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
14187 description: IssuerCondition contains condition information for an Issuer.
14193 lastTransitionTime:
14194 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
14198 description: Message is a human readable description of the details of the last transition, complementing reason.
14200 observedGeneration:
14201 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
14205 description: Reason is a brief machine readable explanation for the condition's last transition.
14208 description: Status of the condition, one of (`True`, `False`, `Unknown`).
14215 description: Type of the condition, known values are (`Ready`).
14222 additionalPrinterColumns:
14223 - jsonPath: .status.conditions[?(@.type=="Ready")].status
14226 - jsonPath: .status.conditions[?(@.type=="Ready")].message
14230 - jsonPath: .metadata.creationTimestamp
14231 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
14236 description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
14242 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
14245 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
14250 description: Desired state of the Issuer resource.
14254 description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
14257 - privateKeySecretRef
14260 disableAccountKeyGeneration:
14261 description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
14264 description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
14266 enableDurationFeature:
14267 description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
14269 externalAccountBinding:
14270 description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
14277 description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
14284 description: keyID is the ID of the CA key that the External Account is bound to.
14287 description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
14293 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14296 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14299 description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
14302 privateKeySecretRef:
14303 description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
14309 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14312 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14315 description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
14318 description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
14321 description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
14324 description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
14328 description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
14332 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
14339 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14345 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14348 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14353 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
14356 - accessTokenSecretRef
14357 - clientSecretSecretRef
14358 - clientTokenSecretRef
14359 - serviceConsumerDomain
14361 accessTokenSecretRef:
14362 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14368 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14371 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14373 clientSecretSecretRef:
14374 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14380 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14383 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14385 clientTokenSecretRef:
14386 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14392 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14395 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14397 serviceConsumerDomain:
14400 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
14403 - resourceGroupName
14407 description: if both this and ClientSecret are left unset MSI will be used
14409 clientSecretSecretRef:
14410 description: if both this and ClientID are left unset MSI will be used
14416 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14419 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14427 - AzureUSGovernmentCloud
14435 description: when specifying ClientID and ClientSecret then this field is also needed
14438 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
14444 description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
14448 serviceAccountSecretRef:
14449 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14455 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14458 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14461 description: Use the Cloudflare API to manage DNS01 challenge records.
14465 description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
14471 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14474 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14477 description: API token used to authenticate with Cloudflare.
14483 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14486 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14489 description: Email of the account, only required when using API key based authentication.
14492 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
14498 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
14504 description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14510 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14513 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14516 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
14522 description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
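14525 description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. Because the default is ``HMACMD5``, which RFC 8945 no longer recommends for TSIG, set this field explicitly to ``HMACSHA256`` or ``HMACSHA512`` where the DNS server supports them.'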
14528 description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
14530 tsigSecretSecretRef:
14531 description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
14537 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14540 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14543 description: Use the AWS Route53 API to manage DNS01 challenge records.
14549 description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
14552 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName API call.
14555 description: Always set the region when using AccessKeyID and SecretAccessKey
14558 description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
14560 secretAccessKeySecretRef:
14561 description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
14567 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14570 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14573 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
14580 description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
14581 x-kubernetes-preserve-unknown-fields: true
14583 description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
14586 description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
14589 description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
14593 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
14597 description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
14599 additionalProperties:
14602 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
14605 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
14609 description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
14612 description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
14616 description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
14620 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
14622 additionalProperties:
14625 description: Labels that should be added to the created ACME HTTP01 solver ingress.
14627 additionalProperties:
14630 description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
14633 description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
14637 description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
14641 description: Annotations that should be added to the created ACME HTTP01 solver pods.
14643 additionalProperties:
14646 description: Labels that should be added to the created ACME HTTP01 solver pods.
14648 additionalProperties:
14651 description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
14655 description: If specified, the pod's scheduling constraints
14659 description: Describes node affinity scheduling rules for the pod.
14662 preferredDuringSchedulingIgnoredDuringExecution:
14663 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
14666 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
14673 description: A node selector term, associated with the corresponding weight.
14677 description: A list of node selector requirements by node's labels.
14680 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14687 description: The label key that the selector applies to.
14690 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14693 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14698 description: A list of node selector requirements by node's fields.
14701 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14708 description: The label key that the selector applies to.
14711 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14714 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14719 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
14722 requiredDuringSchedulingIgnoredDuringExecution:
14723 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
14726 - nodeSelectorTerms
14729 description: Required. A list of node selector terms. The terms are ORed.
14732 description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
14736 description: A list of node selector requirements by node's labels.
14739 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14746 description: The label key that the selector applies to.
14749 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14752 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14757 description: A list of node selector requirements by node's fields.
14760 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14767 description: The label key that the selector applies to.
14770 description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14773 description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14778 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
14781 preferredDuringSchedulingIgnoredDuringExecution:
14782 description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
14785 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
14792 description: Required. A pod affinity term, associated with the corresponding weight.
14798 description: A label query over a set of resources, in this case pods.
14802 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14805 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14812 description: key is the label key that the selector applies to.
14815 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14818 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14823 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14825 additionalProperties:
14828 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14832 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14835 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14842 description: key is the label key that the selector applies to.
14845 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14848 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14853 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14855 additionalProperties:
14858 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
14863 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
14866 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
14869 requiredDuringSchedulingIgnoredDuringExecution:
14870 description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
14873 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
14879 description: A label query over a set of resources, in this case pods.
14883 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14886 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14893 description: key is the label key that the selector applies to.
14896 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14899 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14904 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14906 additionalProperties:
14909 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14913 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14916 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14923 description: key is the label key that the selector applies to.
14926 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14929 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14934 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14936 additionalProperties:
14939 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
14944 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
14947 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
14950 preferredDuringSchedulingIgnoredDuringExecution:
14951 description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
14954 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
14961 description: Required. A pod affinity term, associated with the corresponding weight.
14967 description: A label query over a set of resources, in this case pods.
14971 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14974 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14981 description: key is the label key that the selector applies to.
14984 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14987 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14992 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14994 additionalProperties:
14997 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
15001 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15004 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15011 description: key is the label key that the selector applies to.
15014 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15017 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15022 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15024 additionalProperties:
15027 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
15032 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
15035 description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
15038 requiredDuringSchedulingIgnoredDuringExecution:
15039 description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
15042 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
15048 description: A label query over a set of resources, in this case pods.
15052 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15055 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15062 description: key is the label key that the selector applies to.
15065 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15068 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15073 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15075 additionalProperties:
15078 description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
15082 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15085 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15092 description: key is the label key that the selector applies to.
15095 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15098 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15103 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15105 additionalProperties:
15108 description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
15113 description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
15116 description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
15118 additionalProperties:
15121 description: If specified, the pod's priorityClassName.
15123 serviceAccountName:
15124 description: If specified, the pod's service account
15127 description: If specified, the pod's tolerations.
15130 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
15134 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
15137 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
15140 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
15143 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
15147 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
15150 description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
15153 description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
15157 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
15162 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
15167 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
15169 additionalProperties:
15172 description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
15177 crlDistributionPoints:
15178 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
15183 description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
15188 description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
15191 description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
15194 crlDistributionPoints:
15195 description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings.
15200 description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
15208 description: Auth configures how cert-manager authenticates with the Vault server.
15212 description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
15220 description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
15223 description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
15226 description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
15232 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15235 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15238 description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
15245 description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
15248 description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
15251 description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
15257 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15260 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15263 description: TokenSecretRef authenticates with Vault by presenting a token.
15269 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15272 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15275 description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol; it is ignored for plain HTTP connections, which are neither encrypted nor server-authenticated. If not set, the system root certificates are used to validate the TLS connection.
15279 description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
15282 description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
15285 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
15288 description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
15294 description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
15297 - apiTokenSecretRef
15300 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
15306 description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15309 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15312 description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
15315 description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
15322 description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
15326 description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
15332 description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15335 description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
15338 description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
15341 description: Status of the Issuer. This is set and managed automatically.
15345 description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
15348 lastRegisteredEmail:
15349 description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer
15352 description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
15355 description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
15358 description: IssuerCondition contains condition information for an Issuer.
15364 lastTransitionTime:
15365 description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
15369 description: Message is a human readable description of the details of the last transition, complementing reason.
15371 observedGeneration:
15372 description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
15376 description: Reason is a brief machine readable explanation for the condition's last transition.
15379 description: Status of the condition, one of (`True`, `False`, `Unknown`).
15386 description: Type of the condition, known values are (`Ready`).
15391 # Source: cert-manager/templates/templates.out
15392 apiVersion: apiextensions.k8s.io/v1
15393 kind: CustomResourceDefinition
15395 name: orders.acme.cert-manager.io
15397 cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
15399 app: 'cert-manager'
15400 app.kubernetes.io/name: 'cert-manager'
15401 app.kubernetes.io/instance: 'cert-manager'
15403 app.kubernetes.io/version: "v1.5.3"
15405 group: acme.cert-manager.io
15408 listKind: OrderList
15413 - cert-manager-acme
15416 # a Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
15418 # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
15420 # We don't actually support `v1beta1`, but it is listed here as it is a
15421 # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
15422 # API server reads the supported versions in order, so _should always_
15423 # attempt a `v1` request which is understood by the cert-manager webhook.
15424 # Any `v1beta1` request will return an error and fail closed for that
15425 # resource (the whole object request is rejected).
15426 # When we no longer support v1.16 we can remove `v1beta1` from this list.
15427 conversionReviewVersions: ["v1", "v1beta1"]
15431 name: 'cert-manager-webhook'
15432 namespace: "cert-manager"
15439 additionalPrinterColumns:
15440 - jsonPath: .status.state
15443 - jsonPath: .spec.issuerRef.name
15447 - jsonPath: .status.reason
15451 - jsonPath: .metadata.creationTimestamp
15452 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15457 description: Order is a type to represent an Order with an ACME server
15463 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15466 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15477 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15480 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15484 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15489 description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
15492 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15497 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15503 description: Group of the resource being referred to.
15506 description: Kind of the resource being referred to.
15509 description: Name of the resource being referred to.
15515 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15518 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15524 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15527 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15535 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15538 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15541 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15544 description: Identifier is the DNS name to be validated as part of this authorization
15547 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15558 description: URL is the URL of the Authorization that must be completed
15561 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15564 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15568 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15572 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15575 description: Reason optionally provides more information about why the order is in the current state.
15578 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
15589 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15596 additionalPrinterColumns:
15597 - jsonPath: .status.state
15600 - jsonPath: .spec.issuerRef.name
15604 - jsonPath: .status.reason
15608 - jsonPath: .metadata.creationTimestamp
15609 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15614 description: Order is a type to represent an Order with an ACME server
15620 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15623 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15634 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15637 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15641 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15646 description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
15649 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15654 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15660 description: Group of the resource being referred to.
15663 description: Kind of the resource being referred to.
15666 description: Name of the resource being referred to.
15672 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15675 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15681 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15684 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15692 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15695 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15698 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15701 description: Identifier is the DNS name to be validated as part of this authorization
15704 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15715 description: URL is the URL of the Authorization that must be completed
15718 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15721 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15725 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15729 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15732 description: Reason optionally provides more information about why the order is in the current state.
15735 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
15746 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15753 additionalPrinterColumns:
15754 - jsonPath: .status.state
15757 - jsonPath: .spec.issuerRef.name
15761 - jsonPath: .status.reason
15765 - jsonPath: .metadata.creationTimestamp
15766 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15771 description: Order is a type to represent an Order with an ACME server
15778 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15781 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15792 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15795 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15800 description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
15803 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15808 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15814 description: Group of the resource being referred to.
15817 description: Kind of the resource being referred to.
15820 description: Name of the resource being referred to.
15823 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15830 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15833 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15839 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15842 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15850 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15853 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15856 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15859 description: Identifier is the DNS name to be validated as part of this authorization
15862 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15873 description: URL is the URL of the Authorization that must be completed
15876 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15879 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15883 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15887 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15890 description: Reason optionally provides more information about why the order is in the current state.
15893 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
15904 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15911 additionalPrinterColumns:
15912 - jsonPath: .status.state
15915 - jsonPath: .spec.issuerRef.name
15919 - jsonPath: .status.reason
15923 - jsonPath: .metadata.creationTimestamp
15924 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15929 description: Order is a type to represent an Order with an ACME server
15936 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15939 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15950 description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15953 description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15958 description: Duration is the duration for the not after date for the requested certificate. This is set on order creation as per the ACME spec.
15961 description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15966 description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15972 description: Group of the resource being referred to.
15975 description: Kind of the resource being referred to.
15978 description: Name of the resource being referred to.
15981 description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15988 description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15991 description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order to validate a DNS name on an ACME Order resource.
15997 description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
16000 description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
16008 description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
16011 description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
16014 description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
16017 description: Identifier is the DNS name to be validated as part of this authorization
16020 description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
16031 description: URL is the URL of the Authorization that must be completed
16034 description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
16037 description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
16041 description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
16045 description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
16048 description: Reason optionally provides more information about why the order is in the current state.
16051 description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
16062 description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
16072 # Source: cert-manager/templates/cainjector-serviceaccount.yaml
# ServiceAccount identity for the cainjector component.
# NOTE(review): automountServiceAccountToken is true, so a pod that runs as this
# account gets an API token mounted unless its own spec opts out. What that token
# can do is decided by the bindings elsewhere in this manifest that name
# cert-manager-cainjector as their subject.
16074 kind: ServiceAccount
16075 automountServiceAccountToken: true
16077 name: cert-manager-cainjector
16078 namespace: "cert-manager"
16081 app.kubernetes.io/name: cainjector
16082 app.kubernetes.io/instance: cert-manager
16083 app.kubernetes.io/component: "cainjector"
16084 app.kubernetes.io/version: "v1.5.3"
16086 # Source: cert-manager/templates/serviceaccount.yaml
# ServiceAccount for the component labelled "controller"; its name line is not
# shown in this listing.
# NOTE(review): automountServiceAccountToken is true, so pods running as this
# account receive an API token by default. Review it together with the bindings
# that grant this account its roles.
16088 kind: ServiceAccount
16089 automountServiceAccountToken: true
16092 namespace: "cert-manager"
16095 app.kubernetes.io/name: cert-manager
16096 app.kubernetes.io/instance: cert-manager
16097 app.kubernetes.io/component: "controller"
16098 app.kubernetes.io/version: "v1.5.3"
16100 # Source: cert-manager/templates/webhook-serviceaccount.yaml
# ServiceAccount identity for the webhook component.
# NOTE(review): automountServiceAccountToken is true, so pods running as this
# account receive an API token by default; its reach is set by the bindings that
# name cert-manager-webhook as their subject.
16102 kind: ServiceAccount
16103 automountServiceAccountToken: true
16105 name: cert-manager-webhook
16106 namespace: "cert-manager"
16109 app.kubernetes.io/name: webhook
16110 app.kubernetes.io/instance: cert-manager
16111 app.kubernetes.io/component: "webhook"
16112 app.kubernetes.io/version: "v1.5.3"
16114 # Source: cert-manager/templates/cainjector-rbac.yaml
# RBAC rules for the cainjector. The kind/metadata/rules key lines and some
# apiGroups lines are absent from this listing. A ClusterRoleBinding of the same
# name later in the manifest grants these rules cluster-wide to ServiceAccount
# cert-manager-cainjector in namespace cert-manager.
16115 apiVersion: rbac.authorization.k8s.io/v1
16118 name: cert-manager-cainjector
16121 app.kubernetes.io/name: cainjector
16122 app.kubernetes.io/instance: cert-manager
16123 app.kubernetes.io/component: "cainjector"
16124 app.kubernetes.io/version: "v1.5.3"
16126 - apiGroups: ["cert-manager.io"]
16127 resources: ["certificates"]
16128 verbs: ["get", "list", "watch"]
# NOTE(review): no resourceNames is shown on the secrets rule, so under a
# cluster-wide binding this is read access to Secrets in every namespace. Treat
# the cainjector token as a cluster-wide secret-read credential.
16130 resources: ["secrets"]
16131 verbs: ["get", "list", "watch"]
16133 resources: ["events"]
16134 verbs: ["get", "create", "update", "patch"]
# The next three rules allow "update" on webhook configurations, APIServices and
# CRDs, presumably so CA bundles can be injected. RBAC cannot limit an update to
# one field, so the same right allows rewriting the whole object; alerting on
# audit-log updates to these objects is a reasonable compensating control.
16135 - apiGroups: ["admissionregistration.k8s.io"]
16136 resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
16137 verbs: ["get", "list", "watch", "update"]
16138 - apiGroups: ["apiregistration.k8s.io"]
16139 resources: ["apiservices"]
16140 verbs: ["get", "list", "watch", "update"]
16141 - apiGroups: ["apiextensions.k8s.io"]
16142 resources: ["customresourcedefinitions"]
16143 verbs: ["get", "list", "watch", "update"]
# NOTE(review): auditregistration.k8s.io (AuditSink) was an alpha API that has
# since been removed from upstream Kubernetes; on clusters without it this rule
# grants nothing. Confirm whether it is still needed.
16144 - apiGroups: ["auditregistration.k8s.io"]
16145 resources: ["auditsinks"]
16146 verbs: ["get", "list", "watch", "update"]
16148 # Source: cert-manager/templates/rbac.yaml
16149 # Issuer controller role
# The verbs line of the first rule and the apiGroups lines of the secrets and
# events rules are not shown in this listing.
16150 apiVersion: rbac.authorization.k8s.io/v1
16153 name: cert-manager-controller-issuers
16156 app.kubernetes.io/name: cert-manager
16157 app.kubernetes.io/instance: cert-manager
16158 app.kubernetes.io/component: "controller"
16159 app.kubernetes.io/version: "v1.5.3"
16161 - apiGroups: ["cert-manager.io"]
16162 resources: ["issuers", "issuers/status"]
16164 - apiGroups: ["cert-manager.io"]
16165 resources: ["issuers"]
16166 verbs: ["get", "list", "watch"]
# NOTE(review): read plus create/update/delete on Secrets, with no resourceNames
# visible. The ClusterRoleBinding of the same name applies this in every
# namespace, so the controller token deserves the same protection as a
# cluster-wide secret-store credential.
16168 resources: ["secrets"]
16169 verbs: ["get", "list", "watch", "create", "update", "delete"]
16171 resources: ["events"]
16172 verbs: ["create", "patch"]
16174 # Source: cert-manager/templates/rbac.yaml
16175 # ClusterIssuer controller role
# The verbs line of the first rule and the apiGroups lines of the secrets and
# events rules are not shown in this listing.
16176 apiVersion: rbac.authorization.k8s.io/v1
16179 name: cert-manager-controller-clusterissuers
16182 app.kubernetes.io/name: cert-manager
16183 app.kubernetes.io/instance: cert-manager
16184 app.kubernetes.io/component: "controller"
16185 app.kubernetes.io/version: "v1.5.3"
16187 - apiGroups: ["cert-manager.io"]
16188 resources: ["clusterissuers", "clusterissuers/status"]
16190 - apiGroups: ["cert-manager.io"]
16191 resources: ["clusterissuers"]
16192 verbs: ["get", "list", "watch"]
# NOTE(review): read plus create/update/delete on Secrets, with no resourceNames
# visible; bound cluster-wide by the ClusterRoleBinding of the same name.
16194 resources: ["secrets"]
16195 verbs: ["get", "list", "watch", "create", "update", "delete"]
16197 resources: ["events"]
16198 verbs: ["create", "patch"]
16200 # Source: cert-manager/templates/rbac.yaml
16201 # Certificates controller role
# The verbs lines of the first and the finalizers rule, and the apiGroups lines
# of the secrets and events rules, are not shown in this listing.
16202 apiVersion: rbac.authorization.k8s.io/v1
16205 name: cert-manager-controller-certificates
16208 app.kubernetes.io/name: cert-manager
16209 app.kubernetes.io/instance: cert-manager
16210 app.kubernetes.io/component: "controller"
16211 app.kubernetes.io/version: "v1.5.3"
16213 - apiGroups: ["cert-manager.io"]
16214 resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
16216 - apiGroups: ["cert-manager.io"]
16217 resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
16218 verbs: ["get", "list", "watch"]
16219 # We require these rules to support users with the OwnerReferencesPermissionEnforcement
16220 # admission controller enabled:
16221 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
16222 - apiGroups: ["cert-manager.io"]
16223 resources: ["certificates/finalizers", "certificaterequests/finalizers"]
16225 - apiGroups: ["acme.cert-manager.io"]
16226 resources: ["orders"]
16227 verbs: ["create", "delete", "get", "list", "watch"]
# NOTE(review): read plus create/update/delete on Secrets, with no resourceNames
# visible; bound cluster-wide by the ClusterRoleBinding of the same name.
# Issued key material is presumably written through this rule, so audit logging
# of Secret writes by this account is worth keeping.
16229 resources: ["secrets"]
16230 verbs: ["get", "list", "watch", "create", "update", "delete"]
16232 resources: ["events"]
16233 verbs: ["create", "patch"]
16235 # Source: cert-manager/templates/rbac.yaml
16236 # Orders controller role
# The verbs lines of the first and the finalizers rule, and the apiGroups lines
# of the secrets and events rules, are not shown in this listing.
16237 apiVersion: rbac.authorization.k8s.io/v1
16240 name: cert-manager-controller-orders
16243 app.kubernetes.io/name: cert-manager
16244 app.kubernetes.io/instance: cert-manager
16245 app.kubernetes.io/component: "controller"
16246 app.kubernetes.io/version: "v1.5.3"
16248 - apiGroups: ["acme.cert-manager.io"]
16249 resources: ["orders", "orders/status"]
16251 - apiGroups: ["acme.cert-manager.io"]
16252 resources: ["orders", "challenges"]
16253 verbs: ["get", "list", "watch"]
16254 - apiGroups: ["cert-manager.io"]
16255 resources: ["clusterissuers", "issuers"]
16256 verbs: ["get", "list", "watch"]
16257 - apiGroups: ["acme.cert-manager.io"]
16258 resources: ["challenges"]
16259 verbs: ["create", "delete"]
16260 # We require these rules to support users with the OwnerReferencesPermissionEnforcement
16261 # admission controller enabled:
16262 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
16263 - apiGroups: ["acme.cert-manager.io"]
16264 resources: ["orders/finalizers"]
# Secrets are read-only in this role, but no resourceNames is visible, so the
# read still spans whatever scope the binding gives it.
16267 resources: ["secrets"]
16268 verbs: ["get", "list", "watch"]
16270 resources: ["events"]
16271 verbs: ["create", "patch"]
16273 # Source: cert-manager/templates/rbac.yaml
16274 # Challenges controller role
# Several verbs and apiGroups lines of this role are not shown in this listing;
# the notes below cover only the rules that are visible.
16275 apiVersion: rbac.authorization.k8s.io/v1
16278 name: cert-manager-controller-challenges
16281 app.kubernetes.io/name: cert-manager
16282 app.kubernetes.io/instance: cert-manager
16283 app.kubernetes.io/component: "controller"
16284 app.kubernetes.io/version: "v1.5.3"
16286 # Use to update challenge resource status
16287 - apiGroups: ["acme.cert-manager.io"]
16288 resources: ["challenges", "challenges/status"]
16290 # Used to watch challenge resources
16291 - apiGroups: ["acme.cert-manager.io"]
16292 resources: ["challenges"]
16293 verbs: ["get", "list", "watch"]
16294 # Used to watch challenges, issuer and clusterissuer resources
16295 - apiGroups: ["cert-manager.io"]
16296 resources: ["issuers", "clusterissuers"]
16297 verbs: ["get", "list", "watch"]
16298 # Need to be able to retrieve ACME account private key to complete challenges
# NOTE(review): the stated need is the ACME account key, but the rule as shown
# has no resourceNames, so it reads any Secret within the binding's scope.
16300 resources: ["secrets"]
16301 verbs: ["get", "list", "watch"]
16302 # Used to create events
16304 resources: ["events"]
16305 verbs: ["create", "patch"]
# NOTE(review): create/delete on Pods and Services, presumably for HTTP-01
# solver workloads (the rule's own comment is not shown). Namespaces that receive
# these pods should enforce pod security admission so that this right cannot
# yield privileged pods.
16308 resources: ["pods", "services"]
16309 verbs: ["get", "list", "watch", "create", "delete"]
16310 - apiGroups: ["networking.k8s.io"]
16311 resources: ["ingresses"]
16312 verbs: ["get", "list", "watch", "create", "delete", "update"]
16313 - apiGroups: [ "networking.x-k8s.io" ]
16314 resources: [ "httproutes" ]
16315 verbs: ["get", "list", "watch", "create", "delete", "update"]
16316 # We require the ability to specify a custom hostname when we are creating
16317 # new ingress resources.
16318 # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
16319 - apiGroups: ["route.openshift.io"]
16320 resources: ["routes/custom-host"]
16322 # We require these rules to support users with the OwnerReferencesPermissionEnforcement
16323 # admission controller enabled:
16324 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
16325 - apiGroups: ["acme.cert-manager.io"]
16326 resources: ["challenges/finalizers"]
16328 # DNS01 rules (duplicated above)
# Same read-only secrets grant as the rule earlier in this role; it adds no new
# permission.
16330 resources: ["secrets"]
16331 verbs: ["get", "list", "watch"]
16333 # Source: cert-manager/templates/rbac.yaml
16334 # ingress-shim controller role
# Lets the controller create, update and delete Certificates and
# CertificateRequests and read Ingress/Gateway/HTTPRoute objects. The verbs lines
# of the finalizers rules and the apiGroups line of the events rule are not shown
# in this listing.
16335 apiVersion: rbac.authorization.k8s.io/v1
16338 name: cert-manager-controller-ingress-shim
16341 app.kubernetes.io/name: cert-manager
16342 app.kubernetes.io/instance: cert-manager
16343 app.kubernetes.io/component: "controller"
16344 app.kubernetes.io/version: "v1.5.3"
16346 - apiGroups: ["cert-manager.io"]
16347 resources: ["certificates", "certificaterequests"]
16348 verbs: ["create", "update", "delete"]
16349 - apiGroups: ["cert-manager.io"]
16350 resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
16351 verbs: ["get", "list", "watch"]
16352 - apiGroups: ["networking.k8s.io"]
16353 resources: ["ingresses"]
16354 verbs: ["get", "list", "watch"]
16355 # We require these rules to support users with the OwnerReferencesPermissionEnforcement
16356 # admission controller enabled:
16357 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
16358 - apiGroups: ["networking.k8s.io"]
16359 resources: ["ingresses/finalizers"]
16361 - apiGroups: ["networking.x-k8s.io"]
16362 resources: ["gateways", "httproutes"]
16363 verbs: ["get", "list", "watch"]
16364 - apiGroups: ["networking.x-k8s.io"]
16365 resources: ["gateways/finalizers", "httproutes/finalizers"]
16368 resources: ["events"]
16369 verbs: ["create", "patch"]
16371 # Source: cert-manager/templates/rbac.yaml
# Read-only rules for cert-manager resources. The three aggregate-to-* labels
# fold these rules into the built-in view, edit and admin ClusterRoles, so every
# subject holding one of those roles gains this read access without a separate
# binding. clusterissuers is not in the resource list.
16372 apiVersion: rbac.authorization.k8s.io/v1
16375 name: cert-manager-view
16378 app.kubernetes.io/name: cert-manager
16379 app.kubernetes.io/instance: cert-manager
16380 app.kubernetes.io/component: "controller"
16381 app.kubernetes.io/version: "v1.5.3"
16382 rbac.authorization.k8s.io/aggregate-to-view: "true"
16383 rbac.authorization.k8s.io/aggregate-to-edit: "true"
16384 rbac.authorization.k8s.io/aggregate-to-admin: "true"
16386 - apiGroups: ["cert-manager.io"]
16387 resources: ["certificates", "certificaterequests", "issuers"]
16388 verbs: ["get", "list", "watch"]
16389 - apiGroups: ["acme.cert-manager.io"]
16390 resources: ["challenges", "orders"]
16391 verbs: ["get", "list", "watch"]
16393 # Source: cert-manager/templates/rbac.yaml
# Write rules for cert-manager resources, aggregated into the built-in edit and
# admin ClusterRoles by the two labels below.
# NOTE(review): any subject holding edit or admin in a namespace can therefore
# create, change and delete Issuers, Certificates, CertificateRequests, Orders
# and Challenges there. Check that this matches how much tenants are trusted to
# request certificates.
16394 apiVersion: rbac.authorization.k8s.io/v1
16397 name: cert-manager-edit
16400 app.kubernetes.io/name: cert-manager
16401 app.kubernetes.io/instance: cert-manager
16402 app.kubernetes.io/component: "controller"
16403 app.kubernetes.io/version: "v1.5.3"
16404 rbac.authorization.k8s.io/aggregate-to-edit: "true"
16405 rbac.authorization.k8s.io/aggregate-to-admin: "true"
16407 - apiGroups: ["cert-manager.io"]
16408 resources: ["certificates", "certificaterequests", "issuers"]
16409 verbs: ["create", "delete", "deletecollection", "patch", "update"]
16410 - apiGroups: ["acme.cert-manager.io"]
16411 resources: ["challenges", "orders"]
16412 verbs: ["create", "delete", "deletecollection", "patch", "update"]
16414 # Source: cert-manager/templates/rbac.yaml
16415 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
# The verbs line of the rule is not shown in this listing.
# NOTE(review): Kubernetes RBAC compares resourceNames literally, so the "/*"
# entries act as "all issuers" only because the component performing the access
# review asks for that exact name. Confirm against the approval logic before
# treating it as a wildcard.
16416 apiVersion: rbac.authorization.k8s.io/v1
16419 name: cert-manager-controller-approve:cert-manager-io
16422 app.kubernetes.io/name: cert-manager
16423 app.kubernetes.io/instance: cert-manager
16424 app.kubernetes.io/component: "cert-manager"
16425 app.kubernetes.io/version: "v1.5.3"
16427 - apiGroups: ["cert-manager.io"]
16428 resources: ["signers"]
16430 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
16432 # Source: cert-manager/templates/rbac.yaml
16434 # - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
16435 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
# Rules for handling Kubernetes CertificateSigningRequests. The verbs lines of
# the status, signers and subjectaccessreviews rules are not shown in this
# listing.
16436 apiVersion: rbac.authorization.k8s.io/v1
16439 name: cert-manager-controller-certificatesigningrequests
16442 app.kubernetes.io/name: cert-manager
16443 app.kubernetes.io/instance: cert-manager
16444 app.kubernetes.io/component: "cert-manager"
16445 app.kubernetes.io/version: "v1.5.3"
16447 - apiGroups: ["certificates.k8s.io"]
16448 resources: ["certificatesigningrequests"]
16449 verbs: ["get", "list", "watch", "update"]
16450 - apiGroups: ["certificates.k8s.io"]
16451 resources: ["certificatesigningrequests/status"]
# The signers rule is limited by resourceNames to the two cert-manager.io signer
# name patterns; it does not cover other signer names.
16453 - apiGroups: ["certificates.k8s.io"]
16454 resources: ["signers"]
16455 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
# SubjectAccessReview lets the holder ask the API server whether a given subject
# may perform an action.
16457 - apiGroups: ["authorization.k8s.io"]
16458 resources: ["subjectaccessreviews"]
16461 # Source: cert-manager/templates/webhook-rbac.yaml
# Single-rule role for the webhook: access to SubjectAccessReview, which lets the
# holder ask the API server whether a given subject may perform an action. The
# verbs line is not shown in this listing (presumably create; confirm).
16462 apiVersion: rbac.authorization.k8s.io/v1
16465 name: cert-manager-webhook:subjectaccessreviews
16468 app.kubernetes.io/name: webhook
16469 app.kubernetes.io/instance: cert-manager
16470 app.kubernetes.io/component: "webhook"
16471 app.kubernetes.io/version: "v1.5.3"
16473 - apiGroups: ["authorization.k8s.io"]
16474 resources: ["subjectaccessreviews"]
16477 # Source: cert-manager/templates/cainjector-rbac.yaml
# Cluster-wide binding. The roleRef:/subjects: key lines are not shown in this
# listing; read in order, the name lines are the binding, the referenced role and
# the subject. The subject is ServiceAccount cert-manager-cainjector in namespace
# cert-manager, which receives the role's rules in every namespace.
16478 apiVersion: rbac.authorization.k8s.io/v1
16479 kind: ClusterRoleBinding
16481 name: cert-manager-cainjector
16484 app.kubernetes.io/name: cainjector
16485 app.kubernetes.io/instance: cert-manager
16486 app.kubernetes.io/component: "cainjector"
16487 app.kubernetes.io/version: "v1.5.3"
16489 apiGroup: rbac.authorization.k8s.io
16491 name: cert-manager-cainjector
16493 - name: cert-manager-cainjector
16494 namespace: "cert-manager"
16495 kind: ServiceAccount
16497 # Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of role cert-manager-controller-issuers to ServiceAccount
# cert-manager in namespace cert-manager (roleRef:/subjects: key lines are not
# shown in this listing).
# NOTE(review): every controller ClusterRoleBinding in this manifest names this
# same ServiceAccount, so one token holds the union of all the
# cert-manager-controller-* roles. The per-controller split documents intent but
# is not an isolation boundary.
16498 apiVersion: rbac.authorization.k8s.io/v1
16499 kind: ClusterRoleBinding
16501 name: cert-manager-controller-issuers
16504 app.kubernetes.io/name: cert-manager
16505 app.kubernetes.io/instance: cert-manager
16506 app.kubernetes.io/component: "controller"
16507 app.kubernetes.io/version: "v1.5.3"
16509 apiGroup: rbac.authorization.k8s.io
16511 name: cert-manager-controller-issuers
16513 - name: cert-manager
16514 namespace: "cert-manager"
16515 kind: ServiceAccount
16517 # Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of role cert-manager-controller-clusterissuers to
# ServiceAccount cert-manager in namespace cert-manager (roleRef:/subjects: key
# lines are not shown in this listing).
16518 apiVersion: rbac.authorization.k8s.io/v1
16519 kind: ClusterRoleBinding
16521 name: cert-manager-controller-clusterissuers
16524 app.kubernetes.io/name: cert-manager
16525 app.kubernetes.io/instance: cert-manager
16526 app.kubernetes.io/component: "controller"
16527 app.kubernetes.io/version: "v1.5.3"
16529 apiGroup: rbac.authorization.k8s.io
16531 name: cert-manager-controller-clusterissuers
16533 - name: cert-manager
16534 namespace: "cert-manager"
16535 kind: ServiceAccount
16537 # Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of role cert-manager-controller-certificates to
# ServiceAccount cert-manager in namespace cert-manager (roleRef:/subjects: key
# lines are not shown in this listing).
16538 apiVersion: rbac.authorization.k8s.io/v1
16539 kind: ClusterRoleBinding
16541 name: cert-manager-controller-certificates
16544 app.kubernetes.io/name: cert-manager
16545 app.kubernetes.io/instance: cert-manager
16546 app.kubernetes.io/component: "controller"
16547 app.kubernetes.io/version: "v1.5.3"
16549 apiGroup: rbac.authorization.k8s.io
16551 name: cert-manager-controller-certificates
16553 - name: cert-manager
16554 namespace: "cert-manager"
16555 kind: ServiceAccount
16557 # Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of role cert-manager-controller-orders to ServiceAccount
# cert-manager in namespace cert-manager (roleRef:/subjects: key lines are not
# shown in this listing).
16558 apiVersion: rbac.authorization.k8s.io/v1
16559 kind: ClusterRoleBinding
16561 name: cert-manager-controller-orders
16564 app.kubernetes.io/name: cert-manager
16565 app.kubernetes.io/instance: cert-manager
16566 app.kubernetes.io/component: "controller"
16567 app.kubernetes.io/version: "v1.5.3"
16569 apiGroup: rbac.authorization.k8s.io
16571 name: cert-manager-controller-orders
16573 - name: cert-manager
16574 namespace: "cert-manager"
16575 kind: ServiceAccount
16577 # Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of role cert-manager-controller-challenges to
# ServiceAccount cert-manager in namespace cert-manager (roleRef:/subjects: key
# lines are not shown in this listing). Because the binding is cluster-wide, the
# role's Pod/Service/Ingress write rules apply in every namespace.
16578 apiVersion: rbac.authorization.k8s.io/v1
16579 kind: ClusterRoleBinding
16581 name: cert-manager-controller-challenges
16584 app.kubernetes.io/name: cert-manager
16585 app.kubernetes.io/instance: cert-manager
16586 app.kubernetes.io/component: "controller"
16587 app.kubernetes.io/version: "v1.5.3"
16589 apiGroup: rbac.authorization.k8s.io
16591 name: cert-manager-controller-challenges
16593 - name: cert-manager
16594 namespace: "cert-manager"
16595 kind: ServiceAccount
16597 # Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of role cert-manager-controller-ingress-shim to
# ServiceAccount cert-manager in namespace cert-manager (roleRef:/subjects: key
# lines are not shown in this listing).
16598 apiVersion: rbac.authorization.k8s.io/v1
16599 kind: ClusterRoleBinding
16601 name: cert-manager-controller-ingress-shim
16604 app.kubernetes.io/name: cert-manager
16605 app.kubernetes.io/instance: cert-manager
16606 app.kubernetes.io/component: "controller"
16607 app.kubernetes.io/version: "v1.5.3"
16609 apiGroup: rbac.authorization.k8s.io
16611 name: cert-manager-controller-ingress-shim
16613 - name: cert-manager
16614 namespace: "cert-manager"
16615 kind: ServiceAccount
16617 # Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of the approval role to ServiceAccount cert-manager in
# namespace cert-manager (roleRef:/subjects: key lines are not shown in this
# listing).
# NOTE(review): as long as this binding exists, the controller account itself
# holds the approval permission for cert-manager.io issuers. If approval is meant
# to be delegated to a separate policy component, revisit this binding.
16618 apiVersion: rbac.authorization.k8s.io/v1
16619 kind: ClusterRoleBinding
16621 name: cert-manager-controller-approve:cert-manager-io
16624 app.kubernetes.io/name: cert-manager
16625 app.kubernetes.io/instance: cert-manager
16626 app.kubernetes.io/component: "cert-manager"
16627 app.kubernetes.io/version: "v1.5.3"
16629 apiGroup: rbac.authorization.k8s.io
16631 name: cert-manager-controller-approve:cert-manager-io
16633 - name: cert-manager
16634 namespace: "cert-manager"
16635 kind: ServiceAccount
16637 # Source: cert-manager/templates/rbac.yaml
# Cluster-wide binding of role cert-manager-controller-certificatesigningrequests
# to ServiceAccount cert-manager in namespace cert-manager (roleRef:/subjects:
# key lines are not shown in this listing).
16638 apiVersion: rbac.authorization.k8s.io/v1
16639 kind: ClusterRoleBinding
16641 name: cert-manager-controller-certificatesigningrequests
16644 app.kubernetes.io/name: cert-manager
16645 app.kubernetes.io/instance: cert-manager
16646 app.kubernetes.io/component: "cert-manager"
16647 app.kubernetes.io/version: "v1.5.3"
16649 apiGroup: rbac.authorization.k8s.io
16651 name: cert-manager-controller-certificatesigningrequests
16653 - name: cert-manager
16654 namespace: "cert-manager"
16655 kind: ServiceAccount
16657 # Source: cert-manager/templates/webhook-rbac.yaml
# Cluster-wide binding of role cert-manager-webhook:subjectaccessreviews to
# ServiceAccount cert-manager-webhook in namespace cert-manager
# (roleRef:/subjects: key lines are not shown in this listing). The subject's
# namespace value is unquoted here and quoted in the other bindings; the parsed
# value is the same.
16658 apiVersion: rbac.authorization.k8s.io/v1
16659 kind: ClusterRoleBinding
16661 name: cert-manager-webhook:subjectaccessreviews
16664 app.kubernetes.io/name: webhook
16665 app.kubernetes.io/instance: cert-manager
16666 app.kubernetes.io/component: "webhook"
16667 app.kubernetes.io/version: "v1.5.3"
16669 apiGroup: rbac.authorization.k8s.io
16671 name: cert-manager-webhook:subjectaccessreviews
16674 kind: ServiceAccount
16675 name: cert-manager-webhook
16676 namespace: cert-manager
16678 # Source: cert-manager/templates/cainjector-rbac.yaml
16679 # leader election rules
# NOTE(review): this object is namespaced to kube-system, so the cainjector
# holds write access to objects in a system namespace. resourceNames limits
# get/update/patch to the two named lock objects.
16680 apiVersion: rbac.authorization.k8s.io/v1
16683 name: cert-manager-cainjector:leaderelection
16684 namespace: kube-system
16687 app.kubernetes.io/name: cainjector
16688 app.kubernetes.io/instance: cert-manager
16689 app.kubernetes.io/component: "cainjector"
16690 app.kubernetes.io/version: "v1.5.3"
16692 # Used for leader election by the controller
16693 # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
16694 # see cmd/cainjector/start.go#L113
16695 # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
16696 # see cmd/cainjector/start.go#L137
16697 # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
16699 resources: ["configmaps"]
16700 resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
16701 verbs: ["get", "update", "patch"]
# NOTE(review): this configmaps rule has no resourceNames and its verbs line is
# not shown in this listing. If it grants create (which RBAC cannot scope by
# name), the account can create ConfigMaps of any name in kube-system. Confirm.
16703 resources: ["configmaps"]
16705 - apiGroups: ["coordination.k8s.io"]
16706 resources: ["leases"]
16707 resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
16708 verbs: ["get", "update", "patch"]
# Same pattern for leases: an un-named rule whose verbs line is not shown.
16709 - apiGroups: ["coordination.k8s.io"]
16710 resources: ["leases"]
16713 # Source: cert-manager/templates/rbac.yaml
# Leader-election rules for the controller, namespaced to kube-system.
# resourceNames limits get/update/patch to the lock object named
# cert-manager-controller.
16714 apiVersion: rbac.authorization.k8s.io/v1
16717 name: cert-manager:leaderelection
16718 namespace: kube-system
16721 app.kubernetes.io/name: cert-manager
16722 app.kubernetes.io/instance: cert-manager
16723 app.kubernetes.io/component: "controller"
16724 app.kubernetes.io/version: "v1.5.3"
16726 # Used for leader election by the controller
16727 # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
16729 resources: ["configmaps"]
16730 resourceNames: ["cert-manager-controller"]
16731 verbs: ["get", "update", "patch"]
# NOTE(review): this configmaps rule has no resourceNames and its verbs line is
# not shown in this listing. If it grants create (which RBAC cannot scope by
# name), the account can create ConfigMaps of any name in kube-system. Confirm.
16733 resources: ["configmaps"]
16735 - apiGroups: ["coordination.k8s.io"]
16736 resources: ["leases"]
16737 resourceNames: ["cert-manager-controller"]
16738 verbs: ["get", "update", "patch"]
# Same pattern for leases: an un-named rule whose verbs line is not shown.
16739 - apiGroups: ["coordination.k8s.io"]
16740 resources: ["leases"]
16743 # Source: cert-manager/templates/webhook-rbac.yaml
# RBAC rules in the cert-manager namespace for the Secret that holds the
# webhook's dynamic serving CA: get/list/watch/update limited to the name
# cert-manager-webhook-ca. (The kind line is not visible in this listing.)
16744 apiVersion: rbac.authorization.k8s.io/v1
16747 name: cert-manager-webhook:dynamic-serving
16748 namespace: "cert-manager"
16751 app.kubernetes.io/name: webhook
16752 app.kubernetes.io/instance: cert-manager
16753 app.kubernetes.io/component: "webhook"
16754 app.kubernetes.io/version: "v1.5.3"
16757 resources: ["secrets"]
16759 - 'cert-manager-webhook-ca'
# list and watch restricted by resource name are only authorized when the
# client sends a matching metadata.name field selector.
16760 verbs: ["get", "list", "watch", "update"]
16761 # It's not possible to grant CREATE permission on a single resourceName.
# (The object name may not be known when a create request is authorized.)
# The rule that follows therefore shows no resourceNames; its verbs line is
# not visible in this listing. NOTE(review): a create grant here applies to any
# Secret name in this namespace, while reads stay limited to the named Secret.
16763 resources: ["secrets"]
16766 # Source: cert-manager/templates/cainjector-rbac.yaml
16767 # grant the cert-manager-cainjector ServiceAccount permission to manage the
16768 # leader election objects in the leader election namespace
# The binding lives in kube-system while its subject is a ServiceAccount in the
# cert-manager namespace, so this is a cross-namespace grant: the cainjector
# pod's identity gains the leader-election rules inside kube-system.
16769 apiVersion: rbac.authorization.k8s.io/v1
16772 name: cert-manager-cainjector:leaderelection
16773 namespace: kube-system
16776 app.kubernetes.io/name: cainjector
16777 app.kubernetes.io/instance: cert-manager
16778 app.kubernetes.io/component: "cainjector"
16779 app.kubernetes.io/version: "v1.5.3"
16781 apiGroup: rbac.authorization.k8s.io
16783 name: cert-manager-cainjector:leaderelection
16785 - kind: ServiceAccount
16786 name: cert-manager-cainjector
16787 namespace: cert-manager
16789 # Source: cert-manager/templates/rbac.yaml
16790 # grant cert-manager permission to manage the leaderelection configmap in the
16791 # leader election namespace
# The binding lives in kube-system and its subject is a ServiceAccount in the
# cert-manager namespace (the subject's name line is not visible in this
# listing), so this is a cross-namespace grant into kube-system.
16792 apiVersion: rbac.authorization.k8s.io/v1
16795 name: cert-manager:leaderelection
16796 namespace: kube-system
16799 app.kubernetes.io/name: cert-manager
16800 app.kubernetes.io/instance: cert-manager
16801 app.kubernetes.io/component: "controller"
16802 app.kubernetes.io/version: "v1.5.3"
16804 apiGroup: rbac.authorization.k8s.io
16806 name: cert-manager:leaderelection
16809 kind: ServiceAccount
16811 namespace: cert-manager
16813 # Source: cert-manager/templates/webhook-rbac.yaml
# Binds the cert-manager-webhook:dynamic-serving rules to the
# cert-manager-webhook ServiceAccount; binding and subject are both in the
# cert-manager namespace, so the Secret access does not reach other namespaces.
16814 apiVersion: rbac.authorization.k8s.io/v1
16817 name: cert-manager-webhook:dynamic-serving
16818 namespace: "cert-manager"
16821 app.kubernetes.io/name: webhook
16822 app.kubernetes.io/instance: cert-manager
16823 app.kubernetes.io/component: "webhook"
16824 app.kubernetes.io/version: "v1.5.3"
16826 apiGroup: rbac.authorization.k8s.io
16828 name: cert-manager-webhook:dynamic-serving
16831 kind: ServiceAccount
16832 name: cert-manager-webhook
16833 namespace: cert-manager
16835 # Source: cert-manager/templates/service.yaml
# Service in the cert-manager namespace selecting the controller pods; the only
# port name visible is tcp-prometheus-servicemonitor (apiVersion, kind, name
# and port numbers are not visible in this listing).
# NOTE(review): presumably this exposes the controller's metrics endpoint;
# confirm which clients can reach it (e.g. via a NetworkPolicy).
16840 namespace: "cert-manager"
16843 app.kubernetes.io/name: cert-manager
16844 app.kubernetes.io/instance: cert-manager
16845 app.kubernetes.io/component: "controller"
16846 app.kubernetes.io/version: "v1.5.3"
16852 name: tcp-prometheus-servicemonitor
16855 app.kubernetes.io/name: cert-manager
16856 app.kubernetes.io/instance: cert-manager
16857 app.kubernetes.io/component: "controller"
16859 # Source: cert-manager/templates/webhook-service.yaml
# Service named cert-manager-webhook in the cert-manager namespace, selecting
# the webhook pods. The webhook configurations later in this file refer to the
# same name and namespace, and the webhook Deployment's
# --dynamic-serving-dns-names list matches this Service's in-cluster DNS names.
# (Port lines are not visible in this listing.)
16863 name: cert-manager-webhook
16864 namespace: "cert-manager"
16867 app.kubernetes.io/name: webhook
16868 app.kubernetes.io/instance: cert-manager
16869 app.kubernetes.io/component: "webhook"
16870 app.kubernetes.io/version: "v1.5.3"
16879 app.kubernetes.io/name: webhook
16880 app.kubernetes.io/instance: cert-manager
16881 app.kubernetes.io/component: "webhook"
16883 # Source: cert-manager/templates/cainjector-deployment.yaml
# Workload for the cainjector, running as the cert-manager-cainjector
# ServiceAccount in the cert-manager namespace.
# NOTE(review): securityContext and resource lines are not visible in this
# listing; confirm the pod runs non-root with a restricted securityContext.
16884 apiVersion: apps/v1
16887 name: cert-manager-cainjector
16888 namespace: "cert-manager"
16891 app.kubernetes.io/name: cainjector
16892 app.kubernetes.io/instance: cert-manager
16893 app.kubernetes.io/component: "cainjector"
16894 app.kubernetes.io/version: "v1.5.3"
16899 app.kubernetes.io/name: cainjector
16900 app.kubernetes.io/instance: cert-manager
16901 app.kubernetes.io/component: "cainjector"
16906 app.kubernetes.io/name: cainjector
16907 app.kubernetes.io/instance: cert-manager
16908 app.kubernetes.io/component: "cainjector"
16909 app.kubernetes.io/version: "v1.5.3"
16911 serviceAccountName: cert-manager-cainjector
16915 - name: cert-manager
# The image is referenced by tag only. A tag can be re-pointed in the registry,
# and IfNotPresent reuses whatever a node already cached under that tag.
# Pinning by digest makes the deployed image verifiable, e.g.
# "quay.io/jetstack/cert-manager-cainjector@sha256:<digest-placeholder>".
16916 image: "quay.io/jetstack/cert-manager-cainjector:v1.5.3"
16917 imagePullPolicy: IfNotPresent
# Leader-election locks are kept in kube-system, which is why the
# leaderelection RBAC objects in this file are created in that namespace.
16920 - --leader-election-namespace=kube-system
# POD_NAMESPACE is filled in from the pod's own metadata.namespace.
16922 - name: POD_NAMESPACE
16925 fieldPath: metadata.namespace
16929 # Source: cert-manager/templates/deployment.yaml
# Workload for the cert-manager controller, running as the cert-manager
# ServiceAccount in the cert-manager namespace.
# NOTE(review): securityContext and resource lines are not visible in this
# listing; confirm the pod runs non-root with a restricted securityContext.
16930 apiVersion: apps/v1
16934 namespace: "cert-manager"
16937 app.kubernetes.io/name: cert-manager
16938 app.kubernetes.io/instance: cert-manager
16939 app.kubernetes.io/component: "controller"
16940 app.kubernetes.io/version: "v1.5.3"
16945 app.kubernetes.io/name: cert-manager
16946 app.kubernetes.io/instance: cert-manager
16947 app.kubernetes.io/component: "controller"
16952 app.kubernetes.io/name: cert-manager
16953 app.kubernetes.io/instance: cert-manager
16954 app.kubernetes.io/component: "controller"
16955 app.kubernetes.io/version: "v1.5.3"
# Scrape annotations advertise /metrics on port 9402, the containerPort
# declared below. NOTE(review): confirm which clients can reach that port.
16957 prometheus.io/path: "/metrics"
16958 prometheus.io/scrape: 'true'
16959 prometheus.io/port: '9402'
16961 serviceAccountName: cert-manager
16965 - name: cert-manager
# The image is referenced by tag only. A tag can be re-pointed in the registry,
# and IfNotPresent reuses whatever a node already cached under that tag.
# Pinning by digest makes the deployed image verifiable, e.g.
# "quay.io/jetstack/cert-manager-controller@sha256:<digest-placeholder>".
16966 image: "quay.io/jetstack/cert-manager-controller:v1.5.3"
16967 imagePullPolicy: IfNotPresent
# $(POD_NAMESPACE) expands to the env var defined below, so the cluster
# resource namespace is the namespace this pod runs in.
16970 - --cluster-resource-namespace=$(POD_NAMESPACE)
# Leader-election locks are kept in kube-system, which is why the
# leaderelection RBAC objects in this file are created in that namespace.
16971 - --leader-election-namespace=kube-system
16973 - containerPort: 9402
# POD_NAMESPACE is filled in from the pod's own metadata.namespace.
16976 - name: POD_NAMESPACE
16979 fieldPath: metadata.namespace
16983 # Source: cert-manager/templates/webhook-deployment.yaml
# Workload for the admission/conversion webhook, running as the
# cert-manager-webhook ServiceAccount in the cert-manager namespace.
# NOTE(review): securityContext and resource lines are not visible in this
# listing; confirm the pod runs non-root with a restricted securityContext.
16984 apiVersion: apps/v1
16987 name: cert-manager-webhook
16988 namespace: "cert-manager"
16991 app.kubernetes.io/name: webhook
16992 app.kubernetes.io/instance: cert-manager
16993 app.kubernetes.io/component: "webhook"
16994 app.kubernetes.io/version: "v1.5.3"
16999 app.kubernetes.io/name: webhook
17000 app.kubernetes.io/instance: cert-manager
17001 app.kubernetes.io/component: "webhook"
17006 app.kubernetes.io/name: webhook
17007 app.kubernetes.io/instance: cert-manager
17008 app.kubernetes.io/component: "webhook"
17009 app.kubernetes.io/version: "v1.5.3"
17011 serviceAccountName: cert-manager-webhook
17015 - name: cert-manager
# The image is referenced by tag only. A tag can be re-pointed in the registry,
# and IfNotPresent reuses whatever a node already cached under that tag.
# Pinning by digest makes the deployed image verifiable, e.g.
# "quay.io/jetstack/cert-manager-webhook@sha256:<digest-placeholder>".
17016 image: "quay.io/jetstack/cert-manager-webhook:v1.5.3"
17017 imagePullPolicy: IfNotPresent
# Secure port 10250 matches the containerPort declared below.
17020 - --secure-port=10250
# The serving CA is kept in the Secret cert-manager-webhook-ca in the pod's own
# namespace; that is the Secret the dynamic-serving RBAC rules name and the
# inject-ca-from-secret annotations elsewhere in this file point at. Whoever
# can write that Secret influences which serving certificate clients trust.
17021 - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
17022 - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
# DNS names placed in the serving certificate; they correspond to the
# cert-manager-webhook Service in the cert-manager namespace.
17023 - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
17027 containerPort: 10250
# Two probe blocks follow; the lines saying which probe each one is are not
# visible in this listing.
17033 initialDelaySeconds: 60
17036 successThreshold: 1
17037 failureThreshold: 3
17043 initialDelaySeconds: 5
17046 successThreshold: 1
17047 failureThreshold: 3
# POD_NAMESPACE is filled in from the pod's own metadata.namespace.
17049 - name: POD_NAMESPACE
17052 fieldPath: metadata.namespace
17056 # Source: cert-manager/templates/webhook-mutating-webhook.yaml
# Registers webhook.cert-manager.io as a mutating admission webhook served by
# the cert-manager-webhook Service in the cert-manager namespace. The two
# quoted group names are presumably the rule's apiGroups (the key line is not
# visible in this listing).
17057 apiVersion: admissionregistration.k8s.io/v1
17058 kind: MutatingWebhookConfiguration
17060 name: cert-manager-webhook
17063 app.kubernetes.io/name: webhook
17064 app.kubernetes.io/instance: cert-manager
17065 app.kubernetes.io/component: "webhook"
17066 app.kubernetes.io/version: "v1.5.3"
# Names the Secret (namespace/name) from which the CA bundle for this
# configuration is presumably injected by the cainjector. NOTE(review): write
# access to that Secret then decides which webhook server the API server
# trusts, so keep it as tightly scoped as the RBAC above intends.
17068 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
17070 - name: webhook.cert-manager.io
17073 - "cert-manager.io"
17074 - "acme.cert-manager.io"
17082 # We don't actually support `v1beta1`, but it is listed here as it is a
17083 # required value for
17084 # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
17085 # The API server reads the supported versions in order, so _should always_
17086 # attempt a `v1` request which is understood by the cert-manager webhook.
17087 # Any `v1beta1` request will return an error and fail closed for that
17088 # resource (the whole object request is rejected). When we no longer
17089 # support v1.16 we can remove `v1beta1` from this list.
17090 admissionReviewVersions: ["v1", "v1beta1"]
17091 # This webhook only accepts v1 cert-manager resources.
17092 # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
17093 # this webhook (after the resources have been converted to v1).
17094 matchPolicy: Equivalent
# Fail closed: if the webhook cannot be called, the API server rejects the
# request instead of admitting an unmutated object. The trade-off is
# availability - a webhook outage blocks writes to the matched resources.
17096 failurePolicy: Fail
17097 # Only include 'sideEffects' field in Kubernetes 1.12+
17101 name: cert-manager-webhook
17102 namespace: "cert-manager"
17105 # Source: cert-manager/templates/webhook-validating-webhook.yaml
# Registers webhook.cert-manager.io as a validating admission webhook served by
# the cert-manager-webhook Service in the cert-manager namespace. The two
# quoted group names are presumably the rule's apiGroups (the key line is not
# visible in this listing).
17106 apiVersion: admissionregistration.k8s.io/v1
17107 kind: ValidatingWebhookConfiguration
17109 name: cert-manager-webhook
17112 app.kubernetes.io/name: webhook
17113 app.kubernetes.io/instance: cert-manager
17114 app.kubernetes.io/component: "webhook"
17115 app.kubernetes.io/version: "v1.5.3"
# Names the Secret (namespace/name) from which the CA bundle for this
# configuration is presumably injected by the cainjector. NOTE(review): write
# access to that Secret then decides which webhook server the API server
# trusts, so keep it as tightly scoped as the RBAC above intends.
17117 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
17119 - name: webhook.cert-manager.io
# Presumably a namespaceSelector expression that exempts namespaces carrying
# this label from validation (the operator and values lines are not visible in
# this listing). NOTE(review): if so, anyone allowed to label a namespace can
# switch validation off for it; restrict and audit namespace label changes.
17122 - key: "cert-manager.io/disable-validation"
17132 - "cert-manager.io"
17133 - "acme.cert-manager.io"
17141 # We don't actually support `v1beta1`, but it is listed here as it is a
17142 # required value for
17143 # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
17144 # The API server reads the supported versions in order, so _should always_
17145 # attempt a `v1` request which is understood by the cert-manager webhook.
17146 # Any `v1beta1` request will return an error and fail closed for that
17147 # resource (the whole object request is rejected). When we no longer
17148 # support v1.16 we can remove `v1beta1` from this list.
17149 admissionReviewVersions: ["v1", "v1beta1"]
17150 # This webhook only accepts v1 cert-manager resources.
17151 # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
17152 # this webhook (after the resources have been converted to v1).
17153 matchPolicy: Equivalent
# Fail closed: if the webhook cannot be called, the API server rejects the
# request instead of admitting an unvalidated object. The trade-off is
# availability - a webhook outage blocks writes to the matched resources.
17155 failurePolicy: Fail
17159 name: cert-manager-webhook
17160 namespace: "cert-manager"