Flux install of compute cluster
1 # Copyright  The cert-manager Authors.
2 #
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 #     http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
15 ---
16 # Source: cert-manager/templates/templates.out
17 apiVersion: apiextensions.k8s.io/v1
18 kind: CustomResourceDefinition  # registers the CertificateRequest API in group cert-manager.io
19 metadata:
20   name: certificaterequests.cert-manager.io
21   annotations:
22     cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'  # <namespace>/<secret> from which cert-manager's cainjector copies the CA into this CRD's conversion webhook caBundle; write access to that Secret decides which webhook certificate the API server trusts
23   labels:
24     app: 'cert-manager'
25     app.kubernetes.io/name: 'cert-manager'
26     app.kubernetes.io/instance: 'cert-manager'
27     # Generated labels
28     app.kubernetes.io/version: "v1.5.3"
29 spec:
30   group: cert-manager.io
31   names:
32     kind: CertificateRequest
33     listKind: CertificateRequestList
34     plural: certificaterequests
35     shortNames:
36       - cr
37       - crs
38     singular: certificaterequest
39     categories:
40       - cert-manager  # lets `kubectl get cert-manager` list these objects with the other cert-manager resources
41   scope: Namespaced  # each CertificateRequest lives in one namespace, so RBAC on it can be granted per namespace
42   conversion:
43     # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resource versions.
44     strategy: Webhook
45     # `webhook` (with its `clientConfig`) is required when strategy is `Webhook`; it configures the webhook endpoint to be called by the API server.
46     webhook:
47       # We don't actually support `v1beta1`, but it is listed here as it is a
48       # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
49       # API server reads the supported versions in order, so _should always_
50       # attempt a `v1` request which is understood by the cert-manager webhook.
51       # Any `v1beta1` request will return an error and fail closed for that
52       # resource (the whole object request is rejected).
53       # When we no longer support v1.16 we can remove `v1beta1` from this list.
54       conversionReviewVersions: ["v1", "v1beta1"]
55       clientConfig:
56         # No `caBundle` is set in this manifest; the `cert-manager.io/inject-ca-from-secret` annotation in metadata asks cainjector to fill it in at runtime, and until then the API server has no CA to verify the webhook with.
57         service:
58           name: 'cert-manager-webhook'
59           namespace: "cert-manager"
60           path: /convert
61           # No `port` is given, so the API server uses the default service port (443).
62   versions:
63     - name: v1alpha2  # legacy version: served but not stored (see served/storage at the end of this entry)
64       subresources:
65         status: {}
66       additionalPrinterColumns:
67         - jsonPath: .status.conditions[?(@.type=="Approved")].status
68           name: Approved
69           type: string
70         - jsonPath: .status.conditions[?(@.type=="Denied")].status
71           name: Denied
72           type: string
73         - jsonPath: .status.conditions[?(@.type=="Ready")].status
74           name: Ready
75           type: string
76         - jsonPath: .spec.issuerRef.name
77           name: Issuer
78           type: string
79         - jsonPath: .spec.username  # requester identity as recorded by the webhook (see spec.username below)
80           name: Requestor
81           type: string
82         - jsonPath: .status.conditions[?(@.type=="Ready")].message
83           name: Status
84           priority: 1
85           type: string
86         - jsonPath: .metadata.creationTimestamp
87           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
88           name: Age
89           type: date
90       schema:
91         openAPIV3Schema:
92           description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
93           type: object
94           properties:
95             apiVersion:
96               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
97               type: string
98             kind:
99               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
100               type: string
101             metadata:
102               type: object
103             spec:
104               description: Desired state of the CertificateRequest resource.
105               type: object
106               required:
107                 - csr
108                 - issuerRef
109               properties:
110                 csr:  # the v1beta1 entry in this file names the same field `request`
111                   description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
112                   type: string
113                   format: byte  # OpenAPI `byte` format: the value is base64-encoded in the object
114                 duration:
115                   description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
116                   type: string
117                 extra:  # extra, groups, uid and username record who created the request; per their descriptions the webhook sets them and they are immutable, which is what makes them usable for audit and approval decisions
118                   description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
119                   type: object
120                   additionalProperties:
121                     type: array
122                     items:
123                       type: string
124                 groups:
125                   description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
126                   type: array
127                   items:
128                     type: string
129                   x-kubernetes-list-type: atomic
130                 isCA:  # true requests a certificate that can itself sign certificates; restrict who may create such requests
131                   description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
132                   type: boolean
133                 issuerRef:
134                   description: IssuerRef is a reference to the issuer for this CertificateRequest.  If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
135                   type: object
136                   required:
137                     - name
138                   properties:
139                     group:
140                       description: Group of the resource being referred to.
141                       type: string
142                     kind:
143                       description: Kind of the resource being referred to.
144                       type: string
145                     name:
146                       description: Name of the resource being referred to.
147                       type: string
148                 uid:
149                   description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
150                   type: string
151                 usages:
152                   description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
153                   type: array
154                   items:  # the two RFC 5280 links in the description below lost their section numbers in this copy; RFC 5280 covers key usage in section 4.2.1.3 and extended key usage in section 4.2.1.12
155                     description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-      https://tools.ietf.org/html/rfc5280#section- Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
156                     type: string
157                     enum:
158                       - signing
159                       - digital signature
160                       - content commitment
161                       - key encipherment
162                       - key agreement
163                       - data encipherment
164                       - cert sign
165                       - crl sign
166                       - encipher only
167                       - decipher only
168                       - any  # any extended key usage, i.e. no restriction on purpose
169                       - server auth
170                       - client auth
171                       - code signing
172                       - email protection
173                       - s/mime
174                       - ipsec end system
175                       - ipsec tunnel
176                       - ipsec user
177                       - timestamping
178                       - ocsp signing
179                       - microsoft sgc
180                       - netscape sgc
181                 username:
182                   description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
183                   type: string
184             status:
185               description: Status of the CertificateRequest. This is set and managed automatically.
186               type: object
187               properties:
188                 ca:
189                   description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
190                   type: string
191                   format: byte
192                 certificate:
193                   description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
194                   type: string
195                   format: byte
196                 conditions:  # this description names only Ready and InvalidRequest; the condition `type` description further down also lists Approved and Denied
197                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
198                   type: array
199                   items:
200                     description: CertificateRequestCondition contains condition information for a CertificateRequest.
201                     type: object
202                     required:
203                       - status
204                       - type
205                     properties:
206                       lastTransitionTime:
207                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
208                         type: string
209                         format: date-time
210                       message:
211                         description: Message is a human readable description of the details of the last transition, complementing reason.
212                         type: string
213                       reason:
214                         description: Reason is a brief machine readable explanation for the condition's last transition.
215                         type: string
216                       status:
217                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
218                         type: string
219                         enum:
220                           - "True"
221                           - "False"
222                           - Unknown
223                       type:
224                         description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
225                         type: string
226                 failureTime:
227                   description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
228                   type: string
229                   format: date-time
230       served: true  # the API server still accepts and returns this version; the CRD's conversion strategy is Webhook
231       storage: false  # not the version objects are persisted in
232     - name: v1alpha3  # legacy version: served but not stored (see served/storage at the end of this entry)
233       subresources:
234         status: {}
235       additionalPrinterColumns:
236         - jsonPath: .status.conditions[?(@.type=="Approved")].status
237           name: Approved
238           type: string
239         - jsonPath: .status.conditions[?(@.type=="Denied")].status
240           name: Denied
241           type: string
242         - jsonPath: .status.conditions[?(@.type=="Ready")].status
243           name: Ready
244           type: string
245         - jsonPath: .spec.issuerRef.name
246           name: Issuer
247           type: string
248         - jsonPath: .spec.username  # requester identity as recorded by the webhook (see spec.username below)
249           name: Requestor
250           type: string
251         - jsonPath: .status.conditions[?(@.type=="Ready")].message
252           name: Status
253           priority: 1
254           type: string
255         - jsonPath: .metadata.creationTimestamp
256           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
257           name: Age
258           type: date
259       schema:
260         openAPIV3Schema:
261           description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
262           type: object
263           properties:
264             apiVersion:
265               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
266               type: string
267             kind:
268               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
269               type: string
270             metadata:
271               type: object
272             spec:
273               description: Desired state of the CertificateRequest resource.
274               type: object
275               required:
276                 - csr
277                 - issuerRef
278               properties:
279                 csr:  # the v1beta1 entry in this file names the same field `request`
280                   description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
281                   type: string
282                   format: byte  # OpenAPI `byte` format: the value is base64-encoded in the object
283                 duration:
284                   description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
285                   type: string
286                 extra:  # extra, groups, uid and username record who created the request; per their descriptions the webhook sets them and they are immutable, which is what makes them usable for audit and approval decisions
287                   description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
288                   type: object
289                   additionalProperties:
290                     type: array
291                     items:
292                       type: string
293                 groups:
294                   description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
295                   type: array
296                   items:
297                     type: string
298                   x-kubernetes-list-type: atomic
299                 isCA:  # true requests a certificate that can itself sign certificates; restrict who may create such requests
300                   description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
301                   type: boolean
302                 issuerRef:
303                   description: IssuerRef is a reference to the issuer for this CertificateRequest.  If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
304                   type: object
305                   required:
306                     - name
307                   properties:
308                     group:
309                       description: Group of the resource being referred to.
310                       type: string
311                     kind:
312                       description: Kind of the resource being referred to.
313                       type: string
314                     name:
315                       description: Name of the resource being referred to.
316                       type: string
317                 uid:
318                   description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
319                   type: string
320                 usages:
321                   description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
322                   type: array
323                   items:  # the two RFC 5280 links in the description below lost their section numbers in this copy; RFC 5280 covers key usage in section 4.2.1.3 and extended key usage in section 4.2.1.12
324                     description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-      https://tools.ietf.org/html/rfc5280#section- Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
325                     type: string
326                     enum:
327                       - signing
328                       - digital signature
329                       - content commitment
330                       - key encipherment
331                       - key agreement
332                       - data encipherment
333                       - cert sign
334                       - crl sign
335                       - encipher only
336                       - decipher only
337                       - any  # any extended key usage, i.e. no restriction on purpose
338                       - server auth
339                       - client auth
340                       - code signing
341                       - email protection
342                       - s/mime
343                       - ipsec end system
344                       - ipsec tunnel
345                       - ipsec user
346                       - timestamping
347                       - ocsp signing
348                       - microsoft sgc
349                       - netscape sgc
350                 username:
351                   description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
352                   type: string
353             status:
354               description: Status of the CertificateRequest. This is set and managed automatically.
355               type: object
356               properties:
357                 ca:
358                   description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
359                   type: string
360                   format: byte
361                 certificate:
362                   description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
363                   type: string
364                   format: byte
365                 conditions:  # this description names only Ready and InvalidRequest; the condition `type` description further down also lists Approved and Denied
366                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
367                   type: array
368                   items:
369                     description: CertificateRequestCondition contains condition information for a CertificateRequest.
370                     type: object
371                     required:
372                       - status
373                       - type
374                     properties:
375                       lastTransitionTime:
376                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
377                         type: string
378                         format: date-time
379                       message:
380                         description: Message is a human readable description of the details of the last transition, complementing reason.
381                         type: string
382                       reason:
383                         description: Reason is a brief machine readable explanation for the condition's last transition.
384                         type: string
385                       status:
386                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
387                         type: string
388                         enum:
389                           - "True"
390                           - "False"
391                           - Unknown
392                       type:
393                         description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
394                         type: string
395                 failureTime:
396                   description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
397                   type: string
398                   format: date-time
399       served: true  # the API server still accepts and returns this version; the CRD's conversion strategy is Webhook
400       storage: false  # not the version objects are persisted in
401     - name: v1beta1
402       subresources:
403         status: {}
404       additionalPrinterColumns:
405         - jsonPath: .status.conditions[?(@.type=="Approved")].status
406           name: Approved
407           type: string
408         - jsonPath: .status.conditions[?(@.type=="Denied")].status
409           name: Denied
410           type: string
411         - jsonPath: .status.conditions[?(@.type=="Ready")].status
412           name: Ready
413           type: string
414         - jsonPath: .spec.issuerRef.name
415           name: Issuer
416           type: string
417         - jsonPath: .spec.username
418           name: Requestor
419           type: string
420         - jsonPath: .status.conditions[?(@.type=="Ready")].message
421           name: Status
422           priority: 1
423           type: string
424         - jsonPath: .metadata.creationTimestamp
425           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
426           name: Age
427           type: date
428       schema:
429         openAPIV3Schema:
430           description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
431           type: object
432           required:
433             - spec
434           properties:
435             apiVersion:
436               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
437               type: string
438             kind:
439               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
440               type: string
441             metadata:
442               type: object
443             spec:
444               description: Desired state of the CertificateRequest resource.
445               type: object
446               required:
447                 - issuerRef
448                 - request
449               properties:
450                 duration:
451                   description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
452                   type: string
453                 extra:
454                   description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
455                   type: object
456                   additionalProperties:
457                     type: array
458                     items:
459                       type: string
460                 groups:
461                   description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
462                   type: array
463                   items:
464                     type: string
465                   x-kubernetes-list-type: atomic
466                 isCA:
467                   description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
468                   type: boolean
469                 issuerRef:
470                   description: IssuerRef is a reference to the issuer for this CertificateRequest.  If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
471                   type: object
472                   required:
473                     - name
474                   properties:
475                     group:
476                       description: Group of the resource being referred to.
477                       type: string
478                     kind:
479                       description: Kind of the resource being referred to.
480                       type: string
481                     name:
482                       description: Name of the resource being referred to.
483                       type: string
484                 request:
485                   description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
486                   type: string
487                   format: byte
488                 uid:
489                   description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
490                   type: string
491                 usages:
492                   description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
493                   type: array
494                   items:
495                     description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-      https://tools.ietf.org/html/rfc5280#section- Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
496                     type: string
497                     enum:
498                       - signing
499                       - digital signature
500                       - content commitment
501                       - key encipherment
502                       - key agreement
503                       - data encipherment
504                       - cert sign
505                       - crl sign
506                       - encipher only
507                       - decipher only
508                       - any
509                       - server auth
510                       - client auth
511                       - code signing
512                       - email protection
513                       - s/mime
514                       - ipsec end system
515                       - ipsec tunnel
516                       - ipsec user
517                       - timestamping
518                       - ocsp signing
519                       - microsoft sgc
520                       - netscape sgc
521                 username:
522                   description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
523                   type: string
524             status:
525               description: Status of the CertificateRequest. This is set and managed automatically.
526               type: object
527               properties:
528                 ca:
529                   description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
530                   type: string
531                   format: byte
532                 certificate:
533                   description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
534                   type: string
535                   format: byte
536                 conditions:
537                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
538                   type: array
539                   items:
540                     description: CertificateRequestCondition contains condition information for a CertificateRequest.
541                     type: object
542                     required:
543                       - status
544                       - type
545                     properties:
546                       lastTransitionTime:
547                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
548                         type: string
549                         format: date-time
550                       message:
551                         description: Message is a human readable description of the details of the last transition, complementing reason.
552                         type: string
553                       reason:
554                         description: Reason is a brief machine readable explanation for the condition's last transition.
555                         type: string
556                       status:
557                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
558                         type: string
559                         enum:
560                           - "True"
561                           - "False"
562                           - Unknown
563                       type:
564                         description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
565                         type: string
566                 failureTime:
567                   description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
568                   type: string
569                   format: date-time
570       served: true
571       storage: false
572     - name: v1
573       subresources:
574         status: {}
575       additionalPrinterColumns:
576         - jsonPath: .status.conditions[?(@.type=="Approved")].status
577           name: Approved
578           type: string
579         - jsonPath: .status.conditions[?(@.type=="Denied")].status
580           name: Denied
581           type: string
582         - jsonPath: .status.conditions[?(@.type=="Ready")].status
583           name: Ready
584           type: string
585         - jsonPath: .spec.issuerRef.name
586           name: Issuer
587           type: string
588         - jsonPath: .spec.username
589           name: Requestor
590           type: string
591         - jsonPath: .status.conditions[?(@.type=="Ready")].message
592           name: Status
593           priority: 1
594           type: string
595         - jsonPath: .metadata.creationTimestamp
596           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
597           name: Age
598           type: date
599       schema:
600         openAPIV3Schema:
601           description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
602           type: object
603           required:
604             - spec
605           properties:
606             apiVersion:
607               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
608               type: string
609             kind:
610               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
611               type: string
612             metadata:
613               type: object
614             spec:
615               description: Desired state of the CertificateRequest resource.
616               type: object
617               required:
618                 - issuerRef
619                 - request
620               properties:
621                 duration:
622                   description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types.
623                   type: string
624                 extra:
                      # NOTE(review): `extra`, `groups`, `uid` and `username` carry the identity of
                      # the requester. Their descriptions say they are populated by the cert-manager
                      # webhook and are immutable, but nothing in this schema enforces either
                      # property: the values are only trustworthy while that webhook is in the
                      # admission path for this resource. Anything that approves or signs requests
                      # based on these fields presumably depends on that - confirm.
625                   description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
626                   type: object
627                   additionalProperties:
628                     type: array
629                     items:
630                       type: string
631                 groups:
632                   description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
633                   type: array
634                   items:
635                     type: string
636                   x-kubernetes-list-type: atomic
637                 isCA:
                      # NOTE(review): a request with isCA set asks for a certificate that can itself
                      # sign certificates (the description says `cert sign` is added to `usages`).
                      # The schema is a plain boolean, so anyone allowed to create
                      # CertificateRequests can set it; restricting CA issuance is left to RBAC
                      # and to whatever approves requests - confirm such a policy exists.
638                   description: IsCA will request to mark the certificate as valid for certificate signing when submitting to the issuer. This will automatically add the `cert sign` usage to the list of `usages`.
639                   type: boolean
640                 issuerRef:
                      # NOTE(review): `group` and `kind` below are plain strings with no enum, so
                      # schema validation accepts any value. Per the description, `kind: ClusterIssuer`
                      # selects a cluster-scoped issuer instead of one in the request's namespace.
                      # Which issuers a namespace may reference is therefore not limited here and
                      # has to be enforced elsewhere (RBAC, request approval) - confirm.
641                   description: IssuerRef is a reference to the issuer for this CertificateRequest.  If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the CertificateRequest will be used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to `cert-manager.io` if empty.
642                   type: object
643                   required:
644                     - name
645                   properties:
646                     group:
647                       description: Group of the resource being referred to.
648                       type: string
649                     kind:
650                       description: Kind of the resource being referred to.
651                       type: string
652                     name:
653                       description: Name of the resource being referred to.
654                       type: string
655                 request:
                      # NOTE(review): the CSR is supplied by the requester. `format: byte` only
                      # describes how the value is carried (base64 in the API object); this schema
                      # does not check that it is a well-formed CSR. The sibling fields `usages`,
                      # `isCA` and `duration` state what is being asked for - presumably the webhook
                      # or the signer checks that they agree with the CSR; confirm.
656                   description: The PEM-encoded x509 certificate signing request to be submitted to the CA for signing.
657                   type: string
658                   format: byte
659                 uid:
660                   description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
661                   type: string
662                 usages:
663                   description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec. Defaults to `digital signature` and `key encipherment` if not specified.
664                   type: array
665                   items:
666                     description: 'KeyUsage specifies valid usage contexts for keys (see https://tools.ietf.org/html/rfc5280#section-4.2.1.3 and https://tools.ietf.org/html/rfc5280#section-4.2.1.12). Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
667                     type: string
668                     enum:
669                       - signing
670                       - digital signature
671                       - content commitment
672                       - key encipherment
673                       - key agreement
674                       - data encipherment
675                       - cert sign
676                       - crl sign
677                       - encipher only
678                       - decipher only
679                       - any
680                       - server auth
681                       - client auth
682                       - code signing
683                       - email protection
684                       - s/mime
685                       - ipsec end system
686                       - ipsec tunnel
687                       - ipsec user
688                       - timestamping
689                       - ocsp signing
690                       - microsoft sgc
691                       - netscape sgc
692                 username:
693                   description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
694                   type: string
695             status:
696               description: Status of the CertificateRequest. This is set and managed automatically.
697               type: object
698               properties:
699                 ca:
                      # NOTE(review): per the description this value is reported by the issuer on a
                      # best-effort basis and may be missing. Treat it as informational rather than
                      # as the trust anchor used to verify the issued certificate; trusted CA
                      # certificates are better distributed through a separate channel.
700                   description: The PEM encoded x509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
701                   type: string
702                   format: byte
703                 certificate:
704                   description: The PEM encoded x509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
705                   type: string
706                   format: byte
707                 conditions:
708                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
709                   type: array
710                   items:
711                     description: CertificateRequestCondition contains condition information for a CertificateRequest.
712                     type: object
713                     required:
714                       - status
715                       - type
716                     properties:
717                       lastTransitionTime:
718                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
719                         type: string
720                         format: date-time
721                       message:
722                         description: Message is a human readable description of the details of the last transition, complementing reason.
723                         type: string
724                       reason:
725                         description: Reason is a brief machine readable explanation for the condition's last transition.
726                         type: string
727                       status:
728                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
729                         type: string
730                         enum:
731                           - "True"
732                           - "False"
733                           - Unknown
734                       type:
735                         description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
736                         type: string
737                 failureTime:
738                   description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
739                   type: string
740                   format: date-time
741       served: true
742       storage: true
743 ---
744 # Source: cert-manager/templates/templates.out
745 apiVersion: apiextensions.k8s.io/v1
746 kind: CustomResourceDefinition
747 metadata:
748   name: certificates.cert-manager.io
749   annotations:
        # Names a Secret, apparently as <namespace>/<name>, whose CA is meant to be
        # injected into this CRD so that the API server can verify the conversion
        # webhook's serving certificate (spec.conversion sets no caBundle itself).
        # NOTE(review): whoever can replace that Secret decides which serving
        # certificate is accepted for conversion calls - confirm that write access to
        # it is limited to cert-manager's own components.
750     cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
751   labels:
752     app: 'cert-manager'
753     app.kubernetes.io/name: 'cert-manager'
754     app.kubernetes.io/instance: 'cert-manager'
755     # Generated labels. The version label records the upstream release this manifest was rendered from; TODO(review): check that release is still receiving upstream fixes when updating.
756     app.kubernetes.io/version: "v1.5.3"
757 spec:
758   group: cert-manager.io
759   names:
760     kind: Certificate
761     listKind: CertificateList
762     plural: certificates
763     shortNames:
764       - cert
765       - certs
766     singular: certificate
767     categories:
768       - cert-manager
769   scope: Namespaced
770   conversion:
771     # The Webhook strategy instructs the API server to call an external webhook for any conversion between versions of this custom resource.
772     strategy: Webhook
773     # The `webhook` stanza is required when strategy is `Webhook`; it configures the webhook endpoint that the API server calls.
774     webhook:
775       # We don't actually support `v1beta1`, but it is listed here as it is a
776       # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
777       # API server reads the supported versions in order, so it _should always_
778       # attempt a `v1` request, which is understood by the cert-manager webhook.
779       # Any `v1beta1` request will return an error and fail closed for that
780       # resource (the whole object request is rejected).
781       # When we no longer support v1.16 we can remove `v1beta1` from this list.
782       conversionReviewVersions: ["v1", "v1beta1"]
783       clientConfig:
784         # In-cluster Service reference. No caBundle is set here; see the cert-manager.io/inject-ca-from-secret annotation in metadata. NOTE(review): confirm the CA is actually injected before relying on conversion.
785         service:
786           name: 'cert-manager-webhook'
787           namespace: "cert-manager"
788           path: /convert
789           # NOTE(review): conversion goes through this Service, so presumably requests that need conversion fail while it is unreachable - confirm, and treat write access to it as sensitive.
790   versions:
791     - name: v1alpha2
792       subresources:
793         status: {}
794       additionalPrinterColumns:
795         - jsonPath: .status.conditions[?(@.type=="Ready")].status
796           name: Ready
797           type: string
798         - jsonPath: .spec.secretName
799           name: Secret
800           type: string
801         - jsonPath: .spec.issuerRef.name
802           name: Issuer
803           priority: 1
804           type: string
805         - jsonPath: .status.conditions[?(@.type=="Ready")].message
806           name: Status
807           priority: 1
808           type: string
809         - jsonPath: .metadata.creationTimestamp
810           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
811           name: Age
812           type: date
813       schema:
814         openAPIV3Schema:
815           description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
816           type: object
817           properties:
818             apiVersion:
819               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
820               type: string
821             kind:
822               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
823               type: string
824             metadata:
825               type: object
826             spec:
827               description: Desired state of the Certificate resource.
828               type: object
829               required:
830                 - issuerRef
831                 - secretName
832               properties:
833                 commonName:
834                   description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
835                   type: string
836                 dnsNames:
837                   description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
838                   type: array
839                   items:
840                     type: string
841                 duration:
842                   description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
843                   type: string
844                 emailSANs:
845                   description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
846                   type: array
847                   items:
848                     type: string
849                 encodeUsagesInRequest:
850                   description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
851                   type: boolean
852                 ipAddresses:
853                   description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
854                   type: array
855                   items:
856                     type: string
857                 isCA:
                      # NOTE(review): setting isCA yields a certificate that is valid for signing
                      # other certificates (the description says `cert sign` is added to `usages`),
                      # and its private key is stored in the Secret named by `spec.secretName`.
                      # The schema is a plain boolean, so limiting who may create CA Certificates
                      # is left to RBAC and issuer-side policy - confirm.
858                   description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
859                   type: boolean
860                 issuerRef:
861                   description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
862                   type: object
863                   required:
864                     - name
865                   properties:
866                     group:
867                       description: Group of the resource being referred to.
868                       type: string
869                     kind:
870                       description: Kind of the resource being referred to.
871                       type: string
872                     name:
873                       description: Name of the resource being referred to.
874                       type: string
875                 keyAlgorithm:
876                   description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa`. If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm.
877                   type: string
878                   enum:
879                     - rsa
880                     - ecdsa
881                 keyEncoding:
882                   description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
883                   type: string
884                   enum:
885                     - pkcs1
886                     - pkcs8
887                 keySize:
                      # NOTE(review): `type: integer` with no enum, minimum or maximum - the sizes
                      # listed in the description are not enforced by this schema, so rejecting
                      # other (e.g. too small) values must happen in the webhook or controller.
                      # TODO confirm that it does.
888                   description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
889                   type: integer
890                 keystores:
                      # NOTE(review): both keystore formats are written into the same Secret as the
                      # key pair (`spec.secretName`) and are encrypted with a password read from
                      # another Secret, referenced by name and key only (this schema has no
                      # namespace field for it). Anyone who can read both Secrets can open the
                      # keystore. Per the descriptions the keystore file is only rewritten on
                      # re-issuance, so changing the password Secret presumably does not
                      # re-encrypt an existing keystore until then - confirm.
891                   description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
892                   type: object
893                   properties:
894                     jks:
895                       description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
896                       type: object
897                       required:
898                         - create
899                         - passwordSecretRef
900                       properties:
901                         create:
902                           description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
903                           type: boolean
904                         passwordSecretRef:
905                           description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
906                           type: object
907                           required:
908                             - name
909                           properties:
910                             key:
911                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
912                               type: string
913                             name:
914                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
915                               type: string
916                     pkcs12:
917                       description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
918                       type: object
919                       required:
920                         - create
921                         - passwordSecretRef
922                       properties:
923                         create:
924                           description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
925                           type: boolean
926                         passwordSecretRef:
927                           description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
928                           type: object
929                           required:
930                             - name
931                           properties:
932                             key:
933                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
934                               type: string
935                             name:
936                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
937                               type: string
938                 organization:
939                   description: Organization is a list of organizations to be used on the Certificate.
940                   type: array
941                   items:
942                     type: string
943                 privateKey:
                      # NOTE(review): `rotationPolicy` is a plain string here (no enum), so the schema
                      # does not reject unknown values. With the documented default `Never`, the
                      # private key already in the Secret is reused on every renewal, so a key that
                      # has leaked once stays in use across re-issuances; `Always` generates a new
                      # key at each re-issuance. Choose `Always` where key rotation is required.
944                   description: Options to control private keys used for the Certificate.
945                   type: object
946                   properties:
947                     rotationPolicy:
948                       description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
949                       type: string
950                 renewBefore:
951                   description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
952                   type: string
953                 revisionHistoryLimit:
954                   description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
955                   type: integer
956                   format: int32
957                 secretName:
                      # NOTE(review): the named Secret receives the private key as well as the
                      # certificate, so read access to Secrets in the Certificate's namespace is
                      # equivalent to access to the key. Scope `get`/`list`/`watch` on Secrets
                      # accordingly.
958                   description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
959                   type: string
960                 secretTemplate:
                      # NOTE(review): these labels and annotations are copied onto a Secret that holds
                      # key material. Per the description they are not removed from the Secret when
                      # they are removed from the template, so a label or annotation that other
                      # tooling selects on presumably keeps matching until it is cleaned up by
                      # hand - confirm before using it to opt a Secret in or out of anything.
961                   description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
962                   type: object
963                   properties:
964                     annotations:
965                       description: Annotations is a key value map to be copied to the target Kubernetes Secret.
966                       type: object
967                       additionalProperties:
968                         type: string
969                     labels:
970                       description: Labels is a key value map to be copied to the target Kubernetes Secret.
971                       type: object
972                       additionalProperties:
973                         type: string
974                 subject:
975                   description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
976                   type: object
977                   properties:
978                     countries:
979                       description: Countries to be used on the Certificate.
980                       type: array
981                       items:
982                         type: string
983                     localities:
984                       description: Cities to be used on the Certificate.
985                       type: array
986                       items:
987                         type: string
988                     organizationalUnits:
989                       description: Organizational Units to be used on the Certificate.
990                       type: array
991                       items:
992                         type: string
993                     postalCodes:
994                       description: Postal codes to be used on the Certificate.
995                       type: array
996                       items:
997                         type: string
998                     provinces:
999                       description: State/Provinces to be used on the Certificate.
1000                       type: array
1001                       items:
1002                         type: string
1003                     serialNumber:
1004                       description: Serial number to be used on the Certificate.
1005                       type: string
1006                     streetAddresses:
1007                       description: Street addresses to be used on the Certificate.
1008                       type: array
1009                       items:
1010                         type: string
1011                 uriSANs:
1012                   description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1013                   type: array
1014                   items:
1015                     type: string
1016                 usages:
1017                   description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1018                   type: array
1019                   items:
1020                     description: 'KeyUsage specifies valid usage contexts for keys (see https://tools.ietf.org/html/rfc5280#section-4.2.1.3 and https://tools.ietf.org/html/rfc5280#section-4.2.1.12). Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1021                     type: string
1022                     enum:
1023                       - signing
1024                       - digital signature
1025                       - content commitment
1026                       - key encipherment
1027                       - key agreement
1028                       - data encipherment
1029                       - cert sign
1030                       - crl sign
1031                       - encipher only
1032                       - decipher only
1033                       - any
1034                       - server auth
1035                       - client auth
1036                       - code signing
1037                       - email protection
1038                       - s/mime
1039                       - ipsec end system
1040                       - ipsec tunnel
1041                       - ipsec user
1042                       - timestamping
1043                       - ocsp signing
1044                       - microsoft sgc
1045                       - netscape sgc
1046             status:
1047               description: Status of the Certificate. This is set and managed automatically.
1048               type: object
1049               properties:
1050                 conditions:
1051                   description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1052                   type: array
1053                   items:
1054                     description: CertificateCondition contains condition information for an Certificate.
1055                     type: object
1056                     required:
1057                       - status
1058                       - type
1059                     properties:
1060                       lastTransitionTime:
1061                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1062                         type: string
1063                         format: date-time
1064                       message:
1065                         description: Message is a human readable description of the details of the last transition, complementing reason.
1066                         type: string
1067                       observedGeneration:
1068                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1069                         type: integer
1070                         format: int64
1071                       reason:
1072                         description: Reason is a brief machine readable explanation for the condition's last transition.
1073                         type: string
1074                       status:
1075                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
1076                         type: string
1077                         enum:
1078                           - "True"
1079                           - "False"
1080                           - Unknown
1081                       type:
1082                         description: Type of the condition, known values are (`Ready`, `Issuing`).
1083                         type: string
1084                 lastFailureTime:
1085                   description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1086                   type: string
1087                   format: date-time
1088                 nextPrivateKeySecretName:
1089                   description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1090                   type: string
1091                 notAfter:
1092                   description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1093                   type: string
1094                   format: date-time
1095                 notBefore:
1096                   description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1097                   type: string
1098                   format: date-time
1099                 renewalTime:
1100                   description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1101                   type: string
1102                   format: date-time
1103                 revision:
1104                   description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1105                   type: integer
1106       served: true
1107       storage: false
1108     - name: v1alpha3
1109       subresources:
1110         status: {}
1111       additionalPrinterColumns:
1112         - jsonPath: .status.conditions[?(@.type=="Ready")].status
1113           name: Ready
1114           type: string
1115         - jsonPath: .spec.secretName
1116           name: Secret
1117           type: string
1118         - jsonPath: .spec.issuerRef.name
1119           name: Issuer
1120           priority: 1
1121           type: string
1122         - jsonPath: .status.conditions[?(@.type=="Ready")].message
1123           name: Status
1124           priority: 1
1125           type: string
1126         - jsonPath: .metadata.creationTimestamp
1127           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1128           name: Age
1129           type: date
1130       schema:
1131         openAPIV3Schema:
1132           description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1133           type: object
1134           properties:
1135             apiVersion:
1136               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1137               type: string
1138             kind:
1139               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1140               type: string
1141             metadata:
1142               type: object
1143             spec:
1144               description: Desired state of the Certificate resource.
1145               type: object
1146               required:
1147                 - issuerRef
1148                 - secretName
1149               properties:
1150                 commonName:
1151                   description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1152                   type: string
1153                 dnsNames:
1154                   description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1155                   type: array
1156                   items:
1157                     type: string
1158                 duration:
1159                   description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1160                   type: string
1161                 emailSANs:
1162                   description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
1163                   type: array
1164                   items:
1165                     type: string
1166                 encodeUsagesInRequest:
1167                   description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1168                   type: boolean
1169                 ipAddresses:
1170                   description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1171                   type: array
1172                   items:
1173                     type: string
1174                 isCA:
                       # Security: a Certificate with isCA set to true can sign further certificates.
                       # The schema constrains the field only to a boolean, so who may set it has to
                       # be limited outside the CRD (RBAC on Certificate objects, admission policy).
1175                   description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1176                   type: boolean
1177                 issuerRef:
1178                   description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1179                   type: object
1180                   required:
1181                     - name
1182                   properties:
1183                     group:
1184                       description: Group of the resource being referred to.
1185                       type: string
1186                     kind:
1187                       description: Kind of the resource being referred to.
1188                       type: string
1189                     name:
1190                       description: Name of the resource being referred to.
1191                       type: string
1192                 keyAlgorithm:
1193                   description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `rsa` or `ecdsa` If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for `ecdsa` key algorithm and key size of 2048 will be used for `rsa` key algorithm.
1194                   type: string
1195                   enum:
1196                     - rsa
1197                     - ecdsa
1198                 keyEncoding:
1199                   description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are `pkcs1` and `pkcs8` standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then `pkcs1` will be used by default.
1200                   type: string
1201                   enum:
1202                     - pkcs1
1203                     - pkcs8
1204                 keySize:
                       # NOTE(review): the permitted sizes are stated only in the description. The
                       # schema declares a bare integer with no enum or minimum, so structural
                       # validation alone will not reject an undersized key. Presumably the
                       # cert-manager webhook/controller enforces the list; confirm before relying on it.
1205                   description: KeySize is the key bit size of the corresponding private key for this certificate. If `keyAlgorithm` is set to `rsa`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `keyAlgorithm` is set to `ecdsa`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
1206                   type: integer
1207                 keystores:
1208                   description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1209                   type: object
1210                   properties:
1211                     jks:
1212                       description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1213                       type: object
1214                       required:
1215                         - create
1216                         - passwordSecretRef
1217                       properties:
1218                         create:
1219                           description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority.
1220                           type: boolean
1221                         passwordSecretRef:
1222                           description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1223                           type: object
1224                           required:
1225                             - name
1226                           properties:
1227                             key:
1228                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1229                               type: string
1230                             name:
1231                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1232                               type: string
1233                     pkcs12:
1234                       description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1235                       type: object
1236                       required:
1237                         - create
1238                         - passwordSecretRef
1239                       properties:
1240                         create:
1241                           description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority.
1242                           type: boolean
1243                         passwordSecretRef:
1244                           description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1245                           type: object
1246                           required:
1247                             - name
1248                           properties:
1249                             key:
1250                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1251                               type: string
1252                             name:
1253                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1254                               type: string
1255                 privateKey:
                       # Private-key handling options for the Certificate; only rotationPolicy is defined here.
1256                   description: Options to control private keys used for the Certificate.
1257                   type: object
1258                   properties:
1259                     rotationPolicy:
                           # The field is a free-form string (no enum), although the description names
                           # only `Never` and `Always`.
                           # Security: with the default `Never`, the private key already stored in
                           # `spec.secretName` is reused on re-issuance, so renewing the certificate does
                           # not rotate key material. Set `Always` where a renewal should also yield a new key.
1260                       description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
1261                       type: string
1262                 renewBefore:
1263                   description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1264                   type: string
1265                 revisionHistoryLimit:
1266                   description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1267                   type: integer
1268                   format: int32
1269                 secretName:
                       # Security: the named Secret is populated with the private key as well as the
                       # certificate, so read access to Secrets in the Certificate's namespace amounts
                       # to access to the key. Scope RBAC on Secrets accordingly.
1270                   description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1271                   type: string
1272                 secretTemplate:
1273                   description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1274                   type: object
1275                   properties:
1276                     annotations:
1277                       description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1278                       type: object
1279                       additionalProperties:
1280                         type: string
1281                     labels:
1282                       description: Labels is a key value map to be copied to the target Kubernetes Secret.
1283                       type: object
1284                       additionalProperties:
1285                         type: string
1286                 subject:
1287                   description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1288                   type: object
1289                   properties:
1290                     countries:
1291                       description: Countries to be used on the Certificate.
1292                       type: array
1293                       items:
1294                         type: string
1295                     localities:
1296                       description: Cities to be used on the Certificate.
1297                       type: array
1298                       items:
1299                         type: string
1300                     organizationalUnits:
1301                       description: Organizational Units to be used on the Certificate.
1302                       type: array
1303                       items:
1304                         type: string
1305                     organizations:
1306                       description: Organizations to be used on the Certificate.
1307                       type: array
1308                       items:
1309                         type: string
1310                     postalCodes:
1311                       description: Postal codes to be used on the Certificate.
1312                       type: array
1313                       items:
1314                         type: string
1315                     provinces:
1316                       description: State/Provinces to be used on the Certificate.
1317                       type: array
1318                       items:
1319                         type: string
1320                     serialNumber:
1321                       description: Serial number to be used on the Certificate.
1322                       type: string
1323                     streetAddresses:
1324                       description: Street addresses to be used on the Certificate.
1325                       type: array
1326                       items:
1327                         type: string
1328                 uriSANs:
1329                   description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1330                   type: array
1331                   items:
1332                     type: string
1333                 usages:
1334                   description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1335                   type: array
1336                   items:
1337                     description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1338                     type: string
1339                     enum:
                           # Closed list of accepted usage strings. It mixes X.509 key-usage bits
                           # (`digital signature`, `key encipherment`, `cert sign`, ...) with extended
                           # key usages (`server auth`, `client auth`, `code signing`, ...).
                           # Security: `cert sign` and `crl sign` are CA capabilities, and `any`
                           # presumably maps to the unrestricted anyExtendedKeyUsage purpose (confirm
                           # against the controller). Request only the usages the workload needs.
1340                       - signing
1341                       - digital signature
1342                       - content commitment
1343                       - key encipherment
1344                       - key agreement
1345                       - data encipherment
1346                       - cert sign
1347                       - crl sign
1348                       - encipher only
1349                       - decipher only
1350                       - any
1351                       - server auth
1352                       - client auth
1353                       - code signing
1354                       - email protection
1355                       - s/mime
1356                       - ipsec end system
1357                       - ipsec tunnel
1358                       - ipsec user
1359                       - timestamping
1360                       - ocsp signing
1361                       - microsoft sgc
1362                       - netscape sgc
1363             status:
1364               description: Status of the Certificate. This is set and managed automatically.
1365               type: object
1366               properties:
1367                 conditions:
1368                   description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1369                   type: array
1370                   items:
1371                     description: CertificateCondition contains condition information for an Certificate.
1372                     type: object
1373                     required:
1374                       - status
1375                       - type
1376                     properties:
1377                       lastTransitionTime:
1378                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1379                         type: string
1380                         format: date-time
1381                       message:
1382                         description: Message is a human readable description of the details of the last transition, complementing reason.
1383                         type: string
1384                       observedGeneration:
1385                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1386                         type: integer
1387                         format: int64
1388                       reason:
1389                         description: Reason is a brief machine readable explanation for the condition's last transition.
1390                         type: string
1391                       status:
1392                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
1393                         type: string
1394                         enum:
1395                           - "True"
1396                           - "False"
1397                           - Unknown
1398                       type:
1399                         description: Type of the condition, known values are (`Ready`, `Issuing`).
1400                         type: string
1401                 lastFailureTime:
1402                   description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1403                   type: string
1404                   format: date-time
1405                 nextPrivateKeySecretName:
1406                   description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1407                   type: string
1408                 notAfter:
1409                   description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1410                   type: string
1411                   format: date-time
1412                 notBefore:
1413                   description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1414                   type: string
1415                   format: date-time
1416                 renewalTime:
1417                   description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1418                   type: string
1419                   format: date-time
1420                 revision:
1421                   description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1422                   type: integer
1423       served: true
           # v1alpha3 is still served by the API server but is not the persisted version
           # (storage: false); objects submitted in this version are stored in another version.
           # NOTE(review): upstream cert-manager deprecated its pre-v1 API versions. Confirm
           # against the upstream release notes, and check that no manifest still uses
           # cert-manager.io/v1alpha3 before upgrading past the v1.5.3 labelled in this file.
1424       storage: false
1425     - name: v1beta1
1426       subresources:
1427         status: {}
1428       additionalPrinterColumns:
1429         - jsonPath: .status.conditions[?(@.type=="Ready")].status
1430           name: Ready
1431           type: string
1432         - jsonPath: .spec.secretName
1433           name: Secret
1434           type: string
1435         - jsonPath: .spec.issuerRef.name
1436           name: Issuer
1437           priority: 1
1438           type: string
1439         - jsonPath: .status.conditions[?(@.type=="Ready")].message
1440           name: Status
1441           priority: 1
1442           type: string
1443         - jsonPath: .metadata.creationTimestamp
1444           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1445           name: Age
1446           type: date
1447       schema:
1448         openAPIV3Schema:
1449           description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1450           type: object
1451           required:
1452             - spec
1453           properties:
1454             apiVersion:
1455               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1456               type: string
1457             kind:
1458               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1459               type: string
1460             metadata:
1461               type: object
1462             spec:
1463               description: Desired state of the Certificate resource.
1464               type: object
1465               required:
1466                 - issuerRef
1467                 - secretName
1468               properties:
1469                 commonName:
1470                   description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1471                   type: string
1472                 dnsNames:
1473                   description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1474                   type: array
1475                   items:
1476                     type: string
1477                 duration:
1478                   description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1479                   type: string
1480                 emailSANs:
1481                   description: EmailSANs is a list of email subjectAltNames to be set on the Certificate.
1482                   type: array
1483                   items:
1484                     type: string
1485                 encodeUsagesInRequest:
1486                   description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1487                   type: boolean
1488                 ipAddresses:
1489                   description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1490                   type: array
1491                   items:
1492                     type: string
1493                 isCA:
1494                   description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1495                   type: boolean
1496                 issuerRef:
1497                   description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1498                   type: object
1499                   required:
1500                     - name
1501                   properties:
1502                     group:
1503                       description: Group of the resource being referred to.
1504                       type: string
1505                     kind:
1506                       description: Kind of the resource being referred to.
1507                       type: string
1508                     name:
1509                       description: Name of the resource being referred to.
1510                       type: string
1511                 keystores:
1512                   description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1513                   type: object
1514                   properties:
1515                     jks:
1516                       description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1517                       type: object
1518                       required:
1519                         - create
1520                         - passwordSecretRef
1521                       properties:
1522                         create:
1523                           description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
1524                           type: boolean
1525                         passwordSecretRef:
1526                           description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1527                           type: object
1528                           required:
1529                             - name
1530                           properties:
1531                             key:
1532                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1533                               type: string
1534                             name:
1535                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1536                               type: string
1537                     pkcs12:
1538                       description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1539                       type: object
1540                       required:
1541                         - create
1542                         - passwordSecretRef
1543                       properties:
1544                         create:
1545                           description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance.
1546                           type: boolean
1547                         passwordSecretRef:
1548                           description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1549                           type: object
1550                           required:
1551                             - name
1552                           properties:
1553                             key:
1554                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1555                               type: string
1556                             name:
1557                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1558                               type: string
1559                 privateKey:
1560                   description: Options to control private keys used for the Certificate.
1561                   type: object
1562                   properties:
1563                     algorithm:
1564                       description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA` or `ECDSA`. If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm.
1565                       type: string
1566                       enum:
1567                         - RSA
1568                         - ECDSA
1569                     encoding:
1570                       description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
1571                       type: string
1572                       enum:
1573                         - PKCS1
1574                         - PKCS8
1575                     rotationPolicy:
1576                       description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
1577                       type: string
1578                     size:
1579                       description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
1580                       type: integer
1581                 renewBefore:
1582                   description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1583                   type: string
1584                 revisionHistoryLimit:
1585                   description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1586                   type: integer
1587                   format: int32
1588                 secretName:
1589                   description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1590                   type: string
1591                 secretTemplate:
1592                   description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1593                   type: object
1594                   properties:
1595                     annotations:
1596                       description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1597                       type: object
1598                       additionalProperties:
1599                         type: string
1600                     labels:
1601                       description: Labels is a key value map to be copied to the target Kubernetes Secret.
1602                       type: object
1603                       additionalProperties:
1604                         type: string
1605                 subject:
1606                   description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1607                   type: object
1608                   properties:
1609                     countries:
1610                       description: Countries to be used on the Certificate.
1611                       type: array
1612                       items:
1613                         type: string
1614                     localities:
1615                       description: Cities to be used on the Certificate.
1616                       type: array
1617                       items:
1618                         type: string
1619                     organizationalUnits:
1620                       description: Organizational Units to be used on the Certificate.
1621                       type: array
1622                       items:
1623                         type: string
1624                     organizations:
1625                       description: Organizations to be used on the Certificate.
1626                       type: array
1627                       items:
1628                         type: string
1629                     postalCodes:
1630                       description: Postal codes to be used on the Certificate.
1631                       type: array
1632                       items:
1633                         type: string
1634                     provinces:
1635                       description: State/Provinces to be used on the Certificate.
1636                       type: array
1637                       items:
1638                         type: string
1639                     serialNumber:
1640                       description: Serial number to be used on the Certificate.
1641                       type: string
1642                     streetAddresses:
1643                       description: Street addresses to be used on the Certificate.
1644                       type: array
1645                       items:
1646                         type: string
1647                 uriSANs:
1648                   description: URISANs is a list of URI subjectAltNames to be set on the Certificate.
1649                   type: array
1650                   items:
1651                     type: string
1652                 usages:
1653                   description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1654                   type: array
1655                   items:
1656                     description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1657                     type: string
1658                     enum:
1659                       - signing
1660                       - digital signature
1661                       - content commitment
1662                       - key encipherment
1663                       - key agreement
1664                       - data encipherment
1665                       - cert sign
1666                       - crl sign
1667                       - encipher only
1668                       - decipher only
1669                       - any
1670                       - server auth
1671                       - client auth
1672                       - code signing
1673                       - email protection
1674                       - s/mime
1675                       - ipsec end system
1676                       - ipsec tunnel
1677                       - ipsec user
1678                       - timestamping
1679                       - ocsp signing
1680                       - microsoft sgc
1681                       - netscape sgc
1682             status:
1683               description: Status of the Certificate. This is set and managed automatically.
1684               type: object
1685               properties:
1686                 conditions:
1687                   description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
1688                   type: array
1689                   items:
1690                     description: CertificateCondition contains condition information for a Certificate.
1691                     type: object
1692                     required:
1693                       - status
1694                       - type
1695                     properties:
1696                       lastTransitionTime:
1697                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
1698                         type: string
1699                         format: date-time
1700                       message:
1701                         description: Message is a human readable description of the details of the last transition, complementing reason.
1702                         type: string
1703                       observedGeneration:
1704                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
1705                         type: integer
1706                         format: int64
1707                       reason:
1708                         description: Reason is a brief machine readable explanation for the condition's last transition.
1709                         type: string
1710                       status:
1711                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
1712                         type: string
1713                         enum:
1714                           - "True"
1715                           - "False"
1716                           - Unknown
1717                       type:
1718                         description: Type of the condition, known values are (`Ready`, `Issuing`).
1719                         type: string
1720                 lastFailureTime:
1721                   description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
1722                   type: string
1723                   format: date-time
1724                 nextPrivateKeySecretName:
1725                   description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
1726                   type: string
1727                 notAfter:
1728                   description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
1729                   type: string
1730                   format: date-time
1731                 notBefore:
1732                   description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
1733                   type: string
1734                   format: date-time
1735                 renewalTime:
1736                   description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
1737                   type: string
1738                   format: date-time
1739                 revision:
1740                   description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
1741                   type: integer
1742       served: true
1743       storage: false
1744     - name: v1
1745       subresources:
1746         status: {}
1747       additionalPrinterColumns:
1748         - jsonPath: .status.conditions[?(@.type=="Ready")].status
1749           name: Ready
1750           type: string
1751         - jsonPath: .spec.secretName
1752           name: Secret
1753           type: string
1754         - jsonPath: .spec.issuerRef.name
1755           name: Issuer
1756           priority: 1
1757           type: string
1758         - jsonPath: .status.conditions[?(@.type=="Ready")].message
1759           name: Status
1760           priority: 1
1761           type: string
1762         - jsonPath: .metadata.creationTimestamp
1763           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1764           name: Age
1765           type: date
1766       schema:
1767         openAPIV3Schema:
1768           description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
1769           type: object
1770           required:
1771             - spec
1772           properties:
1773             apiVersion:
1774               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1775               type: string
1776             kind:
1777               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1778               type: string
1779             metadata:
1780               type: object
1781             spec:
1782               description: Desired state of the Certificate resource.
1783               type: object
1784               required:
1785                 - issuerRef
1786                 - secretName
1787               properties:
1788                 commonName:
1789                   description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
1790                   type: string
1791                 dnsNames:
1792                   description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
1793                   type: array
1794                   items:
1795                     type: string
1796                 duration:
1797                   description: The requested 'duration' (i.e. lifetime) of the Certificate. This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1798                   type: string
1799                 emailAddresses:
1800                   description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
1801                   type: array
1802                   items:
1803                     type: string
1804                 encodeUsagesInRequest:
1805                   description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest
1806                   type: boolean
1807                 ipAddresses:
1808                   description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
1809                   type: array
1810                   items:
1811                     type: string
1812                 isCA:
                       # Boolean flag requesting a certificate that is valid for signing
                       # other certificates; per the description it also adds the
                       # `cert sign` usage to `usages`.
                       # NOTE(review): nothing in this schema limits who may set it, and
                       # whether it is honoured presumably depends on the issuer. Restrict
                       # who can create or edit Certificate resources (RBAC, admission
                       # policy) for issuers that would sign CA certificates - confirm.
1813                   description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`.
1814                   type: boolean
1815                 issuerRef:
1816                   description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times.
1817                   type: object
1818                   required:
1819                     - name
1820                   properties:
1821                     group:
1822                       description: Group of the resource being referred to.
1823                       type: string
1824                     kind:
1825                       description: Kind of the resource being referred to.
1826                       type: string
1827                     name:
1828                       description: Name of the resource being referred to.
1829                       type: string
1830                 keystores:
                       # Schema for spec.keystores: optional JKS and PKCS12 keystore files
                       # written into the Secret named by spec.secretName.
1831                   description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource.
1832                   type: object
1833                   properties:
1834                     jks:
1835                       description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
1836                       type: object
                           # Both fields are mandatory once `jks` is present.
1837                       required:
1838                         - create
1839                         - passwordSecretRef
1840                       properties:
1841                         create:
1842                           description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
1843                           type: boolean
                             # The keystore password is read from another Secret; only `name`
                             # is required by this schema, `key` is optional here.
                             # NOTE(review): a principal that can read both the password
                             # Secret and the target Secret can open the keystore, so the
                             # password adds little beyond Secret RBAC. Scope read access
                             # to both Secrets accordingly - confirm against cluster policy.
1844                         passwordSecretRef:
1845                           description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
1846                           type: object
1847                           required:
1848                             - name
1849                           properties:
1850                             key:
1851                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1852                               type: string
1853                             name:
1854                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1855                               type: string
1856                     pkcs12:
1857                       description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
1858                       type: object
                           # Both fields are mandatory once `pkcs12` is present.
1859                       required:
1860                         - create
1861                         - passwordSecretRef
1862                       properties:
1863                         create:
1864                           description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will only be updated upon re-issuance. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
1865                           type: boolean
                             # Same shape as the JKS password reference above: `name`
                             # required, `key` optional in this schema. The same review
                             # point about read access to both Secrets applies.
1866                         passwordSecretRef:
1867                           description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
1868                           type: object
1869                           required:
1870                             - name
1871                           properties:
1872                             key:
1873                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
1874                               type: string
1875                             name:
1876                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1877                               type: string
1878                 privateKey:
                       # Schema for spec.privateKey: algorithm, encoding, rotation policy
                       # and size of the private key generated for the Certificate.
                       # No field here is marked required.
1879                   description: Options to control private keys used for the Certificate.
1880                   type: object
1881                   properties:
1882                     algorithm:
1883                       description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm.
1884                       type: string
                           # The enum limits this field to the three listed values at the
                           # schema level.
1885                       enum:
1886                         - RSA
1887                         - ECDSA
1888                         - Ed25519
1889                     encoding:
1890                       description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified.
1891                       type: string
1892                       enum:
1893                         - PKCS1
1894                         - PKCS8
                         # Unlike algorithm and encoding, rotationPolicy carries no enum, so
                         # this schema accepts any string; the description names `Never`
                         # and `Always`.
                         # NOTE(review): presumably the value is validated elsewhere (e.g.
                         # the admission webhook) - confirm.
                         # Per the description the default is `Never`: an existing key in
                         # spec.secretName is reused on re-issuance. Set `Always` where a
                         # fresh private key per re-issuance is required.
1895                     rotationPolicy:
1896                       description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
1897                       type: string
                         # Plain integer with no enum, minimum or maximum: the allowed sizes
                         # listed in the description are not enforced by this schema.
                         # NOTE(review): presumably rejected elsewhere when out of range -
                         # confirm. Defaults per the description: 2048 for RSA, 256 for ECDSA.
1898                     size:
1899                       description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed.
1900                       type: integer
1901                 renewBefore:
1902                   description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
1903                   type: string
1904                 revisionHistoryLimit:
1905                   description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
1906                   type: integer
1907                   format: int32
1908                 secretName:
                       # Per the description this Secret receives the private key as well as
                       # the certificate, so read access to it is access to the key. Scope
                       # RBAC on that Secret accordingly.
1909                   description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer.
1910                   type: string
1911                 secretTemplate:
1912                   description: SecretTemplate defines annotations and labels to be propagated to the Kubernetes Secret when it is created or updated. Once created, labels and annotations are not yet removed from the Secret when they are removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
1913                   type: object
1914                   properties:
1915                     annotations:
1916                       description: Annotations is a key value map to be copied to the target Kubernetes Secret.
1917                       type: object
1918                       additionalProperties:
1919                         type: string
1920                     labels:
1921                       description: Labels is a key value map to be copied to the target Kubernetes Secret.
1922                       type: object
1923                       additionalProperties:
1924                         type: string
1925                 subject:
1926                   description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
1927                   type: object
1928                   properties:
1929                     countries:
1930                       description: Countries to be used on the Certificate.
1931                       type: array
1932                       items:
1933                         type: string
1934                     localities:
1935                       description: Cities to be used on the Certificate.
1936                       type: array
1937                       items:
1938                         type: string
1939                     organizationalUnits:
1940                       description: Organizational Units to be used on the Certificate.
1941                       type: array
1942                       items:
1943                         type: string
1944                     organizations:
1945                       description: Organizations to be used on the Certificate.
1946                       type: array
1947                       items:
1948                         type: string
1949                     postalCodes:
1950                       description: Postal codes to be used on the Certificate.
1951                       type: array
1952                       items:
1953                         type: string
1954                     provinces:
1955                       description: State/Provinces to be used on the Certificate.
1956                       type: array
1957                       items:
1958                         type: string
1959                     serialNumber:
1960                       description: Serial number to be used on the Certificate.
1961                       type: string
1962                     streetAddresses:
1963                       description: Street addresses to be used on the Certificate.
1964                       type: array
1965                       items:
1966                         type: string
1967                 uris:
1968                   description: URIs is a list of URI subjectAltNames to be set on the Certificate.
1969                   type: array
1970                   items:
1971                     type: string
1972                 usages:
                       # Per the description the defaults are `digital signature` and
                       # `key encipherment`; request only the usages the workload needs.
1973                   description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
1974                   type: array
1975                   items:
                         # NOTE: the two RFC 5280 links in the description below have lost
                         # their section numbers on this page. Key Usage is RFC 5280 section
                         # 4.2.1.3 and Extended Key Usage is section 4.2.1.12.
1976                     description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-      https://tools.ietf.org/html/rfc5280#section- Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
1977                     type: string
                         # The enum mixes X.509 key usages (e.g. `digital signature`,
                         # `cert sign`) with extended key usages (e.g. `server auth`,
                         # `client auth`, `any`) in one list. `any`, `cert sign` and `crl sign`
                         # are the broad ones; a Certificate requesting them deserves review.
1978                     enum:
1979                       - signing
1980                       - digital signature
1981                       - content commitment
1982                       - key encipherment
1983                       - key agreement
1984                       - data encipherment
1985                       - cert sign
1986                       - crl sign
1987                       - encipher only
1988                       - decipher only
1989                       - any
1990                       - server auth
1991                       - client auth
1992                       - code signing
1993                       - email protection
1994                       - s/mime
1995                       - ipsec end system
1996                       - ipsec tunnel
1997                       - ipsec user
1998                       - timestamping
1999                       - ocsp signing
2000                       - microsoft sgc
2001                       - netscape sgc
2002             status:
2003               description: Status of the Certificate. This is set and managed automatically.
2004               type: object
2005               properties:
2006                 conditions:
2007                   description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
2008                   type: array
2009                   items:
2010                     description: CertificateCondition contains condition information for an Certificate.
2011                     type: object
2012                     required:
2013                       - status
2014                       - type
2015                     properties:
2016                       lastTransitionTime:
2017                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
2018                         type: string
2019                         format: date-time
2020                       message:
2021                         description: Message is a human readable description of the details of the last transition, complementing reason.
2022                         type: string
2023                       observedGeneration:
2024                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
2025                         type: integer
2026                         format: int64
2027                       reason:
2028                         description: Reason is a brief machine readable explanation for the condition's last transition.
2029                         type: string
2030                       status:
2031                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
2032                         type: string
2033                         enum:
                               # `True` and `False` are quoted so that YAML loads them as strings,
                               # matching `type: string`; unquoted they would be parsed as booleans.
2034                           - "True"
2035                           - "False"
2036                           - Unknown
2037                       type:
2038                         description: Type of the condition, known values are (`Ready`, `Issuing`).
2039                         type: string
2040                 lastFailureTime:
2041                   description: LastFailureTime is the time as recorded by the Certificate controller of the most recent failure to complete a CertificateRequest for this Certificate resource. If set, cert-manager will not re-request another Certificate until 1 hour has elapsed from this time.
2042                   type: string
2043                   format: date-time
2044                 nextPrivateKeySecretName:
2045                   description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
2046                   type: string
2047                 notAfter:
2048                   description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
2049                   type: string
2050                   format: date-time
2051                 notBefore:
2052                   description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid.
2053                   type: string
2054                   format: date-time
2055                 renewalTime:
2056                   description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
2057                   type: string
2058                   format: date-time
2059                 revision:
2060                   description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
2061                   type: integer
2062       served: true
2063       storage: true
2064 ---
2065 # Source: cert-manager/templates/templates.out
2066 apiVersion: apiextensions.k8s.io/v1
2067 kind: CustomResourceDefinition
2068 metadata:
2069   name: challenges.acme.cert-manager.io
2070   annotations:
2071     cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
2072   labels:
2073     app: 'cert-manager'
2074     app.kubernetes.io/name: 'cert-manager'
2075     app.kubernetes.io/instance: 'cert-manager'
2076     # Generated labels
2077     app.kubernetes.io/version: "v1.5.3"
2078 spec:
2079   group: acme.cert-manager.io
2080   names:
2081     kind: Challenge
2082     listKind: ChallengeList
2083     plural: challenges
2084     singular: challenge
2085     categories:
2086       - cert-manager
2087       - cert-manager-acme
2088   scope: Namespaced
2089   conversion:
2090     # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
2091     strategy: Webhook
2092     # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
2093     webhook:
2094       # We don't actually support `v1beta1` but is listed here as it is a
2095       # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
2096       # API server reads the supported versions in order, so _should always_
2097       # attempt a `v1` request which is understood by the cert-manager webhook.
2098       # Any `v1beta1` request will return an error and fail closed for that
2099       # resource (the whole object request is rejected).
2100       # When we no longer support v1.16 we can remove `v1beta1` from this list.
2101       conversionReviewVersions: ["v1", "v1beta1"]
2102       clientConfig:
             # NOTE(review): no `caBundle` is set here. The
             # `cert-manager.io/inject-ca-from-secret` annotation in this CRD's
             # metadata names `cert-manager/cert-manager-webhook-ca`; presumably
             # cert-manager's CA injector fills in the bundle from that Secret -
             # TODO confirm. The API server's trust in this conversion webhook then
             # rests on that CA, so write access to that Secret and to the
             # `cert-manager-webhook` Service should be tightly held.
2103         #
2104         service:
2105           name: 'cert-manager-webhook'
2106           namespace: "cert-manager"
2107           path: /convert
2108           #
2109   versions:
2110     - additionalPrinterColumns:
2111         - jsonPath: .status.state
2112           name: State
2113           type: string
2114         - jsonPath: .spec.dnsName
2115           name: Domain
2116           type: string
2117         - jsonPath: .status.reason
2118           name: Reason
2119           priority: 1
2120           type: string
2121         - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
2122           jsonPath: .metadata.creationTimestamp
2123           name: Age
2124           type: date
2125       name: v1alpha2
2126       schema:
2127         openAPIV3Schema:
2128           description: Challenge is a type to represent a Challenge request with an ACME server
2129           type: object
2130           required:
2131             - metadata
2132           properties:
2133             apiVersion:
2134               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2135               type: string
2136             kind:
2137               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2138               type: string
2139             metadata:
2140               type: object
2141             spec:
2142               type: object
2143               required:
2144                 - authzURL
2145                 - dnsName
2146                 - issuerRef
2147                 - key
2148                 - solver
2149                 - token
2150                 - type
2151                 - url
2152               properties:
2153                 authzURL:
2154                   description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
2155                   type: string
2156                 dnsName:
2157                   description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
2158                   type: string
2159                 issuerRef:
2160                   description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
2161                   type: object
2162                   required:
2163                     - name
2164                   properties:
2165                     group:
2166                       description: Group of the resource being referred to.
2167                       type: string
2168                     kind:
2169                       description: Kind of the resource being referred to.
2170                       type: string
2171                     name:
2172                       description: Name of the resource being referred to.
2173                       type: string
2174                 key:
2175                   description: 'Key is the ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
2176                   type: string
2177                 solver:
2178                   description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
2179                   type: object
2180                   properties:
2181                     dns01:
2182                       description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
2183                       type: object
2184                       properties:
2185                         acmedns:
2186                           description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
2187                           type: object
2188                           required:
2189                             - accountSecretRef
2190                             - host
2191                           properties:
2192                             accountSecretRef:
2193                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2194                               type: object
2195                               required:
2196                                 - name
2197                               properties:
2198                                 key:
2199                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2200                                   type: string
2201                                 name:
2202                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2203                                   type: string
2204                             host:
2205                               type: string
2206                         akamai:
2207                           description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
2208                           type: object
2209                           required:
2210                             - accessTokenSecretRef
2211                             - clientSecretSecretRef
2212                             - clientTokenSecretRef
2213                             - serviceConsumerDomain
2214                           properties:
2215                             accessTokenSecretRef:
2216                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2217                               type: object
2218                               required:
2219                                 - name
2220                               properties:
2221                                 key:
2222                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2223                                   type: string
2224                                 name:
2225                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2226                                   type: string
2227                             clientSecretSecretRef:
2228                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2229                               type: object
2230                               required:
2231                                 - name
2232                               properties:
2233                                 key:
2234                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2235                                   type: string
2236                                 name:
2237                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2238                                   type: string
2239                             clientTokenSecretRef:
2240                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2241                               type: object
2242                               required:
2243                                 - name
2244                               properties:
2245                                 key:
2246                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2247                                   type: string
2248                                 name:
2249                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2250                                   type: string
2251                             serviceConsumerDomain:
2252                               type: string
2253                         azuredns:
                               # Only `resourceGroupName` and `subscriptionID` are required. Per the
                               # field descriptions, leaving both `clientID` and
                               # `clientSecretSecretRef` unset selects MSI (managed identity), which
                               # avoids keeping a long-lived client secret in a Kubernetes Secret.
                               # When a client ID and secret are used, `tenantID` is needed as well.
                               # These combinations are stated only in the descriptions; nothing in
                               # this schema enforces them.
2254                           description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
2255                           type: object
2256                           required:
2257                             - resourceGroupName
2258                             - subscriptionID
2259                           properties:
2260                             clientID:
2261                               description: if both this and ClientSecret are left unset MSI will be used
2262                               type: string
2263                             clientSecretSecretRef:
2264                               description: if both this and ClientID are left unset MSI will be used
2265                               type: object
2266                               required:
2267                                 - name
2268                               properties:
2269                                 key:
2270                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2271                                   type: string
2272                                 name:
2273                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2274                                   type: string
2275                             environment:
2276                               type: string
2277                               enum:
2278                                 - AzurePublicCloud
2279                                 - AzureChinaCloud
2280                                 - AzureGermanCloud
2281                                 - AzureUSGovernmentCloud
2282                             hostedZoneName:
2283                               type: string
2284                             resourceGroupName:
2285                               type: string
2286                             subscriptionID:
2287                               type: string
2288                             tenantID:
2289                               description: when specifying ClientID and ClientSecret then this field is also needed
2290                               type: string
2291                         clouddns:
                               # `serviceAccountSecretRef` is optional in this schema; only `project`
                               # is required. NOTE(review): presumably cert-manager falls back to
                               # ambient Google credentials when it is omitted - confirm before
                               # relying on it.
                               # When it is set, the referenced Secret entry presumably holds a
                               # service account key; grant that account only the DNS permissions
                               # the challenge flow needs.
2292                           description: Use the Google Cloud DNS API to manage DNS01 challenge records.
2293                           type: object
2294                           required:
2295                             - project
2296                           properties:
2297                             hostedZoneName:
2298                               description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
2299                               type: string
2300                             project:
2301                               type: string
2302                             serviceAccountSecretRef:
2303                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2304                               type: object
2305                               required:
2306                                 - name
2307                               properties:
2308                                 key:
2309                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2310                                   type: string
2311                                 name:
2312                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2313                                   type: string
2314                         cloudflare:
                               # There is no `required` list, so the schema accepts either secret
                               # reference, both, or neither.
                               # Prefer `apiTokenSecretRef`: as the `apiKeySecretRef` description
                               # notes, a token allows greater control of permissions than an
                               # account API key. `email` is only needed with API key authentication.
2315                           description: Use the Cloudflare API to manage DNS01 challenge records.
2316                           type: object
2317                           properties:
2318                             apiKeySecretRef:
2319                               description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
2320                               type: object
2321                               required:
2322                                 - name
2323                               properties:
2324                                 key:
2325                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2326                                   type: string
2327                                 name:
2328                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2329                                   type: string
2330                             apiTokenSecretRef:
2331                               description: API token used to authenticate with Cloudflare.
2332                               type: object
2333                               required:
2334                                 - name
2335                               properties:
2336                                 key:
2337                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2338                                   type: string
2339                                 name:
2340                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2341                                   type: string
2342                             email:
2343                               description: Email of the account, only required when using API key based authentication.
2344                               type: string
2345                         cnameStrategy:
                               # NOTE(review): the description does not say what `Follow` does.
                               # Presumably the solver follows a CNAME on the challenge record and
                               # writes the TXT record in the target zone - confirm. If so, control
                               # of that target zone is enough to satisfy DNS01 challenges for this
                               # name, so the target zone needs the same protection as the
                               # original one.
                               # `None` below is the literal string, not a YAML null.
2346                           description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
2347                           type: string
2348                           enum:
2349                             - None
2350                             - Follow
2351                         digitalocean:
2352                           description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
2353                           type: object
2354                           required:
2355                             - tokenSecretRef
2356                           properties:
2357                             tokenSecretRef:
2358                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
2359                               type: object
2360                               required:
2361                                 - name
2362                               properties:
2363                                 key:
2364                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2365                                   type: string
2366                                 name:
2367                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2368                                   type: string
2369                         rfc2136:
                               # Security note: per the `tsigAlgorithm` description the default is
                               # `HMACMD5`. Set `tsigAlgorithm` explicitly to `HMACSHA256` or
                               # `HMACSHA512` (both listed as supported) where the DNS server
                               # accepts them.
                               # Only `nameserver` is required by the schema, so an entry without
                               # `tsigKeyName`/`tsigSecretSecretRef` passes schema validation. Per
                               # the description TSIG is used only when both are defined, so such
                               # an entry would presumably send unsigned dynamic updates - confirm.
2370                           description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
2371                           type: object
2372                           required:
2373                             - nameserver
2374                           properties:
2375                             nameserver:
2376                               description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
2377                               type: string
2378                             tsigAlgorithm:
2379                               description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
2380                               type: string
2381                             tsigKeyName:
2382                               description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
2383                               type: string
2384                             tsigSecretSecretRef:
2385                               description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
2386                               type: object
2387                               required:
2388                                 - name
2389                               properties:
2390                                 key:
2391                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2392                                   type: string
2393                                 name:
2394                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2395                                   type: string
2396                         route53:
                               # DNS01 solver backed by the AWS Route53 API. Only `region` is required
                               # by this schema; every credential-related field is optional.
2397                           description: Use the AWS Route53 API to manage DNS01 challenge records.
2398                           type: object
2399                           required:
2400                             - region
2401                           properties:
                                 # Stored as a plain string in the resource, unlike the secret key
                                 # below, which is a Secret reference. Per the description, leaving it
                                 # unset falls back to env vars, the shared credentials file or
                                 # instance metadata, which avoids keeping a long-lived key pair in
                                 # the cluster.
2402                             accessKeyID:
2403                               description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
2404                               type: string
                                 # Pinning the zone skips the route53:ListHostedZonesByName lookup.
                                 # NOTE(review): presumably the IAM policy for these credentials can
                                 # then be limited to the one hosted zone - confirm against the
                                 # provider's documented permissions.
2405                             hostedZoneID:
2406                               description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
2407                               type: string
2408                             region:
2409                               description: Always set the region when using AccessKeyID and SecretAccessKey
2410                               type: string
                                 # Role ARN assumed on top of whichever credentials are in effect
                                 # (explicit key pair or the inferred ones).
2411                             role:
2412                               description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
2413                               type: string
                                 # Reference to the Secret holding the SecretAccessKey; `name` is
                                 # required and `key` selects the entry in the Secret's `data`.
2414                             secretAccessKeySecretRef:
2415                               description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
2416                               type: object
2417                               required:
2418                                 - name
2419                               properties:
2420                                 key:
2421                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
2422                                   type: string
2423                                 name:
2424                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
2425                                   type: string
2426                         webhook:
                               # DNS01 solver that delegates to an external webhook apiserver.
                               # `groupName` and `solverName` are required; `config` is optional.
2427                           description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
2428                           type: object
2429                           required:
2430                             - groupName
2431                             - solverName
2432                           properties:
                                 # No `type` is declared and x-kubernetes-preserve-unknown-fields is
                                 # true, so the content is kept as written rather than checked against
                                 # a schema. It is stored with the resource itself, hence the
                                 # description's rule: credentials belong in a Secret referenced from
                                 # here, never inline.
2433                             config:
2434                               description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
2435                               x-kubernetes-preserve-unknown-fields: true
2436                             groupName:
2437                               description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
2438                               type: string
2439                             solverName:
2440                               description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
2441                               type: string
2442                     http01:
2443                       description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
2444                       type: object
2445                       properties:
2446                         gatewayHTTPRoute:
                               # HTTP01 solver that creates Gateway API HTTPRoutes in the challenge's
                               # namespace; the description marks it as experimental. Neither field is
                               # required by this schema.
2447                           description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
2448                           type: object
2449                           properties:
                                 # String-to-string map; these labels decide which Gateway(s) pick up
                                 # the temporary HTTPRoute.
2450                             labels:
2451                               description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
2452                               type: object
2453                               additionalProperties:
2454                                 type: string
                                 # Plain string with no `enum`; the description lists NodePort and
                                 # ClusterIP and says unset means NodePort.
                                 # NOTE(review): a NodePort Service is reachable on a port of every
                                 # node, so ClusterIP is the narrower choice where the gateway can
                                 # still reach the solver - confirm for the target cluster.
2455                             serviceType:
2456                               description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
2457                               type: string
2458                         ingress:
2459                           description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
2460                           type: object
2461                           properties:
2462                             class:
2463                               description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
2464                               type: string
2465                             ingressTemplate:
2466                               description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
2467                               type: object
2468                               properties:
2469                                 metadata:
2470                                   description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2471                                   type: object
2472                                   properties:
2473                                     annotations:
2474                                       description: Annotations that should be added to the created ACME HTTP01 solver ingress.
2475                                       type: object
2476                                       additionalProperties:
2477                                         type: string
2478                                     labels:
2479                                       description: Labels that should be added to the created ACME HTTP01 solver ingress.
2480                                       type: object
2481                                       additionalProperties:
2482                                         type: string
2483                             name:
2484                               description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
2485                               type: string
2486                             podTemplate:
2487                               description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
2488                               type: object
2489                               properties:
2490                                 metadata:
2491                                   description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
2492                                   type: object
2493                                   properties:
2494                                     annotations:
2495                                       description: Annotations that should be added to the create ACME HTTP01 solver pods.
2496                                       type: object
2497                                       additionalProperties:
2498                                         type: string
2499                                     labels:
2500                                       description: Labels that should be added to the created ACME HTTP01 solver pods.
2501                                       type: object
2502                                       additionalProperties:
2503                                         type: string
2504                                 spec:
2505                                   description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
2506                                   type: object
2507                                   properties:
2508                                     affinity:
2509                                       description: If specified, the pod's scheduling constraints
2510                                       type: object
2511                                       properties:
2512                                         nodeAffinity:
2513                                           description: Describes node affinity scheduling rules for the pod.
2514                                           type: object
2515                                           properties:
2516                                             preferredDuringSchedulingIgnoredDuringExecution:
2517                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
2518                                               type: array
2519                                               items:
2520                                                 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
2521                                                 type: object
2522                                                 required:
2523                                                   - preference
2524                                                   - weight
2525                                                 properties:
2526                                                   preference:
2527                                                     description: A node selector term, associated with the corresponding weight.
2528                                                     type: object
2529                                                     properties:
2530                                                       matchExpressions:
2531                                                         description: A list of node selector requirements by node's labels.
2532                                                         type: array
2533                                                         items:
2534                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2535                                                           type: object
2536                                                           required:
2537                                                             - key
2538                                                             - operator
2539                                                           properties:
2540                                                             key:
2541                                                               description: The label key that the selector applies to.
2542                                                               type: string
2543                                                             operator:
2544                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2545                                                               type: string
2546                                                             values:
2547                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2548                                                               type: array
2549                                                               items:
2550                                                                 type: string
2551                                                       matchFields:
2552                                                         description: A list of node selector requirements by node's fields.
2553                                                         type: array
2554                                                         items:
2555                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2556                                                           type: object
2557                                                           required:
2558                                                             - key
2559                                                             - operator
2560                                                           properties:
2561                                                             key:
2562                                                               description: The label key that the selector applies to.
2563                                                               type: string
2564                                                             operator:
2565                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2566                                                               type: string
2567                                                             values:
2568                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2569                                                               type: array
2570                                                               items:
2571                                                                 type: string
2572                                                   weight:
2573                                                     description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2574                                                     type: integer
2575                                                     format: int32
2576                                             requiredDuringSchedulingIgnoredDuringExecution:
2577                                               description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
2578                                               type: object
2579                                               required:
2580                                                 - nodeSelectorTerms
2581                                               properties:
2582                                                 nodeSelectorTerms:
2583                                                   description: Required. A list of node selector terms. The terms are ORed.
2584                                                   type: array
2585                                                   items:
2586                                                     description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2587                                                     type: object
2588                                                     properties:
2589                                                       matchExpressions:
2590                                                         description: A list of node selector requirements by node's labels.
2591                                                         type: array
2592                                                         items:
2593                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2594                                                           type: object
2595                                                           required:
2596                                                             - key
2597                                                             - operator
2598                                                           properties:
2599                                                             key:
2600                                                               description: The label key that the selector applies to.
2601                                                               type: string
2602                                                             operator:
2603                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2604                                                               type: string
2605                                                             values:
2606                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2607                                                               type: array
2608                                                               items:
2609                                                                 type: string
2610                                                       matchFields:
2611                                                         description: A list of node selector requirements by node's fields.
2612                                                         type: array
2613                                                         items:
2614                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2615                                                           type: object
2616                                                           required:
2617                                                             - key
2618                                                             - operator
2619                                                           properties:
2620                                                             key:
2621                                                               description: The label key that the selector applies to.
2622                                                               type: string
2623                                                             operator:
2624                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2625                                                               type: string
2626                                                             values:
2627                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
2628                                                               type: array
2629                                                               items:
2630                                                                 type: string
2631                                         podAffinity:
2632                                           description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2633                                           type: object
2634                                           properties:
2635                                             preferredDuringSchedulingIgnoredDuringExecution:
2636                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2637                                               type: array
2638                                               items:
2639                                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2640                                                 type: object
2641                                                 required:
2642                                                   - podAffinityTerm
2643                                                   - weight
2644                                                 properties:
2645                                                   podAffinityTerm:
2646                                                     description: Required. A pod affinity term, associated with the corresponding weight.
2647                                                     type: object
2648                                                     required:
2649                                                       - topologyKey
2650                                                     properties:
2651                                                       labelSelector:
2652                                                         description: A label query over a set of resources, in this case pods.
2653                                                         type: object
2654                                                         properties:
2655                                                           matchExpressions:
2656                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2657                                                             type: array
2658                                                             items:
2659                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2660                                                               type: object
2661                                                               required:
2662                                                                 - key
2663                                                                 - operator
2664                                                               properties:
2665                                                                 key:
2666                                                                   description: key is the label key that the selector applies to.
2667                                                                   type: string
2668                                                                 operator:
2669                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2670                                                                   type: string
2671                                                                 values:
2672                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2673                                                                   type: array
2674                                                                   items:
2675                                                                     type: string
2676                                                           matchLabels:
2677                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2678                                                             type: object
2679                                                             additionalProperties:
2680                                                               type: string
2681                                                       namespaceSelector:
2682                                                         description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2683                                                         type: object
2684                                                         properties:
2685                                                           matchExpressions:
2686                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2687                                                             type: array
2688                                                             items:
2689                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2690                                                               type: object
2691                                                               required:
2692                                                                 - key
2693                                                                 - operator
2694                                                               properties:
2695                                                                 key:
2696                                                                   description: key is the label key that the selector applies to.
2697                                                                   type: string
2698                                                                 operator:
2699                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2700                                                                   type: string
2701                                                                 values:
2702                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2703                                                                   type: array
2704                                                                   items:
2705                                                                     type: string
2706                                                           matchLabels:
2707                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2708                                                             type: object
2709                                                             additionalProperties:
2710                                                               type: string
2711                                                       namespaces:
2712                                                         description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2713                                                         type: array
2714                                                         items:
2715                                                           type: string
2716                                                       topologyKey:
2717                                                         description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2718                                                         type: string
2719                                                   weight:
                                                         # Weight added to a node's score when the paired podAffinityTerm matches.
                                                         # NOTE(review): the 1-100 range is stated in the description only; this
                                                         # schema sets no minimum/maximum, so an out-of-range value passes CRD
                                                         # validation and is presumably rejected only when the pod is created - verify.
2720                                                     description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2721                                                     type: integer
2722                                                     format: int32
2723                                             requiredDuringSchedulingIgnoredDuringExecution:
2724                                               description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2725                                               type: array
2726                                               items:
2727                                                 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2728                                                 type: object
2729                                                 required:
2730                                                   - topologyKey
2731                                                 properties:
2732                                                   labelSelector:
2733                                                     description: A label query over a set of resources, in this case pods.
2734                                                     type: object
2735                                                     properties:
2736                                                       matchExpressions:
2737                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2738                                                         type: array
2739                                                         items:
2740                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2741                                                           type: object
2742                                                           required:
2743                                                             - key
2744                                                             - operator
2745                                                           properties:
2746                                                             key:
2747                                                               description: key is the label key that the selector applies to.
2748                                                               type: string
2749                                                             operator:
2750                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2751                                                               type: string
2752                                                             values:
2753                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2754                                                               type: array
2755                                                               items:
2756                                                                 type: string
2757                                                       matchLabels:
2758                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2759                                                         type: object
2760                                                         additionalProperties:
2761                                                           type: string
2762                                                   namespaceSelector:
2763                                                     description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2764                                                     type: object
2765                                                     properties:
2766                                                       matchExpressions:
2767                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2768                                                         type: array
2769                                                         items:
2770                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2771                                                           type: object
2772                                                           required:
2773                                                             - key
2774                                                             - operator
2775                                                           properties:
2776                                                             key:
2777                                                               description: key is the label key that the selector applies to.
2778                                                               type: string
2779                                                             operator:
2780                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2781                                                               type: string
2782                                                             values:
2783                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2784                                                               type: array
2785                                                               items:
2786                                                                 type: string
2787                                                       matchLabels:
2788                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2789                                                         type: object
2790                                                         additionalProperties:
2791                                                           type: string
2792                                                   namespaces:
2793                                                     description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2794                                                     type: array
2795                                                     items:
2796                                                       type: string
2797                                                   topologyKey:
2798                                                     description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2799                                                     type: string
2800                                         podAntiAffinity:
2801                                           description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2802                                           type: object
2803                                           properties:
2804                                             preferredDuringSchedulingIgnoredDuringExecution:
2805                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
2806                                               type: array
2807                                               items:
2808                                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2809                                                 type: object
2810                                                 required:
2811                                                   - podAffinityTerm
2812                                                   - weight
2813                                                 properties:
2814                                                   podAffinityTerm:
2815                                                     description: Required. A pod affinity term, associated with the corresponding weight.
2816                                                     type: object
2817                                                     required:
2818                                                       - topologyKey
2819                                                     properties:
2820                                                       labelSelector:
2821                                                         description: A label query over a set of resources, in this case pods.
2822                                                         type: object
2823                                                         properties:
2824                                                           matchExpressions:
2825                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2826                                                             type: array
2827                                                             items:
2828                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2829                                                               type: object
2830                                                               required:
2831                                                                 - key
2832                                                                 - operator
2833                                                               properties:
2834                                                                 key:
2835                                                                   description: key is the label key that the selector applies to.
2836                                                                   type: string
2837                                                                 operator:
2838                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2839                                                                   type: string
2840                                                                 values:
2841                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2842                                                                   type: array
2843                                                                   items:
2844                                                                     type: string
2845                                                           matchLabels:
2846                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2847                                                             type: object
2848                                                             additionalProperties:
2849                                                               type: string
2850                                                       namespaceSelector:
2851                                                         description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2852                                                         type: object
2853                                                         properties:
2854                                                           matchExpressions:
2855                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2856                                                             type: array
2857                                                             items:
2858                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2859                                                               type: object
2860                                                               required:
2861                                                                 - key
2862                                                                 - operator
2863                                                               properties:
2864                                                                 key:
2865                                                                   description: key is the label key that the selector applies to.
2866                                                                   type: string
2867                                                                 operator:
2868                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2869                                                                   type: string
2870                                                                 values:
2871                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2872                                                                   type: array
2873                                                                   items:
2874                                                                     type: string
2875                                                           matchLabels:
2876                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2877                                                             type: object
2878                                                             additionalProperties:
2879                                                               type: string
2880                                                       namespaces:
2881                                                         description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2882                                                         type: array
2883                                                         items:
2884                                                           type: string
2885                                                       topologyKey:
2886                                                         description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2887                                                         type: string
2888                                                   weight:
                                                         # Weight added to a node's score when the paired podAffinityTerm matches.
                                                         # NOTE(review): the 1-100 range is stated in the description only; this
                                                         # schema sets no minimum/maximum, so an out-of-range value passes CRD
                                                         # validation and is presumably rejected only when the pod is created - verify.
2889                                                     description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
2890                                                     type: integer
2891                                                     format: int32
2892                                             requiredDuringSchedulingIgnoredDuringExecution:
2893                                               description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
2894                                               type: array
2895                                               items:
2896                                                 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
2897                                                 type: object
2898                                                 required:
2899                                                   - topologyKey
2900                                                 properties:
2901                                                   labelSelector:
2902                                                     description: A label query over a set of resources, in this case pods.
2903                                                     type: object
2904                                                     properties:
2905                                                       matchExpressions:
2906                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2907                                                         type: array
2908                                                         items:
2909                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2910                                                           type: object
2911                                                           required:
2912                                                             - key
2913                                                             - operator
2914                                                           properties:
2915                                                             key:
2916                                                               description: key is the label key that the selector applies to.
2917                                                               type: string
2918                                                             operator:
2919                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2920                                                               type: string
2921                                                             values:
2922                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2923                                                               type: array
2924                                                               items:
2925                                                                 type: string
2926                                                       matchLabels:
2927                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2928                                                         type: object
2929                                                         additionalProperties:
2930                                                           type: string
2931                                                   namespaceSelector:
2932                                                     description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
2933                                                     type: object
2934                                                     properties:
2935                                                       matchExpressions:
2936                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2937                                                         type: array
2938                                                         items:
2939                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
2940                                                           type: object
2941                                                           required:
2942                                                             - key
2943                                                             - operator
2944                                                           properties:
2945                                                             key:
2946                                                               description: key is the label key that the selector applies to.
2947                                                               type: string
2948                                                             operator:
2949                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2950                                                               type: string
2951                                                             values:
2952                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
2953                                                               type: array
2954                                                               items:
2955                                                                 type: string
2956                                                       matchLabels:
2957                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
2958                                                         type: object
2959                                                         additionalProperties:
2960                                                           type: string
2961                                                   namespaces:
2962                                                     description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
2963                                                     type: array
2964                                                     items:
2965                                                       type: string
2966                                                   topologyKey:
2967                                                     description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
2968                                                     type: string
2969                                     nodeSelector:
2970                                       description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
2971                                       type: object
2972                                       additionalProperties:
2973                                         type: string
2974                                     priorityClassName:
2975                                       description: If specified, the pod's priorityClassName.
2976                                       type: string
2977                                     serviceAccountName:
2978                                       description: If specified, the pod's service account
2979                                       type: string
2980                                     tolerations:
2981                                       description: If specified, the pod's tolerations.
2982                                       type: array
2983                                       items:
2984                                         description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
2985                                         type: object
2986                                         properties:
2987                                           effect:
2988                                             description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
2989                                             type: string
2990                                           key:
2991                                             description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
2992                                             type: string
2993                                           operator:
2994                                             description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
2995                                             type: string
2996                                           tolerationSeconds:
2997                                             description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
2998                                             type: integer
2999                                             format: int64
3000                                           value:
3001                                             description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3002                                             type: string
3003                             serviceType:
3004                               description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3005                               type: string
3006                     selector:
3007                       description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
3008                       type: object
3009                       properties:
3010                         dnsNames:
3011                           description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3012                           type: array
3013                           items:
3014                             type: string
3015                         dnsZones:
3016                           description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3017                           type: array
3018                           items:
3019                             type: string
3020                         matchLabels:
3021                           description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
3022                           type: object
3023                           additionalProperties:
3024                             type: string
3025                 token:
3026                   description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
3027                   type: string
3028                 type:
3029                   description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
3030                   type: string
3031                   enum:
3032                     - http-01
3033                     - dns-01
3034                 url:
3035                   description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
3036                   type: string
3037                 wildcard:
3038                   description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
3039                   type: boolean
3040             status:
3041               type: object
3042               properties:
3043                 presented:
3044                   description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
3045                   type: boolean
3046                 processing:
3047                   description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
3048                   type: boolean
3049                 reason:
3050                   description: Reason contains human readable information on why the Challenge is in the current state.
3051                   type: string
3052                 state:
3053                   description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
3054                   type: string
3055                   enum:
3056                     - valid
3057                     - ready
3058                     - pending
3059                     - processing
3060                     - invalid
3061                     - expired
3062                     - errored
3063       served: true
3064       storage: false
3065       subresources:
3066         status: {}
3067     - additionalPrinterColumns:
3068         - jsonPath: .status.state
3069           name: State
3070           type: string
3071         - jsonPath: .spec.dnsName
3072           name: Domain
3073           type: string
3074         - jsonPath: .status.reason
3075           name: Reason
3076           priority: 1
3077           type: string
3078         - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
3079           jsonPath: .metadata.creationTimestamp
3080           name: Age
3081           type: date
3082       name: v1alpha3
3083       schema:
3084         openAPIV3Schema:
3085           description: Challenge is a type to represent a Challenge request with an ACME server
3086           type: object
3087           required:
3088             - metadata
3089           properties:
3090             apiVersion:
3091               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3092               type: string
3093             kind:
3094               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3095               type: string
3096             metadata:
3097               type: object
3098             spec:
3099               type: object
3100               required:
3101                 - authzURL
3102                 - dnsName
3103                 - issuerRef
3104                 - key
3105                 - solver
3106                 - token
3107                 - type
3108                 - url
3109               properties:
3110                 authzURL:
3111                   description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
3112                   type: string
3113                 dnsName:
3114                   description: DNSName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
3115                   type: string
3116                 issuerRef:
3117                   description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
3118                   type: object
3119                   required:
3120                     - name
3121                   properties:
3122                     group:
3123                       description: Group of the resource being referred to.
3124                       type: string
3125                     kind:
3126                       description: Kind of the resource being referred to.
3127                       type: string
3128                     name:
3129                       description: Name of the resource being referred to.
3130                       type: string
3131                 key:
3132                   description: 'Key is the ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
3133                   type: string
3134                 solver:
3135                   description: Solver contains the domain solving configuration that should be used to solve this challenge resource.
3136                   type: object
3137                   properties:
3138                     dns01:
3139                       description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
3140                       type: object
3141                       properties:
3142                         acmedns:
3143                           description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
3144                           type: object
3145                           required:
3146                             - accountSecretRef
3147                             - host
3148                           properties:
3149                             accountSecretRef:
3150                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3151                               type: object
3152                               required:
3153                                 - name
3154                               properties:
3155                                 key:
3156                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3157                                   type: string
3158                                 name:
3159                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3160                                   type: string
3161                             host:
3162                               type: string
3163                         akamai:
3164                           description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
3165                           type: object
3166                           required:
3167                             - accessTokenSecretRef
3168                             - clientSecretSecretRef
3169                             - clientTokenSecretRef
3170                             - serviceConsumerDomain
3171                           properties:
3172                             accessTokenSecretRef:
3173                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3174                               type: object
3175                               required:
3176                                 - name
3177                               properties:
3178                                 key:
3179                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3180                                   type: string
3181                                 name:
3182                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3183                                   type: string
3184                             clientSecretSecretRef:
3185                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3186                               type: object
3187                               required:
3188                                 - name
3189                               properties:
3190                                 key:
3191                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3192                                   type: string
3193                                 name:
3194                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3195                                   type: string
3196                             clientTokenSecretRef:
3197                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3198                               type: object
3199                               required:
3200                                 - name
3201                               properties:
3202                                 key:
3203                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3204                                   type: string
3205                                 name:
3206                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3207                                   type: string
3208                             serviceConsumerDomain:
3209                               type: string
3210                         azuredns:
3211                           description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
3212                           type: object
3213                           required:
3214                             - resourceGroupName
3215                             - subscriptionID
3216                           properties:
3217                             clientID:
3218                               description: if both this and ClientSecret are left unset MSI will be used
3219                               type: string
3220                             clientSecretSecretRef:
3221                               description: if both this and ClientID are left unset MSI will be used
3222                               type: object
3223                               required:
3224                                 - name
3225                               properties:
3226                                 key:
3227                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3228                                   type: string
3229                                 name:
3230                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3231                                   type: string
3232                             environment:
3233                               type: string
3234                               enum:
3235                                 - AzurePublicCloud
3236                                 - AzureChinaCloud
3237                                 - AzureGermanCloud
3238                                 - AzureUSGovernmentCloud
3239                             hostedZoneName:
3240                               type: string
3241                             resourceGroupName:
3242                               type: string
3243                             subscriptionID:
3244                               type: string
3245                             tenantID:
3246                               description: when specifying ClientID and ClientSecret then this field is also needed
3247                               type: string
3248                         clouddns:
3249                           description: Use the Google Cloud DNS API to manage DNS01 challenge records.
3250                           type: object
3251                           required:
3252                             - project
3253                           properties:
3254                             hostedZoneName:
3255                               description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
3256                               type: string
3257                             project:
3258                               type: string
3259                             serviceAccountSecretRef:
3260                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3261                               type: object
3262                               required:
3263                                 - name
3264                               properties:
3265                                 key:
3266                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3267                                   type: string
3268                                 name:
3269                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3270                                   type: string
3271                         cloudflare:
3272                           description: Use the Cloudflare API to manage DNS01 challenge records.
3273                           type: object
3274                           properties:
3275                             apiKeySecretRef:
3276                               description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
3277                               type: object
3278                               required:
3279                                 - name
3280                               properties:
3281                                 key:
3282                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3283                                   type: string
3284                                 name:
3285                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3286                                   type: string
3287                             apiTokenSecretRef:
3288                               description: API token used to authenticate with Cloudflare.
3289                               type: object
3290                               required:
3291                                 - name
3292                               properties:
3293                                 key:
3294                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3295                                   type: string
3296                                 name:
3297                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3298                                   type: string
3299                             email:
3300                               description: Email of the account, only required when using API key based authentication.
3301                               type: string
3302                         cnameStrategy:
3303                           description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
3304                           type: string
3305                           enum:
3306                             - None
3307                             - Follow
3308                         digitalocean:
3309                           description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
3310                           type: object
3311                           required:
3312                             - tokenSecretRef
3313                           properties:
3314                             tokenSecretRef:
3315                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
3316                               type: object
3317                               required:
3318                                 - name
3319                               properties:
3320                                 key:
3321                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3322                                   type: string
3323                                 name:
3324                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3325                                   type: string
3326                         rfc2136:
3327                           description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
3328                           type: object
3329                           required:
3330                             - nameserver
3331                           properties:
3332                             nameserver:
3333                               description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
3334                               type: string
3335                             tsigAlgorithm:
3336                               description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. The default is MD5-based; where the DNS server supports it, set one of the HMAC-SHA2 values explicitly.'
3337                               type: string
3338                             tsigKeyName:
3339                               description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
3340                               type: string
3341                             tsigSecretSecretRef:
3342                               description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
3343                               type: object
3344                               required:
3345                                 - name
3346                               properties:
3347                                 key:
3348                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3349                                   type: string
3350                                 name:
3351                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3352                                   type: string
3353                         route53:
3354                           description: Use the AWS Route53 API to manage DNS01 challenge records.
3355                           type: object
3356                           required:
3357                             - region
3358                           properties:
3359                             accessKeyID:
3360                               description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
3361                               type: string
3362                             hostedZoneID:
3363                               description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
3364                               type: string
3365                             region:
3366                               description: Always set the region when using AccessKeyID and SecretAccessKey
3367                               type: string
3368                             role:
3369                               description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
3370                               type: string
3371                             secretAccessKeySecretRef:
3372                               description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
3373                               type: object
3374                               required:
3375                                 - name
3376                               properties:
3377                                 key:
3378                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
3379                                   type: string
3380                                 name:
3381                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
3382                                   type: string
3383                         webhook:
3384                           description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
3385                           type: object
3386                           required:
3387                             - groupName
3388                             - solverName
3389                           properties:
3390                             config:
3391                               description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
3392                               x-kubernetes-preserve-unknown-fields: true
3393                             groupName:
3394                               description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
3395                               type: string
3396                             solverName:
3397                               description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
3398                               type: string
3399                     http01:
3400                       description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
3401                       type: object
3402                       properties:
3403                         gatewayHTTPRoute:
3404                           description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
3405                           type: object
3406                           properties:
3407                             labels:
3408                               description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
3409                               type: object
3410                               additionalProperties:
3411                                 type: string
3412                             serviceType:
3413                               description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3414                               type: string
3415                         ingress:
3416                           description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
3417                           type: object
3418                           properties:
3419                             class:
3420                               description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
3421                               type: string
3422                             ingressTemplate:
3423                               description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
3424                               type: object
3425                               properties:
3426                                 metadata:
3427                                   description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3428                                   type: object
3429                                   properties:
3430                                     annotations:
3431                                       description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3432                                       type: object
3433                                       additionalProperties:
3434                                         type: string
3435                                     labels:
3436                                       description: Labels that should be added to the created ACME HTTP01 solver ingress.
3437                                       type: object
3438                                       additionalProperties:
3439                                         type: string
3440                             name:
3441                               description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
3442                               type: string
3443                             podTemplate:
3444                               description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
3445                               type: object
3446                               properties:
3447                                 metadata:
3448                                   description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
3449                                   type: object
3450                                   properties:
3451                                     annotations:
3452                                       description: Annotations that should be added to the created ACME HTTP01 solver pods.
3453                                       type: object
3454                                       additionalProperties:
3455                                         type: string
3456                                     labels:
3457                                       description: Labels that should be added to the created ACME HTTP01 solver pods.
3458                                       type: object
3459                                       additionalProperties:
3460                                         type: string
3461                                 spec:
3462                                   description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
3463                                   type: object
3464                                   properties:
3465                                     affinity:
3466                                       description: If specified, the pod's scheduling constraints
3467                                       type: object
3468                                       properties:
3469                                         nodeAffinity:
3470                                           description: Describes node affinity scheduling rules for the pod.
3471                                           type: object
3472                                           properties:
3473                                             preferredDuringSchedulingIgnoredDuringExecution:
3474                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
3475                                               type: array
3476                                               items:
3477                                                 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3478                                                 type: object
3479                                                 required:
3480                                                   - preference
3481                                                   - weight
3482                                                 properties:
3483                                                   preference:
3484                                                     description: A node selector term, associated with the corresponding weight.
3485                                                     type: object
3486                                                     properties:
3487                                                       matchExpressions:
3488                                                         description: A list of node selector requirements by node's labels.
3489                                                         type: array
3490                                                         items:
3491                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3492                                                           type: object
3493                                                           required:
3494                                                             - key
3495                                                             - operator
3496                                                           properties:
3497                                                             key:
3498                                                               description: The label key that the selector applies to.
3499                                                               type: string
3500                                                             operator:
3501                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3502                                                               type: string
3503                                                             values:
3504                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3505                                                               type: array
3506                                                               items:
3507                                                                 type: string
3508                                                       matchFields:
3509                                                         description: A list of node selector requirements by node's fields.
3510                                                         type: array
3511                                                         items:
3512                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3513                                                           type: object
3514                                                           required:
3515                                                             - key
3516                                                             - operator
3517                                                           properties:
3518                                                             key:
3519                                                               description: The label key that the selector applies to.
3520                                                               type: string
3521                                                             operator:
3522                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3523                                                               type: string
3524                                                             values:
3525                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3526                                                               type: array
3527                                                               items:
3528                                                                 type: string
3529                                                   weight:
3530                                                     description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3531                                                     type: integer
3532                                                     format: int32
3533                                             requiredDuringSchedulingIgnoredDuringExecution:
3534                                               description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
3535                                               type: object
3536                                               required:
3537                                                 - nodeSelectorTerms
3538                                               properties:
3539                                                 nodeSelectorTerms:
3540                                                   description: Required. A list of node selector terms. The terms are ORed.
3541                                                   type: array
3542                                                   items:
3543                                                     description: A null or empty node selector term matches no objects. Its requirements are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3544                                                     type: object
3545                                                     properties:
3546                                                       matchExpressions:
3547                                                         description: A list of node selector requirements by node's labels.
3548                                                         type: array
3549                                                         items:
3550                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3551                                                           type: object
3552                                                           required:
3553                                                             - key
3554                                                             - operator
3555                                                           properties:
3556                                                             key:
3557                                                               description: The label key that the selector applies to.
3558                                                               type: string
3559                                                             operator:
3560                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3561                                                               type: string
3562                                                             values:
3563                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3564                                                               type: array
3565                                                               items:
3566                                                                 type: string
3567                                                       matchFields:
3568                                                         description: A list of node selector requirements by node's fields.
3569                                                         type: array
3570                                                         items:
3571                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3572                                                           type: object
3573                                                           required:
3574                                                             - key
3575                                                             - operator
3576                                                           properties:
3577                                                             key:
3578                                                               description: The label key that the selector applies to.
3579                                                               type: string
3580                                                             operator:
3581                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3582                                                               type: string
3583                                                             values:
3584                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
3585                                                               type: array
3586                                                               items:
3587                                                                 type: string
3588                                         podAffinity:
3589                                           description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3590                                           type: object
3591                                           properties:
3592                                             preferredDuringSchedulingIgnoredDuringExecution:
3593                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3594                                               type: array
3595                                               items:
3596                                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3597                                                 type: object
3598                                                 required:
3599                                                   - podAffinityTerm
3600                                                   - weight
3601                                                 properties:
3602                                                   podAffinityTerm:
3603                                                     description: Required. A pod affinity term, associated with the corresponding weight.
3604                                                     type: object
3605                                                     required:
3606                                                       - topologyKey
3607                                                     properties:
3608                                                       labelSelector:
3609                                                         description: A label query over a set of resources, in this case pods.
3610                                                         type: object
3611                                                         properties:
3612                                                           matchExpressions:
3613                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3614                                                             type: array
3615                                                             items:
3616                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3617                                                               type: object
3618                                                               required:
3619                                                                 - key
3620                                                                 - operator
3621                                                               properties:
3622                                                                 key:
3623                                                                   description: key is the label key that the selector applies to.
3624                                                                   type: string
3625                                                                 operator:
3626                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3627                                                                   type: string
3628                                                                 values:
3629                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3630                                                                   type: array
3631                                                                   items:
3632                                                                     type: string
3633                                                           matchLabels:
3634                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3635                                                             type: object
3636                                                             additionalProperties:
3637                                                               type: string
3638                                                       namespaceSelector:
3639                                                         description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3640                                                         type: object
3641                                                         properties:
3642                                                           matchExpressions:
3643                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3644                                                             type: array
3645                                                             items:
3646                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3647                                                               type: object
3648                                                               required:
3649                                                                 - key
3650                                                                 - operator
3651                                                               properties:
3652                                                                 key:
3653                                                                   description: key is the label key that the selector applies to.
3654                                                                   type: string
3655                                                                 operator:
3656                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3657                                                                   type: string
3658                                                                 values:
3659                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3660                                                                   type: array
3661                                                                   items:
3662                                                                     type: string
3663                                                           matchLabels:
3664                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3665                                                             type: object
3666                                                             additionalProperties:
3667                                                               type: string
3668                                                       namespaces:
3669                                                         description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3670                                                         type: array
3671                                                         items:
3672                                                           type: string
3673                                                       topologyKey:
3674                                                         description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3675                                                         type: string
3676                                                   weight:
3677                                                     description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3678                                                     type: integer
3679                                                     format: int32
3680                                             requiredDuringSchedulingIgnoredDuringExecution:
3681                                               description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3682                                               type: array
3683                                               items:
3684                                                 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3685                                                 type: object
3686                                                 required:
3687                                                   - topologyKey
3688                                                 properties:
3689                                                   labelSelector:
3690                                                     description: A label query over a set of resources, in this case pods.
3691                                                     type: object
3692                                                     properties:
3693                                                       matchExpressions:
3694                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3695                                                         type: array
3696                                                         items:
3697                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3698                                                           type: object
3699                                                           required:
3700                                                             - key
3701                                                             - operator
3702                                                           properties:
3703                                                             key:
3704                                                               description: key is the label key that the selector applies to.
3705                                                               type: string
3706                                                             operator:
3707                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3708                                                               type: string
3709                                                             values:
3710                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3711                                                               type: array
3712                                                               items:
3713                                                                 type: string
3714                                                       matchLabels:
3715                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3716                                                         type: object
3717                                                         additionalProperties:
3718                                                           type: string
3719                                                   namespaceSelector:
3720                                                     description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3721                                                     type: object
3722                                                     properties:
3723                                                       matchExpressions:
3724                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3725                                                         type: array
3726                                                         items:
3727                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3728                                                           type: object
3729                                                           required:
3730                                                             - key
3731                                                             - operator
3732                                                           properties:
3733                                                             key:
3734                                                               description: key is the label key that the selector applies to.
3735                                                               type: string
3736                                                             operator:
3737                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3738                                                               type: string
3739                                                             values:
3740                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3741                                                               type: array
3742                                                               items:
3743                                                                 type: string
3744                                                       matchLabels:
3745                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3746                                                         type: object
3747                                                         additionalProperties:
3748                                                           type: string
3749                                                   namespaces:
3750                                                     description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3751                                                     type: array
3752                                                     items:
3753                                                       type: string
3754                                                   topologyKey:
3755                                                     description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3756                                                     type: string
3757                                         podAntiAffinity:
3758                                           description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
3759                                           type: object
3760                                           properties:
3761                                             preferredDuringSchedulingIgnoredDuringExecution:
3762                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
3763                                               type: array
3764                                               items:
3765                                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3766                                                 type: object
3767                                                 required:
3768                                                   - podAffinityTerm
3769                                                   - weight
3770                                                 properties:
3771                                                   podAffinityTerm:
3772                                                     description: Required. A pod affinity term, associated with the corresponding weight.
3773                                                     type: object
3774                                                     required:
3775                                                       - topologyKey
3776                                                     properties:
3777                                                       labelSelector:
3778                                                         description: A label query over a set of resources, in this case pods.
3779                                                         type: object
3780                                                         properties:
3781                                                           matchExpressions:
3782                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3783                                                             type: array
3784                                                             items:
3785                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3786                                                               type: object
3787                                                               required:
3788                                                                 - key
3789                                                                 - operator
3790                                                               properties:
3791                                                                 key:
3792                                                                   description: key is the label key that the selector applies to.
3793                                                                   type: string
3794                                                                 operator:
3795                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3796                                                                   type: string
3797                                                                 values:
3798                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3799                                                                   type: array
3800                                                                   items:
3801                                                                     type: string
3802                                                           matchLabels:
3803                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3804                                                             type: object
3805                                                             additionalProperties:
3806                                                               type: string
3807                                                       namespaceSelector:
3808                                                         description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3809                                                         type: object
3810                                                         properties:
3811                                                           matchExpressions:
3812                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3813                                                             type: array
3814                                                             items:
3815                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3816                                                               type: object
3817                                                               required:
3818                                                                 - key
3819                                                                 - operator
3820                                                               properties:
3821                                                                 key:
3822                                                                   description: key is the label key that the selector applies to.
3823                                                                   type: string
3824                                                                 operator:
3825                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3826                                                                   type: string
3827                                                                 values:
3828                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3829                                                                   type: array
3830                                                                   items:
3831                                                                     type: string
3832                                                           matchLabels:
3833                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3834                                                             type: object
3835                                                             additionalProperties:
3836                                                               type: string
3837                                                       namespaces:
3838                                                         description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3839                                                         type: array
3840                                                         items:
3841                                                           type: string
3842                                                       topologyKey:
3843                                                         description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3844                                                         type: string
3845                                                   weight:
3846                                                     description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
3847                                                     type: integer
3848                                                     format: int32
3849                                             requiredDuringSchedulingIgnoredDuringExecution:
3850                                               description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
3851                                               type: array
3852                                               items:
3853                                                 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
3854                                                 type: object
3855                                                 required:
3856                                                   - topologyKey
3857                                                 properties:
3858                                                   labelSelector:
3859                                                     description: A label query over a set of resources, in this case pods.
3860                                                     type: object
3861                                                     properties:
3862                                                       matchExpressions:
3863                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3864                                                         type: array
3865                                                         items:
3866                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3867                                                           type: object
3868                                                           required:
3869                                                             - key
3870                                                             - operator
3871                                                           properties:
3872                                                             key:
3873                                                               description: key is the label key that the selector applies to.
3874                                                               type: string
3875                                                             operator:
3876                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3877                                                               type: string
3878                                                             values:
3879                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3880                                                               type: array
3881                                                               items:
3882                                                                 type: string
3883                                                       matchLabels:
3884                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3885                                                         type: object
3886                                                         additionalProperties:
3887                                                           type: string
3888                                                   namespaceSelector:
3889                                                     description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
3890                                                     type: object
3891                                                     properties:
3892                                                       matchExpressions:
3893                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3894                                                         type: array
3895                                                         items:
3896                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
3897                                                           type: object
3898                                                           required:
3899                                                             - key
3900                                                             - operator
3901                                                           properties:
3902                                                             key:
3903                                                               description: key is the label key that the selector applies to.
3904                                                               type: string
3905                                                             operator:
3906                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
3907                                                               type: string
3908                                                             values:
3909                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
3910                                                               type: array
3911                                                               items:
3912                                                                 type: string
3913                                                       matchLabels:
3914                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
3915                                                         type: object
3916                                                         additionalProperties:
3917                                                           type: string
3918                                                   namespaces:
3919                                                     description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
3920                                                     type: array
3921                                                     items:
3922                                                       type: string
3923                                                   topologyKey:
3924                                                     description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
3925                                                     type: string
3926                                     nodeSelector:
                                           # Schema for a free-form map: any string key is accepted and every
                                           # value must be a string (additionalProperties of type string).
                                           # No key or value is restricted at this level.
                                           # NOTE(review): presumably part of the ACME solver pod template;
                                           # the enclosing keys are outside this excerpt - confirm.
3927                                       description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
3928                                       type: object
3929                                       additionalProperties:
3930                                         type: string
3931                                     priorityClassName:
                                           # Plain string; this schema does not check that the named
                                           # PriorityClass exists or limit which one may be chosen.
                                           # NOTE(review): a high-priority class lets the scheduler preempt
                                           # lower-priority pods to place this one, so admission policy should
                                           # bound the classes accepted here - confirm against cluster policy.
3932                                       description: If specified, the pod's priorityClassName.
3933                                       type: string
3934                                     serviceAccountName:
                                           # Plain string naming the service account the pod runs as; the
                                           # schema applies no constraint to it.
                                           # NOTE(review): a pod normally receives its service account's API
                                           # token, so this should name an account with no role bindings
                                           # beyond what the pod needs - verify against the namespace's RBAC.
3935                                       description: If specified, the pod's service account
3936                                       type: string
3937                                     tolerations:
                                           # Array of toleration objects. No item field is marked required and
                                           # none carries an enum, so the allowed values named in the
                                           # descriptions below (effect, operator) are not enforced by this
                                           # schema.
3938                                       description: If specified, the pod's tolerations.
3939                                       type: array
3940                                       items:
3941                                         description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
3942                                         type: object
3943                                         properties:
3944                                           effect:
3945                                             description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3946                                             type: string
3947                                           key:
                                                 # NOTE(review): per the description, an empty key with
                                                 # operator Exists tolerates every taint, including taints
                                                 # used to keep workloads off dedicated nodes; policy checks
                                                 # should flag that combination.
3948                                             description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3949                                             type: string
3950                                           operator:
3951                                             description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
3952                                             type: string
3953                                           tolerationSeconds:
                                                 # 64-bit integer; per the description it only has an effect
                                                 # together with effect NoExecute.
3954                                             description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
3955                                             type: integer
3956                                             format: int64
3957                                           value:
3958                                             description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
3959                                             type: string
3960                             serviceType:
                                   # NOTE(review): per the description below, the solver Service defaults to NodePort,
                                   # which exposes a port on every node. Set ClusterIP in the solver config where the
                                   # ingress controller can route to ClusterIP Services (confirm for the controller in use).
3961                               description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
3962                               type: string
3963                     selector:
3964                       description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
3965                       type: object
3966                       properties:
3967                         dnsNames:
3968                           description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3969                           type: array
3970                           items:
3971                             type: string
3972                         dnsZones:
3973                           description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
3974                           type: array
3975                           items:
3976                             type: string
3977                         matchLabels:
3978                           description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
3979                           type: object
3980                           additionalProperties:
3981                             type: string
3982                 token:
3983                   description: Token is the ACME challenge token for this challenge. This is the raw value returned from the ACME server.
3984                   type: string
3985                 type:
3986                   description: Type is the type of ACME challenge this resource represents. One of "http-01" or "dns-01".
3987                   type: string
3988                   enum:
3989                     - http-01
3990                     - dns-01
3991                 url:
3992                   description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
3993                   type: string
3994                 wildcard:
3995                   description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
3996                   type: boolean
3997             status:
3998               type: object
3999               properties:
4000                 presented:
4001                   description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
4002                   type: boolean
4003                 processing:
4004                   description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
4005                   type: boolean
4006                 reason:
4007                   description: Reason contains human readable information on why the Challenge is in the current state.
4008                   type: string
4009                 state:
4010                   description: State contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
4011                   type: string
4012                   enum:
4013                     - valid
4014                     - ready
4015                     - pending
4016                     - processing
4017                     - invalid
4018                     - expired
4019                     - errored
4020       served: true
4021       storage: false
4022       subresources:
4023         status: {}
4024     - additionalPrinterColumns:
4025         - jsonPath: .status.state
4026           name: State
4027           type: string
4028         - jsonPath: .spec.dnsName
4029           name: Domain
4030           type: string
4031         - jsonPath: .status.reason
4032           name: Reason
4033           priority: 1
4034           type: string
4035         - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4036           jsonPath: .metadata.creationTimestamp
4037           name: Age
4038           type: date
4039       name: v1beta1
4040       schema:
4041         openAPIV3Schema:
4042           description: Challenge is a type to represent a Challenge request with an ACME server
4043           type: object
4044           required:
4045             - metadata
4046             - spec
4047           properties:
4048             apiVersion:
4049               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4050               type: string
4051             kind:
4052               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4053               type: string
4054             metadata:
4055               type: object
4056             spec:
4057               type: object
4058               required:
4059                 - authorizationURL
4060                 - dnsName
4061                 - issuerRef
4062                 - key
4063                 - solver
4064                 - token
4065                 - type
4066                 - url
4067               properties:
4068                 authorizationURL:
4069                   description: The URL to the ACME Authorization resource that this challenge is a part of.
4070                   type: string
4071                 dnsName:
4072                   description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
4073                   type: string
4074                 issuerRef:
4075                   description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
4076                   type: object
4077                   required:
4078                     - name
4079                   properties:
4080                     group:
4081                       description: Group of the resource being referred to.
4082                       type: string
4083                     kind:
4084                       description: Kind of the resource being referred to.
4085                       type: string
4086                     name:
4087                       description: Name of the resource being referred to.
4088                       type: string
4089                 key:
4090                   description: 'The ACME challenge key for this challenge. For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
4091                   type: string
4092                 solver:
4093                   description: Contains the domain solving configuration that should be used to solve this challenge resource.
4094                   type: object
4095                   properties:
4096                     dns01:
4097                       description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
4098                       type: object
4099                       properties:
4100                         acmeDNS:
4101                           description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
4102                           type: object
4103                           required:
4104                             - accountSecretRef
4105                             - host
4106                           properties:
4107                             accountSecretRef:
4108                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4109                               type: object
4110                               required:
4111                                 - name
4112                               properties:
4113                                 key:
4114                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4115                                   type: string
4116                                 name:
4117                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4118                                   type: string
4119                             host:
4120                               type: string
4121                         akamai:
4122                           description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
4123                           type: object
4124                           required:
4125                             - accessTokenSecretRef
4126                             - clientSecretSecretRef
4127                             - clientTokenSecretRef
4128                             - serviceConsumerDomain
4129                           properties:
4130                             accessTokenSecretRef:
4131                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4132                               type: object
4133                               required:
4134                                 - name
4135                               properties:
4136                                 key:
4137                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4138                                   type: string
4139                                 name:
4140                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4141                                   type: string
4142                             clientSecretSecretRef:
4143                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4144                               type: object
4145                               required:
4146                                 - name
4147                               properties:
4148                                 key:
4149                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4150                                   type: string
4151                                 name:
4152                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4153                                   type: string
4154                             clientTokenSecretRef:
4155                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4156                               type: object
4157                               required:
4158                                 - name
4159                               properties:
4160                                 key:
4161                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4162                                   type: string
4163                                 name:
4164                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4165                                   type: string
4166                             serviceConsumerDomain:
4167                               type: string
4168                         azureDNS:
4169                           description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
4170                           type: object
4171                           required:
4172                             - resourceGroupName
4173                             - subscriptionID
4174                           properties:
4175                             clientID:
4176                               description: if both this and ClientSecret are left unset MSI will be used
4177                               type: string
4178                             clientSecretSecretRef:
4179                               description: if both this and ClientID are left unset MSI will be used
4180                               type: object
4181                               required:
4182                                 - name
4183                               properties:
4184                                 key:
4185                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4186                                   type: string
4187                                 name:
4188                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4189                                   type: string
4190                             environment:
4191                               type: string
4192                               enum:
4193                                 - AzurePublicCloud
4194                                 - AzureChinaCloud
4195                                 - AzureGermanCloud
4196                                 - AzureUSGovernmentCloud
4197                             hostedZoneName:
4198                               type: string
4199                             resourceGroupName:
4200                               type: string
4201                             subscriptionID:
4202                               type: string
4203                             tenantID:
4204                               description: when specifying ClientID and ClientSecret then this field is also needed
4205                               type: string
4206                         cloudDNS:
4207                           description: Use the Google Cloud DNS API to manage DNS01 challenge records.
4208                           type: object
4209                           required:
4210                             - project
4211                           properties:
4212                             hostedZoneName:
4213                               description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
4214                               type: string
4215                             project:
4216                               type: string
4217                             serviceAccountSecretRef:
4218                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4219                               type: object
4220                               required:
4221                                 - name
4222                               properties:
4223                                 key:
4224                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4225                                   type: string
4226                                 name:
4227                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4228                                   type: string
4229                         cloudflare:
4230                           description: Use the Cloudflare API to manage DNS01 challenge records.
4231                           type: object
4232                           properties:
4233                             apiKeySecretRef:
4234                               description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
4235                               type: object
4236                               required:
4237                                 - name
4238                               properties:
4239                                 key:
4240                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4241                                   type: string
4242                                 name:
4243                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4244                                   type: string
4245                             apiTokenSecretRef:
4246                               description: API token used to authenticate with Cloudflare.
4247                               type: object
4248                               required:
4249                                 - name
4250                               properties:
4251                                 key:
4252                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4253                                   type: string
4254                                 name:
4255                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4256                                   type: string
4257                             email:
4258                               description: Email of the account, only required when using API key based authentication.
4259                               type: string
4260                         cnameStrategy:
4261                           description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
4262                           type: string
4263                           enum:
4264                             - None
4265                             - Follow
4266                         digitalocean:
4267                           description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
4268                           type: object
4269                           required:
4270                             - tokenSecretRef
4271                           properties:
4272                             tokenSecretRef:
4273                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
4274                               type: object
4275                               required:
4276                                 - name
4277                               properties:
4278                                 key:
4279                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4280                                   type: string
4281                                 name:
4282                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4283                                   type: string
4284                         rfc2136:
4285                           description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
4286                           type: object
4287                           required:
4288                             - nameserver
4289                           properties:
4290                             nameserver:
4291                               description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
4292                               type: string
4293                             tsigAlgorithm:
                                   # NOTE(review): the documented default is HMACMD5. Set this field explicitly to
                                   # HMACSHA256 or HMACSHA512 in solver configs when the DNS server supports it, so that
                                   # authentication of the dynamic updates does not rest on MD5.
4294                               description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
4295                               type: string
4296                             tsigKeyName:
4297                               description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
4298                               type: string
4299                             tsigSecretSecretRef:
4300                               description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
4301                               type: object
4302                               required:
4303                                 - name
4304                               properties:
4305                                 key:
4306                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4307                                   type: string
4308                                 name:
4309                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4310                                   type: string
4311                         route53:
4312                           description: Use the AWS Route53 API to manage DNS01 challenge records.
4313                           type: object
4314                           required:
4315                             - region
4316                           properties:
4317                             accessKeyID:
                                   # NOTE(review): when this is unset the description says credentials fall back to env
                                   # vars, the shared credentials file or instance metadata. That is presumably the
                                   # identity the cert-manager pod itself runs with, so its Route53 permissions should
                                   # be limited to the zones used for challenges (verify against the deployment).
4318                               description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
4319                               type: string
4320                             hostedZoneID:
4321                               description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
4322                               type: string
4323                             region:
4324                               description: Always set the region when using AccessKeyID and SecretAccessKey
4325                               type: string
4326                             role:
4327                               description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
4328                               type: string
4329                             secretAccessKeySecretRef:
4330                               description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
4331                               type: object
4332                               required:
4333                                 - name
4334                               properties:
4335                                 key:
4336                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
4337                                   type: string
4338                                 name:
4339                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
4340                                   type: string
4341                         webhook:
4342                           description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
4343                           type: object
4344                           required:
4345                             - groupName
4346                             - solverName
4347                           properties:
4348                             config:
                                   # NOTE(review): no type is declared and x-kubernetes-preserve-unknown-fields is true,
                                   # so this subtree is not schema-validated or pruned and is stored as written in the
                                   # Challenge object. Keep credentials in a Secret referenced by name, as the
                                   # description says, and limit who can read Challenge resources.
4349                               description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
4350                               x-kubernetes-preserve-unknown-fields: true
4351                             groupName:
4352                               description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
4353                               type: string
4354                             solverName:
4355                               description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
4356                               type: string
4357                     http01:
4358                       description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
4359                       type: object
4360                       properties:
4361                         gatewayHTTPRoute:
4362                           description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
4363                           type: object
4364                           properties:
4365                             labels:
4366                               description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
4367                               type: object
4368                               additionalProperties:
4369                                 type: string
4370                             serviceType:
                                   # NOTE(review): per the description below, the solver Service defaults to NodePort,
                                   # which exposes a port on every node. Set ClusterIP where the Gateway implementation
                                   # can route to ClusterIP Services (confirm for the implementation in use).
4371                               description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
4372                               type: string
4373                         ingress:
4374                           description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
4375                           type: object
4376                           properties:
4377                             class:
4378                               description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
4379                               type: string
4380                             ingressTemplate:
4381                               description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
4382                               type: object
4383                               properties:
4384                                 metadata:
4385                                   description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
4386                                   type: object
4387                                   properties:
                                         # NOTE(review): values set here override cert-manager's in-built
                                         # annotations on the solver Ingress (see the metadata description).
                                         # Ingress controllers commonly read behaviour from annotations, so
                                         # treat write access to this field as control over the solver
                                         # route; confirm against the controller in use.
4388                                     annotations:
4389                                       description: Annotations that should be added to the created ACME HTTP01 solver ingress.
4390                                       type: object
4391                                       additionalProperties:
4392                                         type: string
4393                                     labels:
4394                                       description: Labels that should be added to the created ACME HTTP01 solver ingress.
4395                                       type: object
4396                                       additionalProperties:
4397                                         type: string
4398                             name:
4399                               description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
4400                               type: string
4401                             podTemplate:
4402                               description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
4403                               type: object
4404                               properties:
4405                                 metadata:
4406                                   description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
4407                                   type: object
4408                                   properties:
4409                                     annotations:
4410                                       description: Annotations that should be added to the created ACME HTTP01 solver pods.
4411                                       type: object
4412                                       additionalProperties:
4413                                         type: string
4414                                     labels:
4415                                       description: Labels that should be added to the created ACME HTTP01 solver pods.
4416                                       type: object
4417                                       additionalProperties:
4418                                         type: string
4419                                 spec:
4420                                   description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
4421                                   type: object
4422                                   properties:
4423                                     affinity:
4424                                       description: If specified, the pod's scheduling constraints
4425                                       type: object
4426                                       properties:
4427                                         nodeAffinity:
4428                                           description: Describes node affinity scheduling rules for the pod.
4429                                           type: object
4430                                           properties:
4431                                             preferredDuringSchedulingIgnoredDuringExecution:
4432                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
4433                                               type: array
4434                                               items:
4435                                                 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
4436                                                 type: object
4437                                                 required:
4438                                                   - preference
4439                                                   - weight
4440                                                 properties:
4441                                                   preference:
4442                                                     description: A node selector term, associated with the corresponding weight.
4443                                                     type: object
4444                                                     properties:
4445                                                       matchExpressions:
4446                                                         description: A list of node selector requirements by node's labels.
4447                                                         type: array
4448                                                         items:
4449                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4450                                                           type: object
4451                                                           required:
4452                                                             - key
4453                                                             - operator
4454                                                           properties:
4455                                                             key:
4456                                                               description: The label key that the selector applies to.
4457                                                               type: string
4458                                                             operator:
4459                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4460                                                               type: string
4461                                                             values:
4462                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4463                                                               type: array
4464                                                               items:
4465                                                                 type: string
4466                                                       matchFields:
4467                                                         description: A list of node selector requirements by node's fields.
4468                                                         type: array
4469                                                         items:
4470                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4471                                                           type: object
4472                                                           required:
4473                                                             - key
4474                                                             - operator
4475                                                           properties:
4476                                                             key:
4477                                                               description: The label key that the selector applies to.
4478                                                               type: string
4479                                                             operator:
4480                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4481                                                               type: string
4482                                                             values:
4483                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4484                                                               type: array
4485                                                               items:
4486                                                                 type: string
4487                                                   weight:
4488                                                     description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
4489                                                     type: integer
4490                                                     format: int32
4491                                             requiredDuringSchedulingIgnoredDuringExecution:
4492                                               description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
4493                                               type: object
4494                                               required:
4495                                                 - nodeSelectorTerms
4496                                               properties:
4497                                                 nodeSelectorTerms:
4498                                                   description: Required. A list of node selector terms. The terms are ORed.
4499                                                   type: array
4500                                                   items:
4501                                                     description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
4502                                                     type: object
4503                                                     properties:
4504                                                       matchExpressions:
4505                                                         description: A list of node selector requirements by node's labels.
4506                                                         type: array
4507                                                         items:
4508                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4509                                                           type: object
4510                                                           required:
4511                                                             - key
4512                                                             - operator
4513                                                           properties:
4514                                                             key:
4515                                                               description: The label key that the selector applies to.
4516                                                               type: string
4517                                                             operator:
4518                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4519                                                               type: string
4520                                                             values:
4521                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4522                                                               type: array
4523                                                               items:
4524                                                                 type: string
4525                                                       matchFields:
4526                                                         description: A list of node selector requirements by node's fields.
4527                                                         type: array
4528                                                         items:
4529                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4530                                                           type: object
4531                                                           required:
4532                                                             - key
4533                                                             - operator
4534                                                           properties:
4535                                                             key:
4536                                                               description: The label key that the selector applies to.
4537                                                               type: string
4538                                                             operator:
4539                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
4540                                                               type: string
4541                                                             values:
4542                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
4543                                                               type: array
4544                                                               items:
4545                                                                 type: string
4546                                         podAffinity:
4547                                           description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
4548                                           type: object
4549                                           properties:
4550                                             preferredDuringSchedulingIgnoredDuringExecution:
4551                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
4552                                               type: array
4553                                               items:
4554                                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
4555                                                 type: object
4556                                                 required:
4557                                                   - podAffinityTerm
4558                                                   - weight
4559                                                 properties:
4560                                                   podAffinityTerm:
4561                                                     description: Required. A pod affinity term, associated with the corresponding weight.
4562                                                     type: object
4563                                                     required:
4564                                                       - topologyKey
4565                                                     properties:
4566                                                       labelSelector:
4567                                                         description: A label query over a set of resources, in this case pods.
4568                                                         type: object
4569                                                         properties:
4570                                                           matchExpressions:
4571                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4572                                                             type: array
4573                                                             items:
4574                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4575                                                               type: object
4576                                                               required:
4577                                                                 - key
4578                                                                 - operator
4579                                                               properties:
4580                                                                 key:
4581                                                                   description: key is the label key that the selector applies to.
4582                                                                   type: string
4583                                                                 operator:
4584                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4585                                                                   type: string
4586                                                                 values:
4587                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4588                                                                   type: array
4589                                                                   items:
4590                                                                     type: string
4591                                                           matchLabels:
4592                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4593                                                             type: object
4594                                                             additionalProperties:
4595                                                               type: string
4596                                                       namespaceSelector:
4597                                                         description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4598                                                         type: object
4599                                                         properties:
4600                                                           matchExpressions:
4601                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4602                                                             type: array
4603                                                             items:
4604                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4605                                                               type: object
4606                                                               required:
4607                                                                 - key
4608                                                                 - operator
4609                                                               properties:
4610                                                                 key:
4611                                                                   description: key is the label key that the selector applies to.
4612                                                                   type: string
4613                                                                 operator:
4614                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4615                                                                   type: string
4616                                                                 values:
4617                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4618                                                                   type: array
4619                                                                   items:
4620                                                                     type: string
4621                                                           matchLabels:
4622                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4623                                                             type: object
4624                                                             additionalProperties:
4625                                                               type: string
4626                                                       namespaces:
4627                                                         description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4628                                                         type: array
4629                                                         items:
4630                                                           type: string
4631                                                       topologyKey:
4632                                                         description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4633                                                         type: string
4634                                                   weight:
4635                                                     description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
4636                                                     type: integer
4637                                                     format: int32
4638                                             requiredDuringSchedulingIgnoredDuringExecution:
4639                                               description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
4640                                               type: array
4641                                               items:
4642                                                 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
4643                                                 type: object
4644                                                 required:
4645                                                   - topologyKey
4646                                                 properties:
4647                                                   labelSelector:
4648                                                     description: A label query over a set of resources, in this case pods.
4649                                                     type: object
4650                                                     properties:
4651                                                       matchExpressions:
4652                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4653                                                         type: array
4654                                                         items:
4655                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4656                                                           type: object
4657                                                           required:
4658                                                             - key
4659                                                             - operator
4660                                                           properties:
4661                                                             key:
4662                                                               description: key is the label key that the selector applies to.
4663                                                               type: string
4664                                                             operator:
4665                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4666                                                               type: string
4667                                                             values:
4668                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4669                                                               type: array
4670                                                               items:
4671                                                                 type: string
4672                                                       matchLabels:
4673                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4674                                                         type: object
4675                                                         additionalProperties:
4676                                                           type: string
4677                                                   namespaceSelector:
4678                                                     description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4679                                                     type: object
4680                                                     properties:
4681                                                       matchExpressions:
4682                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4683                                                         type: array
4684                                                         items:
4685                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4686                                                           type: object
4687                                                           required:
4688                                                             - key
4689                                                             - operator
4690                                                           properties:
4691                                                             key:
4692                                                               description: key is the label key that the selector applies to.
4693                                                               type: string
4694                                                             operator:
4695                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4696                                                               type: string
4697                                                             values:
4698                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4699                                                               type: array
4700                                                               items:
4701                                                                 type: string
4702                                                       matchLabels:
4703                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4704                                                         type: object
4705                                                         additionalProperties:
4706                                                           type: string
4707                                                   namespaces:
4708                                                     description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4709                                                     type: array
4710                                                     items:
4711                                                       type: string
4712                                                   topologyKey:
4713                                                     description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4714                                                     type: string
4715                                         podAntiAffinity:
4716                                           description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
4717                                           type: object
4718                                           properties:
4719                                             preferredDuringSchedulingIgnoredDuringExecution:
4720                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
4721                                               type: array
4722                                               items:
4723                                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
4724                                                 type: object
4725                                                 required:
4726                                                   - podAffinityTerm
4727                                                   - weight
4728                                                 properties:
4729                                                   podAffinityTerm:
4730                                                     description: Required. A pod affinity term, associated with the corresponding weight.
4731                                                     type: object
4732                                                     required:
4733                                                       - topologyKey
4734                                                     properties:
4735                                                       labelSelector:
4736                                                         description: A label query over a set of resources, in this case pods.
4737                                                         type: object
4738                                                         properties:
4739                                                           matchExpressions:
4740                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4741                                                             type: array
4742                                                             items:
4743                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4744                                                               type: object
4745                                                               required:
4746                                                                 - key
4747                                                                 - operator
4748                                                               properties:
4749                                                                 key:
4750                                                                   description: key is the label key that the selector applies to.
4751                                                                   type: string
4752                                                                 operator:
4753                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4754                                                                   type: string
4755                                                                 values:
4756                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4757                                                                   type: array
4758                                                                   items:
4759                                                                     type: string
4760                                                           matchLabels:
4761                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4762                                                             type: object
4763                                                             additionalProperties:
4764                                                               type: string
4765                                                       namespaceSelector:
4766                                                         description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4767                                                         type: object
4768                                                         properties:
4769                                                           matchExpressions:
4770                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4771                                                             type: array
4772                                                             items:
4773                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4774                                                               type: object
4775                                                               required:
4776                                                                 - key
4777                                                                 - operator
4778                                                               properties:
4779                                                                 key:
4780                                                                   description: key is the label key that the selector applies to.
4781                                                                   type: string
4782                                                                 operator:
4783                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4784                                                                   type: string
4785                                                                 values:
4786                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4787                                                                   type: array
4788                                                                   items:
4789                                                                     type: string
4790                                                           matchLabels:
4791                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4792                                                             type: object
4793                                                             additionalProperties:
4794                                                               type: string
4795                                                       namespaces:
4796                                                         description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4797                                                         type: array
4798                                                         items:
4799                                                           type: string
4800                                                       topologyKey:
4801                                                         description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4802                                                         type: string
4803                                                   weight:
4804                                                     description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
4805                                                     type: integer
4806                                                     format: int32
4807                                             requiredDuringSchedulingIgnoredDuringExecution:
4808                                               description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
4809                                               type: array
4810                                               items:
4811                                                 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
4812                                                 type: object
4813                                                 required:
4814                                                   - topologyKey
4815                                                 properties:
4816                                                   labelSelector:
4817                                                     description: A label query over a set of resources, in this case pods.
4818                                                     type: object
4819                                                     properties:
4820                                                       matchExpressions:
4821                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4822                                                         type: array
4823                                                         items:
4824                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4825                                                           type: object
4826                                                           required:
4827                                                             - key
4828                                                             - operator
4829                                                           properties:
4830                                                             key:
4831                                                               description: key is the label key that the selector applies to.
4832                                                               type: string
4833                                                             operator:
4834                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4835                                                               type: string
4836                                                             values:
4837                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4838                                                               type: array
4839                                                               items:
4840                                                                 type: string
4841                                                       matchLabels:
4842                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4843                                                         type: object
4844                                                         additionalProperties:
4845                                                           type: string
4846                                                   namespaceSelector:
4847                                                     description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
4848                                                     type: object
4849                                                     properties:
4850                                                       matchExpressions:
4851                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4852                                                         type: array
4853                                                         items:
4854                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
4855                                                           type: object
4856                                                           required:
4857                                                             - key
4858                                                             - operator
4859                                                           properties:
4860                                                             key:
4861                                                               description: key is the label key that the selector applies to.
4862                                                               type: string
4863                                                             operator:
4864                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
4865                                                               type: string
4866                                                             values:
4867                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
4868                                                               type: array
4869                                                               items:
4870                                                                 type: string
4871                                                       matchLabels:
4872                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
4873                                                         type: object
4874                                                         additionalProperties:
4875                                                           type: string
4876                                                   namespaces:
4877                                                     description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
4878                                                     type: array
4879                                                     items:
4880                                                       type: string
4881                                                   topologyKey:
4882                                                     description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
4883                                                     type: string
4884                                     nodeSelector:
4885                                       description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
4886                                       type: object
4887                                       additionalProperties:
4888                                         type: string
4889                                     priorityClassName:
4890                                       description: If specified, the pod's priorityClassName.
4891                                       type: string
                                         # NOTE(review): the pod built from this template runs under the named service
                                         # account. Point this at a dedicated account with no role bindings rather than
                                         # a shared or privileged one, so the pod holds no useful API credentials.
4892                                     serviceAccountName:
4893                                       description: If specified, the pod's service account
4894                                       type: string
                                         # Tolerations copied onto the pod built from this template.
                                         # NOTE(review): each entry widens the set of nodes the pod may land on; prefer
                                         # entries that name a specific taint key and effect.
4895                                     tolerations:
4896                                       description: If specified, the pod's tolerations.
4897                                       type: array
4898                                       items:
4899                                         description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
4900                                         type: object
4901                                         properties:
4902                                           effect:
4903                                             description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
4904                                             type: string
                                               # NOTE(review): an empty key with operator Exists matches all keys and values,
                                               # i.e. the pod tolerates every taint, including taints used to keep general
                                               # workloads off reserved nodes.
4905                                           key:
4906                                             description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
4907                                             type: string
4908                                           operator:
4909                                             description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
4910                                             type: string
4911                                           tolerationSeconds:
4912                                             description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
4913                                             type: integer
4914                                             format: int64
4915                                           value:
4916                                             description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
4917                                             type: string
                                 # NOTE(review): when unset this defaults to NodePort, which opens the solver
                                 # Service on a port of every node. Where the ingress controller can route to
                                 # ClusterIP Services, set ClusterIP explicitly so the solver is reachable only
                                 # through the ingress.
4918                             serviceType:
4919                               description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
4920                               type: string
                         # Chooses which DNS names on a Certificate this solver handles.
                         # NOTE(review): a solver with no selector is the lowest-priority default and is
                         # used for any name that no other solver matches. Scope solvers with dnsNames or
                         # dnsZones so each one answers challenges only for the domains it is meant to
                         # handle.
4921                     selector:
4922                       description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
4923                       type: object
4924                       properties:
4925                         dnsNames:
4926                           description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4927                           type: array
4928                           items:
4929                             type: string
4930                         dnsZones:
4931                           description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
4932                           type: array
4933                           items:
4934                             type: string
4935                         matchLabels:
4936                           description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
4937                           type: object
4938                           additionalProperties:
4939                             type: string
4940                 token:
4941                   description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
4942                   type: string
4943                 type:
4944                   description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
4945                   type: string
4946                   enum:
4947                     - HTTP-01
4948                     - DNS-01
4949                 url:
4950                   description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
4951                   type: string
4952                 wildcard:
4953                   description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
4954                   type: boolean
                 # Observed state of the Challenge, written by cert-manager's own components
                 # (the field descriptions name the 'scheduling' component and the 'challenges'
                 # controller).
                 # NOTE(review): this version enables the status subresource (subresources.status
                 # further down), so RBAC can withhold the challenges/status subresource from
                 # principals that only need to read or create Challenges.
4955             status:
4956               type: object
4957               properties:
                     # presented only records that the challenge values were submitted; it does
                     # not mean the self check is passing.
4958                 presented:
4959                   description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
4960                   type: boolean
4961                 processing:
4962                   description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
4963                   type: boolean
4964                 reason:
4965                   description: Contains human readable information on why the Challenge is in the current state.
4966                   type: string
4967                 state:
4968                   description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
4969                   type: string
4970                   enum:
4971                     - valid
4972                     - ready
4973                     - pending
4974                     - processing
4975                     - invalid
4976                     - expired
4977                     - errored
4978       served: true
4979       storage: false
4980       subresources:
4981         status: {}
4982     - additionalPrinterColumns:
4983         - jsonPath: .status.state
4984           name: State
4985           type: string
4986         - jsonPath: .spec.dnsName
4987           name: Domain
4988           type: string
4989         - jsonPath: .status.reason
4990           name: Reason
4991           priority: 1
4992           type: string
4993         - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4994           jsonPath: .metadata.creationTimestamp
4995           name: Age
4996           type: date
4997       name: v1
4998       schema:
4999         openAPIV3Schema:
5000           description: Challenge is a type to represent a Challenge request with an ACME server
5001           type: object
5002           required:
5003             - metadata
5004             - spec
5005           properties:
5006             apiVersion:
5007               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
5008               type: string
5009             kind:
5010               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
5011               type: string
5012             metadata:
5013               type: object
5014             spec:
5015               type: object
5016               required:
5017                 - authorizationURL
5018                 - dnsName
5019                 - issuerRef
5020                 - key
5021                 - solver
5022                 - token
5023                 - type
5024                 - url
5025               properties:
5026                 authorizationURL:
5027                   description: The URL to the ACME Authorization resource that this challenge is a part of.
5028                   type: string
5029                 dnsName:
5030                   description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
5031                   type: string
5032                 issuerRef:
5033                   description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
5034                   type: object
5035                   required:
5036                     - name
5037                   properties:
5038                     group:
5039                       description: Group of the resource being referred to.
5040                       type: string
5041                     kind:
5042                       description: Kind of the resource being referred to.
5043                       type: string
5044                     name:
5045                       description: Name of the resource being referred to.
5046                       type: string
5047                 key:
5048                   description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.'
5049                   type: string
5050                 solver:
5051                   description: Contains the domain solving configuration that should be used to solve this challenge resource.
5052                   type: object
5053                   properties:
5054                     dns01:
5055                       description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
5056                       type: object
5057                       properties:
5058                         acmeDNS:
5059                           description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
5060                           type: object
5061                           required:
5062                             - accountSecretRef
5063                             - host
5064                           properties:
5065                             accountSecretRef:
5066                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5067                               type: object
5068                               required:
5069                                 - name
5070                               properties:
5071                                 key:
5072                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5073                                   type: string
5074                                 name:
5075                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5076                                   type: string
5077                             host:
5078                               type: string
5079                         akamai:
5080                           description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
5081                           type: object
5082                           required:
5083                             - accessTokenSecretRef
5084                             - clientSecretSecretRef
5085                             - clientTokenSecretRef
5086                             - serviceConsumerDomain
5087                           properties:
5088                             accessTokenSecretRef:
5089                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5090                               type: object
5091                               required:
5092                                 - name
5093                               properties:
5094                                 key:
5095                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5096                                   type: string
5097                                 name:
5098                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5099                                   type: string
5100                             clientSecretSecretRef:
5101                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5102                               type: object
5103                               required:
5104                                 - name
5105                               properties:
5106                                 key:
5107                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5108                                   type: string
5109                                 name:
5110                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5111                                   type: string
5112                             clientTokenSecretRef:
5113                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5114                               type: object
5115                               required:
5116                                 - name
5117                               properties:
5118                                 key:
5119                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5120                                   type: string
5121                                 name:
5122                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5123                                   type: string
5124                             serviceConsumerDomain:
5125                               type: string
5126                         azureDNS:
5127                           description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
5128                           type: object
5129                           required:
5130                             - resourceGroupName
5131                             - subscriptionID
5132                           properties:
5133                             clientID:
5134                               description: if both this and ClientSecret are left unset MSI will be used
5135                               type: string
5136                             clientSecretSecretRef:
5137                               description: if both this and ClientID are left unset MSI will be used
5138                               type: object
5139                               required:
5140                                 - name
5141                               properties:
5142                                 key:
5143                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5144                                   type: string
5145                                 name:
5146                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5147                                   type: string
5148                             environment:
5149                               type: string
5150                               enum:
5151                                 - AzurePublicCloud
5152                                 - AzureChinaCloud
5153                                 - AzureGermanCloud
5154                                 - AzureUSGovernmentCloud
5155                             hostedZoneName:
5156                               type: string
5157                             resourceGroupName:
5158                               type: string
5159                             subscriptionID:
5160                               type: string
5161                             tenantID:
5162                               description: when specifying ClientID and ClientSecret then this field is also needed
5163                               type: string
5164                         cloudDNS:
5165                           description: Use the Google Cloud DNS API to manage DNS01 challenge records.
5166                           type: object
5167                           required:
5168                             - project
5169                           properties:
5170                             hostedZoneName:
5171                               description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
5172                               type: string
5173                             project:
5174                               type: string
5175                             serviceAccountSecretRef:
5176                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5177                               type: object
5178                               required:
5179                                 - name
5180                               properties:
5181                                 key:
5182                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5183                                   type: string
5184                                 name:
5185                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5186                                   type: string
5187                         cloudflare:
                               # Cloudflare DNS01 solver settings. Two credential styles are declared:
                               # apiKeySecretRef (used with `email`) and apiTokenSecretRef.
                               # This schema marks neither reference as required, so which one must be
                               # set is presumably checked outside this schema. Confirm.
                               # NOTE(review): prefer apiTokenSecretRef with a token limited to the
                               # zones cert-manager edits. The apiKeySecretRef description itself
                               # recommends the token because its permissions can be narrowed.
5188                           description: Use the Cloudflare API to manage DNS01 challenge records.
5189                           type: object
5190                           properties:
5191                             apiKeySecretRef:
5192                               description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
5193                               type: object
5194                               required:
5195                                 - name
5196                               properties:
5197                                 key:
5198                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5199                                   type: string
5200                                 name:
5201                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5202                                   type: string
5203                             apiTokenSecretRef:
5204                               description: API token used to authenticate with Cloudflare.
5205                               type: object
5206                               required:
5207                                 - name
5208                               properties:
5209                                 key:
5210                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5211                                   type: string
5212                                 name:
5213                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5214                                   type: string
5215                             email:
5216                               description: Email of the account, only required when using API key based authentication.
5217                               type: string
5218                         cnameStrategy:
5219                           description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
5220                           type: string
5221                           enum:
5222                             - None
5223                             - Follow
5224                         digitalocean:
5225                           description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
5226                           type: object
5227                           required:
5228                             - tokenSecretRef
5229                           properties:
5230                             tokenSecretRef:
5231                               description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
5232                               type: object
5233                               required:
5234                                 - name
5235                               properties:
5236                                 key:
5237                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5238                                   type: string
5239                                 name:
5240                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5241                                   type: string
5242                         rfc2136:
                               # RFC2136 dynamic-update DNS01 solver settings. Only `nameserver` is
                               # required by this schema; the three tsig* fields are optional.
                               # NOTE(review): the tsigAlgorithm description gives HMACMD5 as the
                               # default. Set HMACSHA256 or HMACSHA512 explicitly and check that the
                               # DNS server is configured for the same algorithm.
                               # NOTE(review): with tsigKeyName and tsigSecretSecretRef omitted,
                               # updates are presumably sent without TSIG authentication. Confirm,
                               # and keep the nameserver's update policy restricted.
5243                           description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
5244                           type: object
5245                           required:
5246                             - nameserver
5247                           properties:
5248                             nameserver:
5249                               description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
5250                               type: string
5251                             tsigAlgorithm:
5252                               description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
5253                               type: string
5254                             tsigKeyName:
5255                               description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
5256                               type: string
5257                             tsigSecretSecretRef:
5258                               description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
5259                               type: object
5260                               required:
5261                                 - name
5262                               properties:
5263                                 key:
5264                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5265                                   type: string
5266                                 name:
5267                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5268                                   type: string
5269                         route53:
                               # AWS Route53 DNS01 solver settings. Only `region` is required.
                               # accessKeyID is a plain string stored in the resource itself; only the
                               # secret half of the key pair goes through a Secret reference.
                               # When the key fields are unset, the descriptions say the provider falls
                               # back to env vars, the shared credentials file or instance metadata.
                               # NOTE(review): prefer `role` with an IAM policy limited to the hosted
                               # zone(s) in use over long-lived static keys. Per its description,
                               # setting hostedZoneID also avoids the route53:ListHostedZonesByName
                               # call, so that permission can presumably be dropped. Confirm.
5270                           description: Use the AWS Route53 API to manage DNS01 challenge records.
5271                           type: object
5272                           required:
5273                             - region
5274                           properties:
5275                             accessKeyID:
5276                               description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
5277                               type: string
5278                             hostedZoneID:
5279                               description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
5280                               type: string
5281                             region:
5282                               description: Always set the region when using AccessKeyID and SecretAccessKey
5283                               type: string
5284                             role:
5285                               description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
5286                               type: string
5287                             secretAccessKeySecretRef:
5288                               description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
5289                               type: object
5290                               required:
5291                                 - name
5292                               properties:
5293                                 key:
5294                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
5295                                   type: string
5296                                 name:
5297                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
5298                                   type: string
5299                         webhook:
                               # External webhook DNS01 solver settings. groupName and solverName are
                               # required; `config` is optional.
                               # `config` declares no type or properties and sets
                               # x-kubernetes-preserve-unknown-fields, so the API server neither
                               # validates nor prunes its contents and stores them in the resource.
                               # NOTE(review): anyone who can read the resource can read `config`.
                               # Keep credentials in a Secret and reference it, as the description says.
5300                           description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
5301                           type: object
5302                           required:
5303                             - groupName
5304                             - solverName
5305                           properties:
5306                             config:
5307                               description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
5308                               x-kubernetes-preserve-unknown-fields: true
5309                             groupName:
5310                               description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
5311                               type: string
5312                             solverName:
5313                               description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
5314                               type: string
5315                     http01:
5316                       description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
5317                       type: object
5318                       properties:
5319                         gatewayHTTPRoute:
                               # Gateway API HTTP01 solver settings; the description marks this solver
                               # as experimental. Neither field is required by this schema.
                               # serviceType is a free-form string here (no enum); the description
                               # lists NodePort and ClusterIP, with NodePort as the default when unset.
                               # NOTE(review): a NodePort service opens the solver port on every node.
                               # Set ClusterIP where the Gateway can reach cluster-internal services.
                               # Confirm with the gateway implementation in use.
5320                           description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
5321                           type: object
5322                           properties:
5323                             labels:
5324                               description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
5325                               type: object
5326                               additionalProperties:
5327                                 type: string
5328                             serviceType:
5329                               description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
5330                               type: string
5331                         ingress:
5332                           description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
5333                           type: object
5334                           properties:
5335                             class:
5336                               description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
5337                               type: string
5338                             ingressTemplate:
5339                               description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
5340                               type: object
5341                               properties:
5342                                 metadata:
5343                                   description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
5344                                   type: object
5345                                   properties:
5346                                     annotations:
5347                                       description: Annotations that should be added to the created ACME HTTP01 solver ingress.
5348                                       type: object
5349                                       additionalProperties:
5350                                         type: string
5351                                     labels:
5352                                       description: Labels that should be added to the created ACME HTTP01 solver ingress.
5353                                       type: object
5354                                       additionalProperties:
5355                                         type: string
5356                             name:
5357                               description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
5358                               type: string
5359                             podTemplate:
5360                               description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
5361                               type: object
5362                               properties:
5363                                 metadata:
5364                                   description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
5365                                   type: object
5366                                   properties:
5367                                     annotations:
5368                                       description: Annotations that should be added to the create ACME HTTP01 solver pods.
5369                                       type: object
5370                                       additionalProperties:
5371                                         type: string
5372                                     labels:
5373                                       description: Labels that should be added to the created ACME HTTP01 solver pods.
5374                                       type: object
5375                                       additionalProperties:
5376                                         type: string
5377                                 spec:
5378                                   description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
5379                                   type: object
5380                                   properties:
5381                                     affinity:
5382                                       description: If specified, the pod's scheduling constraints
5383                                       type: object
5384                                       properties:
5385                                         nodeAffinity:
5386                                           description: Describes node affinity scheduling rules for the pod.
5387                                           type: object
5388                                           properties:
5389                                             preferredDuringSchedulingIgnoredDuringExecution:
5390                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
5391                                               type: array
5392                                               items:
5393                                                 description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
5394                                                 type: object
5395                                                 required:
5396                                                   - preference
5397                                                   - weight
5398                                                 properties:
5399                                                   preference:
5400                                                     description: A node selector term, associated with the corresponding weight.
5401                                                     type: object
5402                                                     properties:
5403                                                       matchExpressions:
5404                                                         description: A list of node selector requirements by node's labels.
5405                                                         type: array
5406                                                         items:
5407                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5408                                                           type: object
5409                                                           required:
5410                                                             - key
5411                                                             - operator
5412                                                           properties:
5413                                                             key:
5414                                                               description: The label key that the selector applies to.
5415                                                               type: string
5416                                                             operator:
5417                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
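5418                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.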
5419                                                             values:
5420                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5421                                                               type: array
5422                                                               items:
5423                                                                 type: string
5424                                                       matchFields:
5425                                                         description: A list of node selector requirements by node's fields.
5426                                                         type: array
5427                                                         items:
5428                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5429                                                           type: object
5430                                                           required:
5431                                                             - key
5432                                                             - operator
5433                                                           properties:
5434                                                             key:
5435                                                               description: The label key that the selector applies to.
5436                                                               type: string
5437                                                             operator:
5438                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
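5439                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.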
5440                                                             values:
5441                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5442                                                               type: array
5443                                                               items:
5444                                                                 type: string
5445                                                   weight:
5446                                                     description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
5447                                                     type: integer
5448                                                     format: int32
5449                                             requiredDuringSchedulingIgnoredDuringExecution:
5450                                               description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
5451                                               type: object
5452                                               required:
5453                                                 - nodeSelectorTerms
5454                                               properties:
5455                                                 nodeSelectorTerms:
5456                                                   description: Required. A list of node selector terms. The terms are ORed.
5457                                                   type: array
5458                                                   items:
5459                                                     description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
5460                                                     type: object
5461                                                     properties:
5462                                                       matchExpressions:
5463                                                         description: A list of node selector requirements by node's labels.
5464                                                         type: array
5465                                                         items:
5466                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5467                                                           type: object
5468                                                           required:
5469                                                             - key
5470                                                             - operator
5471                                                           properties:
5472                                                             key:
5473                                                               description: The label key that the selector applies to.
5474                                                               type: string
5475                                                             operator:
5476                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
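5477                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.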
5478                                                             values:
5479                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5480                                                               type: array
5481                                                               items:
5482                                                                 type: string
5483                                                       matchFields:
5484                                                         description: A list of node selector requirements by node's fields.
5485                                                         type: array
5486                                                         items:
5487                                                           description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5488                                                           type: object
5489                                                           required:
5490                                                             - key
5491                                                             - operator
5492                                                           properties:
5493                                                             key:
5494                                                               description: The label key that the selector applies to.
5495                                                               type: string
5496                                                             operator:
5497                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
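5498                                                               description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.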
5499                                                             values:
5500                                                               description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
5501                                                               type: array
5502                                                               items:
5503                                                                 type: string
5504                                         podAffinity:
5505                                           description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
5506                                           type: object
5507                                           properties:
5508                                             preferredDuringSchedulingIgnoredDuringExecution:
5509                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
5510                                               type: array
5511                                               items:
5512                                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5513                                                 type: object
5514                                                 required:
5515                                                   - podAffinityTerm
5516                                                   - weight
5517                                                 properties:
5518                                                   podAffinityTerm:
5519                                                     description: Required. A pod affinity term, associated with the corresponding weight.
5520                                                     type: object
5521                                                     required:
5522                                                       - topologyKey
5523                                                     properties:
5524                                                       labelSelector:
5525                                                         description: A label query over a set of resources, in this case pods.
5526                                                         type: object
5527                                                         properties:
5528                                                           matchExpressions:
5529                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5530                                                             type: array
5531                                                             items:
5532                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5533                                                               type: object
5534                                                               required:
5535                                                                 - key
5536                                                                 - operator
5537                                                               properties:
5538                                                                 key:
5539                                                                   description: key is the label key that the selector applies to.
5540                                                                   type: string
5541                                                                 operator:
5542                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5543                                                                   type: string
5544                                                                 values:
5545                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5546                                                                   type: array
5547                                                                   items:
5548                                                                     type: string
5549                                                           matchLabels:
5550                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5551                                                             type: object
5552                                                             additionalProperties:
5553                                                               type: string
5554                                                       namespaceSelector:
5555                                                         description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5556                                                         type: object
5557                                                         properties:
5558                                                           matchExpressions:
5559                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5560                                                             type: array
5561                                                             items:
5562                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5563                                                               type: object
5564                                                               required:
5565                                                                 - key
5566                                                                 - operator
5567                                                               properties:
5568                                                                 key:
5569                                                                   description: key is the label key that the selector applies to.
5570                                                                   type: string
5571                                                                 operator:
5572                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5573                                                                   type: string
5574                                                                 values:
5575                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5576                                                                   type: array
5577                                                                   items:
5578                                                                     type: string
5579                                                           matchLabels:
5580                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5581                                                             type: object
5582                                                             additionalProperties:
5583                                                               type: string
5584                                                       namespaces:
5585                                                         description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5586                                                         type: array
5587                                                         items:
5588                                                           type: string
5589                                                       topologyKey:
5590                                                         description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5591                                                         type: string
5592                                                   weight:
5593                                                     description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
5594                                                     type: integer
5595                                                     format: int32
5596                                             requiredDuringSchedulingIgnoredDuringExecution:
5597                                               description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
5598                                               type: array
5599                                               items:
5600                                                 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
5601                                                 type: object
5602                                                 required:
5603                                                   - topologyKey
5604                                                 properties:
5605                                                   labelSelector:
5606                                                     description: A label query over a set of resources, in this case pods.
5607                                                     type: object
5608                                                     properties:
5609                                                       matchExpressions:
5610                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5611                                                         type: array
5612                                                         items:
5613                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5614                                                           type: object
5615                                                           required:
5616                                                             - key
5617                                                             - operator
5618                                                           properties:
5619                                                             key:
5620                                                               description: key is the label key that the selector applies to.
5621                                                               type: string
5622                                                             operator:
5623                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5624                                                               type: string
5625                                                             values:
5626                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5627                                                               type: array
5628                                                               items:
5629                                                                 type: string
5630                                                       matchLabels:
5631                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5632                                                         type: object
5633                                                         additionalProperties:
5634                                                           type: string
5635                                                   namespaceSelector:
5636                                                     description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5637                                                     type: object
5638                                                     properties:
5639                                                       matchExpressions:
5640                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5641                                                         type: array
5642                                                         items:
5643                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5644                                                           type: object
5645                                                           required:
5646                                                             - key
5647                                                             - operator
5648                                                           properties:
5649                                                             key:
5650                                                               description: key is the label key that the selector applies to.
5651                                                               type: string
5652                                                             operator:
5653                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5654                                                               type: string
5655                                                             values:
5656                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5657                                                               type: array
5658                                                               items:
5659                                                                 type: string
5660                                                       matchLabels:
5661                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5662                                                         type: object
5663                                                         additionalProperties:
5664                                                           type: string
5665                                                   namespaces:
5666                                                     description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5667                                                     type: array
5668                                                     items:
5669                                                       type: string
5670                                                   topologyKey:
5671                                                     description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5672                                                     type: string
5673                                         podAntiAffinity:
5674                                           description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
5675                                           type: object
5676                                           properties:
5677                                             preferredDuringSchedulingIgnoredDuringExecution:
5678                                               description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
5679                                               type: array
5680                                               items:
5681                                                 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5682                                                 type: object
5683                                                 required:
5684                                                   - podAffinityTerm
5685                                                   - weight
5686                                                 properties:
5687                                                   podAffinityTerm:
5688                                                     description: Required. A pod affinity term, associated with the corresponding weight.
5689                                                     type: object
5690                                                     required:
5691                                                       - topologyKey
5692                                                     properties:
5693                                                       labelSelector:
5694                                                         description: A label query over a set of resources, in this case pods.
5695                                                         type: object
5696                                                         properties:
5697                                                           matchExpressions:
5698                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5699                                                             type: array
5700                                                             items:
5701                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5702                                                               type: object
5703                                                               required:
5704                                                                 - key
5705                                                                 - operator
5706                                                               properties:
5707                                                                 key:
5708                                                                   description: key is the label key that the selector applies to.
5709                                                                   type: string
5710                                                                 operator:
5711                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5712                                                                   type: string
5713                                                                 values:
5714                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5715                                                                   type: array
5716                                                                   items:
5717                                                                     type: string
5718                                                           matchLabels:
5719                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5720                                                             type: object
5721                                                             additionalProperties:
5722                                                               type: string
5723                                                       namespaceSelector:
5724                                                         description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5725                                                         type: object
5726                                                         properties:
5727                                                           matchExpressions:
5728                                                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5729                                                             type: array
5730                                                             items:
5731                                                               description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5732                                                               type: object
5733                                                               required:
5734                                                                 - key
5735                                                                 - operator
5736                                                               properties:
5737                                                                 key:
5738                                                                   description: key is the label key that the selector applies to.
5739                                                                   type: string
5740                                                                 operator:
5741                                                                   description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5742                                                                   type: string
5743                                                                 values:
5744                                                                   description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5745                                                                   type: array
5746                                                                   items:
5747                                                                     type: string
5748                                                           matchLabels:
5749                                                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5750                                                             type: object
5751                                                             additionalProperties:
5752                                                               type: string
5753                                                       namespaces:
5754                                                         description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5755                                                         type: array
5756                                                         items:
5757                                                           type: string
5758                                                       topologyKey:
5759                                                         description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5760                                                         type: string
5761                                                   weight:
5762                                                     description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
5763                                                     type: integer
5764                                                     format: int32
5765                                             requiredDuringSchedulingIgnoredDuringExecution:
5766                                               description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
5767                                               type: array
5768                                               items:
5769                                                 description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
5770                                                 type: object
5771                                                 required:
5772                                                   - topologyKey
5773                                                 properties:
5774                                                   labelSelector:
5775                                                     description: A label query over a set of resources, in this case pods.
5776                                                     type: object
5777                                                     properties:
5778                                                       matchExpressions:
5779                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5780                                                         type: array
5781                                                         items:
5782                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5783                                                           type: object
5784                                                           required:
5785                                                             - key
5786                                                             - operator
5787                                                           properties:
5788                                                             key:
5789                                                               description: key is the label key that the selector applies to.
5790                                                               type: string
5791                                                             operator:
5792                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5793                                                               type: string
5794                                                             values:
5795                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5796                                                               type: array
5797                                                               items:
5798                                                                 type: string
5799                                                       matchLabels:
5800                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5801                                                         type: object
5802                                                         additionalProperties:
5803                                                           type: string
5804                                                   namespaceSelector:
5805                                                     description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
5806                                                     type: object
5807                                                     properties:
5808                                                       matchExpressions:
5809                                                         description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5810                                                         type: array
5811                                                         items:
5812                                                           description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
5813                                                           type: object
5814                                                           required:
5815                                                             - key
5816                                                             - operator
5817                                                           properties:
5818                                                             key:
5819                                                               description: key is the label key that the selector applies to.
5820                                                               type: string
5821                                                             operator:
5822                                                               description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
5823                                                               type: string
5824                                                             values:
5825                                                               description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
5826                                                               type: array
5827                                                               items:
5828                                                                 type: string
5829                                                       matchLabels:
5830                                                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
5831                                                         type: object
5832                                                         additionalProperties:
5833                                                           type: string
5834                                                   namespaces:
5835                                                     description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
5836                                                     type: array
5837                                                     items:
5838                                                       type: string
5839                                                   topologyKey:
5840                                                     description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
5841                                                     type: string
5842                                     nodeSelector:
5843                                       description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
5844                                       type: object
5845                                       additionalProperties:
5846                                         type: string
5847                                     priorityClassName:
5848                                       description: If specified, the pod's priorityClassName.
5849                                       type: string
5850                                     serviceAccountName:
5851                                       description: If specified, the pod's service account
5852                                       type: string
5853                                     tolerations:
5854                                       description: If specified, the pod's tolerations.
5855                                       type: array
5856                                       items:
5857                                         description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
5858                                         type: object
5859                                         properties:
5860                                           effect:
5861                                             description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
5862                                             type: string
5863                                           key:
5864                                             description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
5865                                             type: string
5866                                           operator:
5867                                             description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
5868                                             type: string
5869                                           tolerationSeconds:
5870                                             description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
5871                                             type: integer
5872                                             format: int64
5873                                           value:
5874                                             description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
5875                                             type: string
5876                             serviceType:
5877                               description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
5878                               type: string
5879                     selector:
5880                       description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
5881                       type: object
5882                       properties:
5883                         dnsNames:
5884                           description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
5885                           type: array
5886                           items:
5887                             type: string
5888                         dnsZones:
5889                           description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
5890                           type: array
5891                           items:
5892                             type: string
5893                         matchLabels:
5894                           description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
5895                           type: object
5896                           additionalProperties:
5897                             type: string
5898                 token:
5899                   description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
5900                   type: string
5901                 type:
5902                   description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
5903                   type: string
5904                   enum:
5905                     - HTTP-01
5906                     - DNS-01
5907                 url:
5908                   description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
5909                   type: string
5910                 wildcard:
5911                   description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
5912                   type: boolean
5913             status:
5914               type: object
5915               properties:
5916                 presented:
5917                   description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
5918                   type: boolean
5919                 processing:
5920                   description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
5921                   type: boolean
5922                 reason:
5923                   description: Contains human readable information on why the Challenge is in the current state.
5924                   type: string
5925                 state:
5926                   description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
5927                   type: string
5928                   enum:
5929                     - valid
5930                     - ready
5931                     - pending
5932                     - processing
5933                     - invalid
5934                     - expired
5935                     - errored
5936       served: true
5937       storage: true
5938       subresources:
5939         status: {}
5940 ---
5941 # Source: cert-manager/templates/templates.out
5942 apiVersion: apiextensions.k8s.io/v1
5943 kind: CustomResourceDefinition
5944 metadata:
5945   name: clusterissuers.cert-manager.io
5946   annotations:
5947     cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
5948   labels:
5949     app: 'cert-manager'
5950     app.kubernetes.io/name: 'cert-manager'
5951     app.kubernetes.io/instance: 'cert-manager'
5952     # Generated labels
5953     app.kubernetes.io/version: "v1.5.3"
5954 spec:
5955   group: cert-manager.io
5956   names:
5957     kind: ClusterIssuer
5958     listKind: ClusterIssuerList
5959     plural: clusterissuers
5960     singular: clusterissuer
5961     categories:
5962       - cert-manager
5963   scope: Cluster
5964   conversion:
5965     # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
5966     strategy: Webhook
5967     # webhookClientConfig (the `webhook.clientConfig` block below) is required when strategy is `Webhook`; it configures the webhook endpoint that the API server calls.
5968     webhook:
5969       # We don't actually support `v1beta1`, but it is listed here as it is a
5970       # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
5971       # API server reads the supported versions in order, so _should always_
5972       # attempt a `v1` request which is understood by the cert-manager webhook.
5973       # Any `v1beta1` request will return an error and fail closed for that
5974       # resource (the whole object request is rejected).
5975       # When we no longer support v1.16 we can remove `v1beta1` from this list.
5976       conversionReviewVersions: ["v1", "v1beta1"]
5977       clientConfig:
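5978         # No caBundle is set inline here; the API server needs one to verify the webhook's TLS certificate. Presumably cainjector injects it from the secret named in the cert-manager.io/inject-ca-from-secret annotation above - confirm it is populated after install.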
5979         service:
5980           name: 'cert-manager-webhook'
5981           namespace: "cert-manager"
5982           path: /convert
5983           #
5984   versions:
5985     - name: v1alpha2
5986       subresources:
5987         status: {}
5988       additionalPrinterColumns:
5989         - jsonPath: .status.conditions[?(@.type=="Ready")].status
5990           name: Ready
5991           type: string
5992         - jsonPath: .status.conditions[?(@.type=="Ready")].message
5993           name: Status
5994           priority: 1
5995           type: string
5996         - jsonPath: .metadata.creationTimestamp
5997           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
5998           name: Age
5999           type: date
6000       schema:
6001         openAPIV3Schema:
6002           description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
6003           type: object
6004           properties:
6005             apiVersion:
6006               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6007               type: string
6008             kind:
6009               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6010               type: string
6011             metadata:
6012               type: object
6013             spec:
6014               description: Desired state of the ClusterIssuer resource.
6015               type: object
6016               properties:
6017                 acme:
6018                   description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
6019                   type: object
6020                   required:
6021                     - privateKeySecretRef
6022                     - server
6023                   properties:
6024                     disableAccountKeyGeneration:
6025                       description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
6026                       type: boolean
6027                     email:
6028                       description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
6029                       type: string
6030                     enableDurationFeature:
6031                       description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
6032                       type: boolean
6033                     externalAccountBinding:
6034                       description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
6035                       type: object
6036                       required:
6037                         - keyID
6038                         - keySecretRef
6039                       properties:
6040                         keyAlgorithm:
6041                           description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
6042                           type: string
6043                           enum:
6044                             - HS256
6045                             - HS384
6046                             - HS512
6047                         keyID:
6048                           description: keyID is the ID of the CA key that the External Account is bound to.
6049                           type: string
6050                         keySecretRef:
6051                           description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
6052                           type: object
6053                           required:
6054                             - name
6055                           properties:
6056                             key:
6057                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6058                               type: string
6059                             name:
6060                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6061                               type: string
6062                     preferredChain:
6063                       description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
6064                       type: string
6065                       maxLength: 64
6066                     privateKeySecretRef:
6067                       description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
6068                       type: object
6069                       required:
6070                         - name
6071                       properties:
6072                         key:
6073                           description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6074                           type: string
6075                         name:
6076                           description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6077                           type: string
6078                     server:
6079                       description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
6080                       type: string
6081                     skipTLSVerify:
6082                       description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
6083                       type: boolean
6084                     solvers:
6085                       description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
6086                       type: array
6087                       items:
6088                         description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
6089                         type: object
6090                         properties:
6091                           dns01:
6092                             description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
6093                             type: object
6094                             properties:
6095                               acmedns:
6096                                 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
6097                                 type: object
6098                                 required:
6099                                   - accountSecretRef
6100                                   - host
6101                                 properties:
6102                                   accountSecretRef:
6103                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6104                                     type: object
6105                                     required:
6106                                       - name
6107                                     properties:
6108                                       key:
6109                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6110                                         type: string
6111                                       name:
6112                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6113                                         type: string
6114                                   host:
6115                                     type: string
6116                               akamai:
6117                                 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
6118                                 type: object
6119                                 required:
6120                                   - accessTokenSecretRef
6121                                   - clientSecretSecretRef
6122                                   - clientTokenSecretRef
6123                                   - serviceConsumerDomain
6124                                 properties:
6125                                   accessTokenSecretRef:
6126                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6127                                     type: object
6128                                     required:
6129                                       - name
6130                                     properties:
6131                                       key:
6132                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6133                                         type: string
6134                                       name:
6135                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6136                                         type: string
6137                                   clientSecretSecretRef:
6138                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6139                                     type: object
6140                                     required:
6141                                       - name
6142                                     properties:
6143                                       key:
6144                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6145                                         type: string
6146                                       name:
6147                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6148                                         type: string
6149                                   clientTokenSecretRef:
6150                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6151                                     type: object
6152                                     required:
6153                                       - name
6154                                     properties:
6155                                       key:
6156                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6157                                         type: string
6158                                       name:
6159                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6160                                         type: string
6161                                   serviceConsumerDomain:
6162                                     type: string
6163                               azuredns:
6164                                 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
6165                                 type: object
6166                                 required:
6167                                   - resourceGroupName
6168                                   - subscriptionID
6169                                 properties:
6170                                   clientID:
6171                                     description: if both this and ClientSecret are left unset MSI will be used
6172                                     type: string
6173                                   clientSecretSecretRef:
6174                                     description: if both this and ClientID are left unset MSI will be used
6175                                     type: object
6176                                     required:
6177                                       - name
6178                                     properties:
6179                                       key:
6180                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6181                                         type: string
6182                                       name:
6183                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6184                                         type: string
6185                                   environment:
6186                                     type: string
6187                                     enum:
6188                                       - AzurePublicCloud
6189                                       - AzureChinaCloud
6190                                       - AzureGermanCloud
6191                                       - AzureUSGovernmentCloud
6192                                   hostedZoneName:
6193                                     type: string
6194                                   resourceGroupName:
6195                                     type: string
6196                                   subscriptionID:
6197                                     type: string
6198                                   tenantID:
6199                                     description: when specifying ClientID and ClientSecret then this field is also needed
6200                                     type: string
6201                               clouddns:
6202                                 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
6203                                 type: object
6204                                 required:
6205                                   - project
6206                                 properties:
6207                                   hostedZoneName:
6208                                     description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
6209                                     type: string
6210                                   project:
6211                                     type: string
6212                                   serviceAccountSecretRef:
6213                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6214                                     type: object
6215                                     required:
6216                                       - name
6217                                     properties:
6218                                       key:
6219                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6220                                         type: string
6221                                       name:
6222                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6223                                         type: string
6224                               cloudflare:
6225                                 description: Use the Cloudflare API to manage DNS01 challenge records.
6226                                 type: object
6227                                 properties:
6228                                   apiKeySecretRef:
6229                                     description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
6230                                     type: object
6231                                     required:
6232                                       - name
6233                                     properties:
6234                                       key:
6235                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6236                                         type: string
6237                                       name:
6238                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6239                                         type: string
6240                                   apiTokenSecretRef:
6241                                     description: API token used to authenticate with Cloudflare.
6242                                     type: object
6243                                     required:
6244                                       - name
6245                                     properties:
6246                                       key:
6247                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6248                                         type: string
6249                                       name:
6250                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6251                                         type: string
6252                                   email:
6253                                     description: Email of the account, only required when using API key based authentication.
6254                                     type: string
6255                               cnameStrategy:
6256                                 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
6257                                 type: string
6258                                 enum:
6259                                   - None
6260                                   - Follow
6261                               digitalocean:
6262                                 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
6263                                 type: object
6264                                 required:
6265                                   - tokenSecretRef
6266                                 properties:
6267                                   tokenSecretRef:
6268                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
6269                                     type: object
6270                                     required:
6271                                       - name
6272                                     properties:
6273                                       key:
6274                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6275                                         type: string
6276                                       name:
6277                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6278                                         type: string
6279                               rfc2136:
6280                                 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
6281                                 type: object
6282                                 required:
6283                                   - nameserver
6284                                 properties:
6285                                   nameserver:
6286                                     description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
6287                                     type: string
6288                                   tsigAlgorithm:
6289                                     description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
6290                                     type: string
6291                                   tsigKeyName:
6292                                     description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
6293                                     type: string
6294                                   tsigSecretSecretRef:
6295                                     description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
6296                                     type: object
6297                                     required:
6298                                       - name
6299                                     properties:
6300                                       key:
6301                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6302                                         type: string
6303                                       name:
6304                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6305                                         type: string
6306                               route53:
6307                                 description: Use the AWS Route53 API to manage DNS01 challenge records.
6308                                 type: object
6309                                 required:
6310                                   - region
6311                                 properties:
6312                                   accessKeyID:
6313                                     description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
6314                                     type: string
6315                                   hostedZoneID:
6316                                     description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
6317                                     type: string
6318                                   region:
6319                                     description: Always set the region when using AccessKeyID and SecretAccessKey
6320                                     type: string
6321                                   role:
6322                                     description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
6323                                     type: string
6324                                   secretAccessKeySecretRef:
6325                                     description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
6326                                     type: object
6327                                     required:
6328                                       - name
6329                                     properties:
6330                                       key:
6331                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6332                                         type: string
6333                                       name:
6334                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
6335                                         type: string
6336                               webhook:
6337                                 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
6338                                 type: object
6339                                 required:
6340                                   - groupName
6341                                   - solverName
6342                                 properties:
6343                                   config:
6344                                     description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
6345                                     x-kubernetes-preserve-unknown-fields: true
6346                                   groupName:
6347                                     description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
6348                                     type: string
6349                                   solverName:
6350                                     description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
6351                                     type: string
6352                           http01:
6353                             description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
6354                             type: object
6355                             properties:
6356                               gatewayHTTPRoute:
6357                                 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
6358                                 type: object
6359                                 properties:
6360                                   labels:
6361                                     description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
6362                                     type: object
6363                                     additionalProperties:
6364                                       type: string
6365                                   serviceType:
6366                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
6367                                     type: string
6368                               ingress:
6369                                 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
6370                                 type: object
6371                                 properties:
6372                                   class:
6373                                     description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
6374                                     type: string
6375                                   ingressTemplate:  # Optional overrides for the Ingress created for HTTP01 solving; per the metadata description only labels and annotations may be set
6376                                     description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
6377                                     type: object
6378                                     properties:
6379                                       metadata:
6380                                         description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
6381                                         type: object
6382                                         properties:
6383                                           annotations:  # NOTE(review): free-form string map that overrides in-built annotations on the solver Ingress; ingress controllers commonly act on annotations, so limit who may edit resources carrying this template
6384                                             description: Annotations that should be added to the created ACME HTTP01 solver ingress.
6385                                             type: object
6386                                             additionalProperties:
6387                                               type: string
6388                                           labels:  # free-form string map; like annotations, values here override in-built labels
6389                                             description: Labels that should be added to the created ACME HTTP01 solver ingress.
6390                                             type: object
6391                                             additionalProperties:
6392                                               type: string
6393                                   name:
6394                                     description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
6395                                     type: string
6396                                   podTemplate:
6397                                     description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
6398                                     type: object
6399                                     properties:
6400                                       metadata:
6401                                         description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
6402                                         type: object
6403                                         properties:
6404                                           annotations:
6405                                             description: Annotations that should be added to the created ACME HTTP01 solver pods.
6406                                             type: object
6407                                             additionalProperties:
6408                                               type: string
6409                                           labels:
6410                                             description: Labels that should be added to the created ACME HTTP01 solver pods.
6411                                             type: object
6412                                             additionalProperties:
6413                                               type: string
6414                                       spec:
6415                                         description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
6416                                         type: object
6417                                         properties:
6418                                           affinity:
6419                                             description: If specified, the pod's scheduling constraints
6420                                             type: object
6421                                             properties:
6422                                               nodeAffinity:
6423                                                 description: Describes node affinity scheduling rules for the pod.
6424                                                 type: object
6425                                                 properties:
6426                                                   preferredDuringSchedulingIgnoredDuringExecution:
6427                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
6428                                                     type: array
6429                                                     items:
6430                                                       description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
6431                                                       type: object
6432                                                       required:
6433                                                         - preference
6434                                                         - weight
6435                                                       properties:
6436                                                         preference:
6437                                                           description: A node selector term, associated with the corresponding weight.
6438                                                           type: object
6439                                                           properties:
6440                                                             matchExpressions:
6441                                                               description: A list of node selector requirements by node's labels.
6442                                                               type: array
6443                                                               items:
6444                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6445                                                                 type: object
6446                                                                 required:
6447                                                                   - key
6448                                                                   - operator
6449                                                                 properties:
6450                                                                   key:
6451                                                                     description: The label key that the selector applies to.
6452                                                                     type: string
6453                                                                   operator:
6454                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6455                                                                     type: string
6456                                                                   values:
6457                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6458                                                                     type: array
6459                                                                     items:
6460                                                                       type: string
6461                                                             matchFields:
6462                                                               description: A list of node selector requirements by node's fields.
6463                                                               type: array
6464                                                               items:
6465                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6466                                                                 type: object
6467                                                                 required:
6468                                                                   - key
6469                                                                   - operator
6470                                                                 properties:
6471                                                                   key:
6472                                                                     description: The label key that the selector applies to.
6473                                                                     type: string
6474                                                                   operator:
6475                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6476                                                                     type: string
6477                                                                   values:
6478                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6479                                                                     type: array
6480                                                                     items:
6481                                                                       type: string
6482                                                         weight:
6483                                                           description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
6484                                                           type: integer
6485                                                           format: int32
6486                                                   requiredDuringSchedulingIgnoredDuringExecution:
6487                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
6488                                                     type: object
6489                                                     required:
6490                                                       - nodeSelectorTerms
6491                                                     properties:
6492                                                       nodeSelectorTerms:
6493                                                         description: Required. A list of node selector terms. The terms are ORed.
6494                                                         type: array
6495                                                         items:
6496                                                           description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
6497                                                           type: object
6498                                                           properties:
6499                                                             matchExpressions:
6500                                                               description: A list of node selector requirements by node's labels.
6501                                                               type: array
6502                                                               items:
6503                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6504                                                                 type: object
6505                                                                 required:
6506                                                                   - key
6507                                                                   - operator
6508                                                                 properties:
6509                                                                   key:
6510                                                                     description: The label key that the selector applies to.
6511                                                                     type: string
6512                                                                   operator:
6513                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6514                                                                     type: string
6515                                                                   values:
6516                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6517                                                                     type: array
6518                                                                     items:
6519                                                                       type: string
6520                                                             matchFields:
6521                                                               description: A list of node selector requirements by node's fields.
6522                                                               type: array
6523                                                               items:
6524                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6525                                                                 type: object
6526                                                                 required:
6527                                                                   - key
6528                                                                   - operator
6529                                                                 properties:
6530                                                                   key:
6531                                                                     description: The label key that the selector applies to.
6532                                                                     type: string
6533                                                                   operator:
6534                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6535                                                                     type: string
6536                                                                   values:
6537                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
6538                                                                     type: array
6539                                                                     items:
6540                                                                       type: string
6541                                               podAffinity:
6542                                                 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
6543                                                 type: object
6544                                                 properties:
6545                                                   preferredDuringSchedulingIgnoredDuringExecution:
6546                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
6547                                                     type: array
6548                                                     items:
6549                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6550                                                       type: object
6551                                                       required:
6552                                                         - podAffinityTerm
6553                                                         - weight
6554                                                       properties:
6555                                                         podAffinityTerm:
6556                                                           description: Required. A pod affinity term, associated with the corresponding weight.
6557                                                           type: object
6558                                                           required:
6559                                                             - topologyKey
6560                                                           properties:
6561                                                             labelSelector:
6562                                                               description: A label query over a set of resources, in this case pods.
6563                                                               type: object
6564                                                               properties:
6565                                                                 matchExpressions:
6566                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6567                                                                   type: array
6568                                                                   items:
6569                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6570                                                                     type: object
6571                                                                     required:
6572                                                                       - key
6573                                                                       - operator
6574                                                                     properties:
6575                                                                       key:
6576                                                                         description: key is the label key that the selector applies to.
6577                                                                         type: string
6578                                                                       operator:
6579                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6580                                                                         type: string
6581                                                                       values:
6582                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6583                                                                         type: array
6584                                                                         items:
6585                                                                           type: string
6586                                                                 matchLabels:
6587                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6588                                                                   type: object
6589                                                                   additionalProperties:
6590                                                                     type: string
6591                                                             namespaceSelector:
6592                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6593                                                               type: object
6594                                                               properties:
6595                                                                 matchExpressions:
6596                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6597                                                                   type: array
6598                                                                   items:
6599                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6600                                                                     type: object
6601                                                                     required:
6602                                                                       - key
6603                                                                       - operator
6604                                                                     properties:
6605                                                                       key:
6606                                                                         description: key is the label key that the selector applies to.
6607                                                                         type: string
6608                                                                       operator:
6609                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6610                                                                         type: string
6611                                                                       values:
6612                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6613                                                                         type: array
6614                                                                         items:
6615                                                                           type: string
6616                                                                 matchLabels:
6617                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6618                                                                   type: object
6619                                                                   additionalProperties:
6620                                                                     type: string
6621                                                             namespaces:
6622                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6623                                                               type: array
6624                                                               items:
6625                                                                 type: string
6626                                                             topologyKey:
6627                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6628                                                               type: string
6629                                                         weight:
6630                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
6631                                                           type: integer
6632                                                           format: int32
6633                                                   requiredDuringSchedulingIgnoredDuringExecution:
6634                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
6635                                                     type: array
6636                                                     items:
6637                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
6638                                                       type: object
6639                                                       required:
6640                                                         - topologyKey
6641                                                       properties:
6642                                                         labelSelector:
6643                                                           description: A label query over a set of resources, in this case pods.
6644                                                           type: object
6645                                                           properties:
6646                                                             matchExpressions:
6647                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6648                                                               type: array
6649                                                               items:
6650                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6651                                                                 type: object
6652                                                                 required:
6653                                                                   - key
6654                                                                   - operator
6655                                                                 properties:
6656                                                                   key:
6657                                                                     description: key is the label key that the selector applies to.
6658                                                                     type: string
6659                                                                   operator:
6660                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6661                                                                     type: string
6662                                                                   values:
6663                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6664                                                                     type: array
6665                                                                     items:
6666                                                                       type: string
6667                                                             matchLabels:
6668                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6669                                                               type: object
6670                                                               additionalProperties:
6671                                                                 type: string
6672                                                         namespaceSelector:
6673                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6674                                                           type: object
6675                                                           properties:
6676                                                             matchExpressions:
6677                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6678                                                               type: array
6679                                                               items:
6680                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6681                                                                 type: object
6682                                                                 required:
6683                                                                   - key
6684                                                                   - operator
6685                                                                 properties:
6686                                                                   key:
6687                                                                     description: key is the label key that the selector applies to.
6688                                                                     type: string
6689                                                                   operator:
6690                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6691                                                                     type: string
6692                                                                   values:
6693                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6694                                                                     type: array
6695                                                                     items:
6696                                                                       type: string
6697                                                             matchLabels:
6698                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6699                                                               type: object
6700                                                               additionalProperties:
6701                                                                 type: string
6702                                                         namespaces:
6703                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6704                                                           type: array
6705                                                           items:
6706                                                             type: string
6707                                                         topologyKey:
6708                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6709                                                           type: string
6710                                               podAntiAffinity:
6711                                                 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
6712                                                 type: object
6713                                                 properties:
6714                                                   preferredDuringSchedulingIgnoredDuringExecution:
6715                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
6716                                                     type: array
6717                                                     items:
6718                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6719                                                       type: object
6720                                                       required:
6721                                                         - podAffinityTerm
6722                                                         - weight
6723                                                       properties:
6724                                                         podAffinityTerm:
6725                                                           description: Required. A pod affinity term, associated with the corresponding weight.
6726                                                           type: object
6727                                                           required:
6728                                                             - topologyKey
6729                                                           properties:
6730                                                             labelSelector:
6731                                                               description: A label query over a set of resources, in this case pods.
6732                                                               type: object
6733                                                               properties:
6734                                                                 matchExpressions:
6735                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6736                                                                   type: array
6737                                                                   items:
6738                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6739                                                                     type: object
6740                                                                     required:
6741                                                                       - key
6742                                                                       - operator
6743                                                                     properties:
6744                                                                       key:
6745                                                                         description: key is the label key that the selector applies to.
6746                                                                         type: string
6747                                                                       operator:
6748                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6749                                                                         type: string
6750                                                                       values:
6751                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6752                                                                         type: array
6753                                                                         items:
6754                                                                           type: string
6755                                                                 matchLabels:
6756                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6757                                                                   type: object
6758                                                                   additionalProperties:
6759                                                                     type: string
6760                                                             namespaceSelector:
6761                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6762                                                               type: object
6763                                                               properties:
6764                                                                 matchExpressions:
6765                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6766                                                                   type: array
6767                                                                   items:
6768                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6769                                                                     type: object
6770                                                                     required:
6771                                                                       - key
6772                                                                       - operator
6773                                                                     properties:
6774                                                                       key:
6775                                                                         description: key is the label key that the selector applies to.
6776                                                                         type: string
6777                                                                       operator:
6778                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6779                                                                         type: string
6780                                                                       values:
6781                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6782                                                                         type: array
6783                                                                         items:
6784                                                                           type: string
6785                                                                 matchLabels:
6786                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6787                                                                   type: object
6788                                                                   additionalProperties:
6789                                                                     type: string
6790                                                             namespaces:
6791                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6792                                                               type: array
6793                                                               items:
6794                                                                 type: string
6795                                                             topologyKey:
6796                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6797                                                               type: string
6798                                                         weight:
6799                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
6800                                                           type: integer
6801                                                           format: int32
6802                                                   requiredDuringSchedulingIgnoredDuringExecution:
6803                                                     description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
6804                                                     type: array
6805                                                     items:
6806                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
6807                                                       type: object
6808                                                       required:
6809                                                         - topologyKey
6810                                                       properties:
6811                                                         labelSelector:
6812                                                           description: A label query over a set of resources, in this case pods.
6813                                                           type: object
6814                                                           properties:
6815                                                             matchExpressions:
6816                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6817                                                               type: array
6818                                                               items:
6819                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6820                                                                 type: object
6821                                                                 required:
6822                                                                   - key
6823                                                                   - operator
6824                                                                 properties:
6825                                                                   key:
6826                                                                     description: key is the label key that the selector applies to.
6827                                                                     type: string
6828                                                                   operator:
6829                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6830                                                                     type: string
6831                                                                   values:
6832                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6833                                                                     type: array
6834                                                                     items:
6835                                                                       type: string
6836                                                             matchLabels:
6837                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6838                                                               type: object
6839                                                               additionalProperties:
6840                                                                 type: string
6841                                                         namespaceSelector:
6842                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
6843                                                           type: object
6844                                                           properties:
6845                                                             matchExpressions:
6846                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6847                                                               type: array
6848                                                               items:
6849                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
6850                                                                 type: object
6851                                                                 required:
6852                                                                   - key
6853                                                                   - operator
6854                                                                 properties:
6855                                                                   key:
6856                                                                     description: key is the label key that the selector applies to.
6857                                                                     type: string
6858                                                                   operator:
6859                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
6860                                                                     type: string
6861                                                                   values:
6862                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
6863                                                                     type: array
6864                                                                     items:
6865                                                                       type: string
6866                                                             matchLabels:
6867                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
6868                                                               type: object
6869                                                               additionalProperties:
6870                                                                 type: string
6871                                                         namespaces:
6872                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
6873                                                           type: array
6874                                                           items:
6875                                                             type: string
6876                                                         topologyKey:
6877                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
6878                                                           type: string
6879                                           nodeSelector:
6880                                             description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
6881                                             type: object
6882                                             additionalProperties:
6883                                               type: string
6884                                           priorityClassName:
6885                                             description: If specified, the pod's priorityClassName.
6886                                             type: string
6887                                           serviceAccountName:
                                                 # NOTE(review): the schema accepts any string here (no enum or
                                                 # pattern), so this CRD does not limit which service account the
                                                 # pod runs as. Presumably this is the ACME solver pod template
                                                 # (confirm against the enclosing field); restricting who may
                                                 # create or edit these resources is left to RBAC or admission
                                                 # policy.
6888                                             description: If specified, the pod's service account
6889                                             type: string
6890                                           tolerations:
6891                                             description: If specified, the pod's tolerations.
6892                                             type: array
6893                                             items:
6894                                               description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
6895                                               type: object
6896                                               properties:
6897                                                 effect:
6898                                                   description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
6899                                                   type: string
6900                                                 key:
6901                                                   description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
6902                                                   type: string
6903                                                 operator:
6904                                                   description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
6905                                                   type: string
6906                                                 tolerationSeconds:
6907                                                   description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
6908                                                   type: integer
6909                                                   format: int64
6910                                                 value:
6911                                                   description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
6912                                                   type: string
6913                                   serviceType:
                                         # Review note: this schema declares only `type: string` (no enum),
                                         # so values other than the documented NodePort/ClusterIP are not
                                         # rejected by the schema itself, and the documented default is
                                         # NodePort.
                                         # NOTE(review): where the ingress path can reach the solver Service
                                         # without a node port, setting ClusterIP explicitly narrows its
                                         # exposure - confirm per cluster.
6914                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
6915                                     type: string
6916                           selector:
6917                             description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
6918                             type: object
6919                             properties:
6920                               dnsNames:
6921                                 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
6922                                 type: array
6923                                 items:
6924                                   type: string
6925                               dnsZones:
6926                                 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
6927                                 type: array
6928                                 items:
6929                                   type: string
6930                               matchLabels:
6931                                 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
6932                                 type: object
6933                                 additionalProperties:
6934                                   type: string
6935                 ca:
                       # Review note: `secretName` (the only required field) names the
                       # Secret holding the signing CA keypair, so read access to that
                       # Secret amounts to the ability to sign as this CA; keep RBAC on
                       # it tight.
                       # NOTE(review): for a ClusterIssuer the Secret is presumably
                       # resolved in cert-manager's cluster resource namespace - confirm
                       # for this install.
6936                   description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
6937                   type: object
6938                   required:
6939                     - secretName
6940                   properties:
                         # Both revocation lists below are optional arrays of plain
                         # strings (no pattern/format in this schema), so URL
                         # well-formedness is not checked here. Per the descriptions,
                         # leaving them unset yields certificates with no CRL or OCSP
                         # pointers.
6941                     crlDistributionPoints:
6942                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
6943                       type: array
6944                       items:
6945                         type: string
6946                     ocspServers:
6947                       description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
6948                       type: array
6949                       items:
6950                         type: string
6951                     secretName:
6952                       description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
6953                       type: string
6954                 selfSigned:
                       # Review note: per the description, the certificate is signed
                       # with the same private key that created the CertificateRequest,
                       # so no separate CA vouches for it. No field is required; the
                       # only option is the optional list of CRL distribution points
                       # (plain strings, not validated by this schema).
6955                   description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
6956                   type: object
6957                   properties:
6958                     crlDistributionPoints:
6959                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
6960                       type: array
6961                       items:
6962                         type: string
6963                 vault:
                       # Review note: `server` is an unvalidated string in this schema,
                       # and the caBundle description states the bundle is ignored for
                       # plain HTTP. An http:// server value is therefore accepted by the
                       # schema and would send the Vault credentials without TLS.
                       # NOTE(review): enforce https:// for `server` by policy.
6964                   description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
6965                   type: object
6966                   required:
6967                     - auth
6968                     - path
6969                     - server
6970                   properties:
6971                     auth:
                           # Three methods are offered (appRole, kubernetes,
                           # tokenSecretRef), but `auth` declares no `required` or
                           # oneOf, so "exactly one method" is not enforced by this
                           # schema.
                           # NOTE(review): any such check would have to come from the
                           # validating webhook - confirm.
6972                       description: Auth configures how cert-manager authenticates with the Vault server.
6973                       type: object
6974                       properties:
6975                         appRole:
6976                           description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
6977                           type: object
6978                           required:
6979                             - path
6980                             - roleId
6981                             - secretRef
6982                           properties:
6983                             path:
6984                               description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
6985                               type: string
6986                             roleId:
6987                               description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
6988                               type: string
6989                             secretRef:
                                   # The description says `key` must be specified, but
                                   # only `name` is listed under `required`, so a missing
                                   # `key` is not caught by this schema.
6990                               description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
6991                               type: object
6992                               required:
6993                                 - name
6994                               properties:
6995                                 key:
6996                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
6997                                   type: string
6998                                 name:
6999                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7000                                   type: string
7001                         kubernetes:
                               # `role` and `secretRef` are required; `mountPath` is
                               # optional and, per its description, defaults to
                               # "/v1/auth/kubernetes".
7002                           description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
7003                           type: object
7004                           required:
7005                             - role
7006                             - secretRef
7007                           properties:
7008                             mountPath:
7009                               description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
7010                               type: string
7011                             role:
7012                               description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
7013                               type: string
7014                             secretRef:
                                   # The Secret holds a ServiceAccount JWT (see
                                   # description); treat it as a credential.
7015                               description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
7016                               type: object
7017                               required:
7018                                 - name
7019                               properties:
7020                                 key:
7021                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7022                                   type: string
7023                                 name:
7024                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7025                                   type: string
7026                         tokenSecretRef:
                               # NOTE(review): a Vault token read from a Secret; token
                               # lifetime and renewal are not described here - check
                               # TTL/rotation when this method is used.
7027                           description: TokenSecretRef authenticates with Vault by presenting a token.
7028                           type: object
7029                           required:
7030                             - name
7031                           properties:
7032                             key:
7033                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7034                               type: string
7035                             name:
7036                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7037                               type: string
7038                     caBundle:
                           # Optional. `format: byte` means the value is base64-encoded
                           # in the manifest. When unset, the system root certificates
                           # validate the Vault TLS connection (see description).
7039                       description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
7040                       type: string
7041                       format: byte
7042                     namespace:
7043                       description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
7044                       type: string
7045                     path:
7046                       description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
7047                       type: string
7048                     server:
7049                       description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
7050                       type: string
7051                 venafi:
                       # Review note: the descriptions state that only one of `tpp` or
                       # `cloud` may be specified, but this schema requires only `zone`
                       # and has no oneOf, so that exclusivity is not enforced by the
                       # schema itself.
                       # NOTE(review): confirm it is checked elsewhere (e.g. webhook).
7052                   description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
7053                   type: object
7054                   required:
7055                     - zone
7056                   properties:
7057                     cloud:
7058                       description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
7059                       type: object
7060                       required:
7061                         - apiTokenSecretRef
7062                       properties:
7063                         apiTokenSecretRef:
                               # References the API token Secret; only `name` is
                               # required, `key` is optional in this schema.
7064                           description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
7065                           type: object
7066                           required:
7067                             - name
7068                           properties:
7069                             key:
7070                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7071                               type: string
7072                             name:
7073                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7074                               type: string
7075                         url:
                               # Plain string, no scheme validation in this schema;
                               # the documented default is an https:// URL.
7076                           description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
7077                           type: string
7078                     tpp:
7079                       description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
7080                       type: object
7081                       required:
7082                         - credentialsRef
7083                         - url
7084                       properties:
7085                         caBundle:
                               # Optional. Per the description, setting it replaces the
                               # system roots for this connection, so the TPP issuing CA
                               # must chain to the provided root. `format: byte` means
                               # the value is base64-encoded in the manifest.
7086                           description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
7087                           type: string
7088                           format: byte
7089                         credentialsRef:
                               # Unlike the other secret references in this schema, no
                               # `key` selector is offered: the Secret must carry the
                               # fixed keys 'username' and 'password' (see description).
7090                           description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
7091                           type: object
7092                           required:
7093                             - name
7094                           properties:
7095                             name:
7096                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7097                               type: string
7098                         url:
                               # Plain string, no scheme validation in this schema.
                               # NOTE(review): the username/password above are sent to
                               # this endpoint, so require https:// by policy.
7099                           description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
7100                           type: string
7101                     zone:
7102                       description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
7103                       type: string
7104             status:
7105               description: Status of the ClusterIssuer. This is set and managed automatically.
7106               type: object
7107               properties:
7108                 acme:
7109                   description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
7110                   type: object
7111                   properties:
7112                     lastRegisteredEmail:
7113                       description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
7114                       type: string
7115                     uri:
7116                       description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
7117                       type: string
7118                 conditions:
7119                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
7120                   type: array
7121                   items:
7122                     description: IssuerCondition contains condition information for an Issuer.
7123                     type: object
7124                     required:
7125                       - status
7126                       - type
7127                     properties:
7128                       lastTransitionTime:
7129                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
7130                         type: string
7131                         format: date-time
7132                       message:
7133                         description: Message is a human readable description of the details of the last transition, complementing reason.
7134                         type: string
7135                       observedGeneration:
7136                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
7137                         type: integer
7138                         format: int64
7139                       reason:
7140                         description: Reason is a brief machine readable explanation for the condition's last transition.
7141                         type: string
7142                       status:
7143                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
7144                         type: string
7145                         enum:
7146                           - "True"
7147                           - "False"
7148                           - Unknown
7149                       type:
7150                         description: Type of the condition, known values are (`Ready`).
7151                         type: string
7152       served: true
7153       storage: false
7154     - name: v1alpha3
7155       subresources:
7156         status: {}
7157       additionalPrinterColumns:
7158         - jsonPath: .status.conditions[?(@.type=="Ready")].status
7159           name: Ready
7160           type: string
7161         - jsonPath: .status.conditions[?(@.type=="Ready")].message
7162           name: Status
7163           priority: 1
7164           type: string
7165         - jsonPath: .metadata.creationTimestamp
7166           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
7167           name: Age
7168           type: date
7169       schema:
7170         openAPIV3Schema:
7171           description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
7172           type: object
7173           properties:
7174             apiVersion:
7175               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
7176               type: string
7177             kind:
7178               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
7179               type: string
7180             metadata:
7181               type: object
7182             spec:
7183               description: Desired state of the ClusterIssuer resource.
7184               type: object
7185               properties:
7186                 acme:
7187                   description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
7188                   type: object
7189                   required:
7190                     - privateKeySecretRef
7191                     - server
7192                   properties:
7193                     disableAccountKeyGeneration:
7194                       description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
7195                       type: boolean
7196                     email:
7197                       description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
7198                       type: string
7199                     enableDurationFeature:
7200                       description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
7201                       type: boolean
7202                     externalAccountBinding:
                           # Review note: `keyID` and `keySecretRef` are required.
                           # `keyAlgorithm` is optional and deprecated: the enum still
                           # accepts HS256/HS384/HS512, but per its description the
                           # algorithm is hardcoded to HS256, so other values should not
                           # be read as selecting a stronger MAC.
7203                       description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
7204                       type: object
7205                       required:
7206                         - keyID
7207                         - keySecretRef
7208                       properties:
7209                         keyAlgorithm:
7210                           description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
7211                           type: string
7212                           enum:
7213                             - HS256
7214                             - HS384
7215                             - HS512
7216                         keyID:
7217                           description: keyID is the ID of the CA key that the External Account is bound to.
7218                           type: string
7219                         keySecretRef:
                               # References the symmetric MAC key of the binding; the
                               # Secret is a credential for the external CA account.
                               # Only `name` is required by this schema; `key` (the
                               # entry name, not the key material) is optional here.
7220                           description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
7221                           type: object
7222                           required:
7223                             - name
7224                           properties:
7225                             key:
7226                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7227                               type: string
7228                             name:
7229                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7230                               type: string
7231                     preferredChain:
7232                       description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
7233                       type: string
7234                       maxLength: 64
7235                     privateKeySecretRef:
                           # Review note: names the Secret that stores the ACME account
                           # private key. Only `name` is required; when `key` is unset
                           # the description gives `tls.key` as the default entry.
                           # NOTE(review): read access to this Secret allows acting as
                           # the ACME account - restrict RBAC on it accordingly.
7236                       description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
7237                       type: object
7238                       required:
7239                         - name
7240                       properties:
7241                         key:
7242                           description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7243                           type: string
7244                         name:
7245                           description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7246                           type: string
7247                     server:
7248                       description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
7249                       type: string
7250                     skipTLSVerify:
                           # Review note: `true` turns off validation of the ACME
                           # server's TLS certificate (see description); the documented
                           # default is false.
                           # NOTE(review): worth an admission-policy or CI check that
                           # rejects `skipTLSVerify: true` on issuers outside
                           # development clusters.
7251                       description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
7252                       type: boolean
7253                     solvers:
7254                       description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
7255                       type: array
7256                       items:
7257                         description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
7258                         type: object
7259                         properties:
7260                           dns01:
7261                             description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
7262                             type: object
7263                             properties:
7264                               acmedns:
7265                                 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
7266                                 type: object
7267                                 required:
7268                                   - accountSecretRef
7269                                   - host
7270                                 properties:
7271                                   accountSecretRef:
7272                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7273                                     type: object
7274                                     required:
7275                                       - name
7276                                     properties:
7277                                       key:
7278                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7279                                         type: string
7280                                       name:
7281                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7282                                         type: string
7283                                   host:
7284                                     type: string
7285                               akamai:
7286                                 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
7287                                 type: object
7288                                 required:
7289                                   - accessTokenSecretRef
7290                                   - clientSecretSecretRef
7291                                   - clientTokenSecretRef
7292                                   - serviceConsumerDomain
7293                                 properties:
7294                                   accessTokenSecretRef:
7295                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7296                                     type: object
7297                                     required:
7298                                       - name
7299                                     properties:
7300                                       key:
7301                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7302                                         type: string
7303                                       name:
7304                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7305                                         type: string
7306                                   clientSecretSecretRef:
7307                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7308                                     type: object
7309                                     required:
7310                                       - name
7311                                     properties:
7312                                       key:
7313                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7314                                         type: string
7315                                       name:
7316                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7317                                         type: string
7318                                   clientTokenSecretRef:
7319                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7320                                     type: object
7321                                     required:
7322                                       - name
7323                                     properties:
7324                                       key:
7325                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7326                                         type: string
7327                                       name:
7328                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7329                                         type: string
7330                                   serviceConsumerDomain:
7331                                     type: string
7332                               azuredns:
                                     # Credential selection, per the field descriptions below: leave both
                                     # clientID and clientSecretSecretRef unset to use MSI, or set them
                                     # together with tenantID.
                                     # NOTE(review): only resourceGroupName and subscriptionID are
                                     # schema-required, so a partial credential set (e.g. clientID without
                                     # tenantID) passes CRD validation and must be caught elsewhere.
7333                                 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
7334                                 type: object
7335                                 required:
7336                                   - resourceGroupName
7337                                   - subscriptionID
7338                                 properties:
7339                                   clientID:
7340                                     description: if both this and ClientSecret are left unset MSI will be used
7341                                     type: string
7342                                   clientSecretSecretRef:
                                         # The client secret is never written inline: only a Secret name
                                         # (required) and an optional key are referenced here.
7343                                     description: if both this and ClientID are left unset MSI will be used
7344                                     type: object
7345                                     required:
7346                                       - name
7347                                     properties:
7348                                       key:
7349                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7350                                         type: string
7351                                       name:
7352                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7353                                         type: string
7354                                   environment:
                                         # Closed enum: the API server rejects any value not listed below.
7355                                     type: string
7356                                     enum:
7357                                       - AzurePublicCloud
7358                                       - AzureChinaCloud
7359                                       - AzureGermanCloud
7360                                       - AzureUSGovernmentCloud
7361                                   hostedZoneName:
7362                                     type: string
7363                                   resourceGroupName:
7364                                     type: string
7365                                   subscriptionID:
7366                                     type: string
7367                                   tenantID:
7368                                     description: when specifying ClientID and ClientSecret then this field is also needed
7369                                     type: string
7370                               clouddns:
                                     # Only `project` is schema-required; serviceAccountSecretRef is optional.
                                     # NOTE(review): when it is omitted the solver presumably relies on the
                                     # ambient identity of the cert-manager pod - confirm, and scope that
                                     # identity to DNS record changes in the intended zone only.
7371                                 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
7372                                 type: object
7373                                 required:
7374                                   - project
7375                                 properties:
7376                                   hostedZoneName:
7377                                     description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
7378                                     type: string
7379                                   project:
7380                                     type: string
7381                                   serviceAccountSecretRef:
                                         # The service-account key material lives in the referenced Secret;
                                         # this object holds only its name (required) and key.
7382                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7383                                     type: object
7384                                     required:
7385                                       - name
7386                                     properties:
7387                                       key:
7388                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7389                                         type: string
7390                                       name:
7391                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7392                                         type: string
7393                               cloudflare:
                                     # There is no `required` list on this object: the schema neither forces a
                                     # credential to be set nor prevents apiKeySecretRef and apiTokenSecretRef
                                     # from both being present. Any such rule has to be enforced outside the
                                     # CRD schema.
7394                                 description: Use the Cloudflare API to manage DNS01 challenge records.
7395                                 type: object
7396                                 properties:
7397                                   apiKeySecretRef:
                                         # Legacy path: the description itself recommends an API token
                                         # instead, because a token's permissions can be restricted.
7398                                     description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
7399                                     type: object
7400                                     required:
7401                                       - name
7402                                     properties:
7403                                       key:
7404                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7405                                         type: string
7406                                       name:
7407                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7408                                         type: string
7409                                   apiTokenSecretRef:
                                         # Preferred credential. Hardening: issue the token with only the
                                         # DNS-edit permission for the zone(s) this solver serves.
7410                                     description: API token used to authenticate with Cloudflare.
7411                                     type: object
7412                                     required:
7413                                       - name
7414                                     properties:
7415                                       key:
7416                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7417                                         type: string
7418                                       name:
7419                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7420                                         type: string
7421                                   email:
7422                                     description: Email of the account, only required when using API key based authentication.
7423                                     type: string
7424                               cnameStrategy:
                                     # Closed enum of two strings. The plain scalar `None` below is the
                                     # string "None", not a YAML null.
                                     # NOTE(review): `Follow` presumably makes the solver place the challenge
                                     # record in the zone a CNAME points at. That hands domain validation to
                                     # whoever controls the target zone, so treat such CNAMEs as a trust
                                     # delegation and review them accordingly - confirm against the solver docs.
7425                                 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
7426                                 type: string
7427                                 enum:
7428                                   - None
7429                                   - Follow
7430                               digitalocean:
                                     # tokenSecretRef is mandatory, so the API token always comes from a
                                     # Secret rather than from the Issuer object itself.
7431                                 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
7432                                 type: object
7433                                 required:
7434                                   - tokenSecretRef
7435                                 properties:
7436                                   tokenSecretRef:
                                         # Only `name` is schema-required; `key` may be omitted here.
                                         # NOTE(review): confirm whether the controller defaults or rejects
                                         # a missing key for this provider.
7437                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
7438                                     type: object
7439                                     required:
7440                                       - name
7441                                     properties:
7442                                       key:
7443                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7444                                         type: string
7445                                       name:
7446                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7447                                         type: string
7448                               rfc2136:
                                     # Only `nameserver` is schema-required. The TSIG fields depend on each
                                     # other in prose only, so an Issuer that sets just one of tsigKeyName /
                                     # tsigSecretSecretRef still passes CRD validation.
                                     # NOTE(review): with neither set, updates are presumably sent without a
                                     # TSIG signature - confirm, and have the DNS server require signed
                                     # updates.
7449                                 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
7450                                 type: object
7451                                 required:
7452                                   - nameserver
7453                                 properties:
7454                                   nameserver:
7455                                     description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
7456                                     type: string
7457                                   tsigAlgorithm:
                                         # Security note: the documented default is HMACMD5, which current
                                         # TSIG guidance discourages. Set HMACSHA256 or HMACSHA512
                                         # explicitly and configure the server-side key to match.
                                         # The field is a free string: the listed values are not a schema
                                         # enum, so a typo is not rejected by the API server.
7458                                     description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
7459                                     type: string
7460                                   tsigKeyName:
7461                                     description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
7462                                     type: string
7463                                   tsigSecretSecretRef:
                                         # The TSIG shared secret stays in the referenced Secret; only its
                                         # name (required) and key appear in the Issuer.
7464                                     description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
7465                                     type: object
7466                                     required:
7467                                       - name
7468                                     properties:
7469                                       key:
7470                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7471                                         type: string
7472                                       name:
7473                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7474                                         type: string
7475                               route53:
                                     # Only `region` is schema-required. accessKeyID is stored inline in the
                                     # Issuer spec; the secret access key is taken by Secret reference only.
                                     # With neither set, the descriptions say authentication falls back to env
                                     # vars, the shared credentials file or instance metadata, i.e. the
                                     # identity the cert-manager pod itself runs with.
7476                                 description: Use the AWS Route53 API to manage DNS01 challenge records.
7477                                 type: object
7478                                 required:
7479                                   - region
7480                                 properties:
7481                                   accessKeyID:
7482                                     description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
7483                                     type: string
7484                                   hostedZoneID:
                                         # Hardening: pinning the zone avoids the ListHostedZonesByName
                                         # lookup (see description), which should let the IAM policy be
                                         # limited to record changes in this one zone.
7485                                     description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
7486                                     type: string
7487                                   region:
7488                                     description: Always set the region when using AccessKeyID and SecretAccessKey
7489                                     type: string
7490                                   role:
                                         # NOTE(review): free-form ARN. Whoever may create or edit Issuers
                                         # picks the role the controller's credentials try to assume, so
                                         # constrain it with the role's trust policy and RBAC on Issuers.
7491                                     description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
7492                                     type: string
7493                                   secretAccessKeySecretRef:
7494                                     description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
7495                                     type: object
7496                                     required:
7497                                       - name
7498                                     properties:
7499                                       key:
7500                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
7501                                         type: string
7502                                       name:
7503                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
7504                                         type: string
7505                               webhook:
                                     # groupName and solverName select the external solver; both are required.
7506                                 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
7507                                 type: object
7508                                 required:
7509                                   - groupName
7510                                   - solverName
7511                                 properties:
7512                                   config:
                                         # No `type`, and unknown fields are preserved: the API server
                                         # stores whatever JSON is placed here without validating or
                                         # pruning it. The value is part of the Issuer object, so anyone
                                         # who can read Issuers can read it - keep credentials in a Secret
                                         # and reference it, as the description says.
7513                                     description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
7514                                     x-kubernetes-preserve-unknown-fields: true
7515                                   groupName:
7516                                     description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
7517                                     type: string
7518                                   solverName:
7519                                     description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
7520                                     type: string
7521                           http01:
7522                             description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
7523                             type: object
7524                             properties:
7525                               gatewayHTTPRoute:
                                     # Described below as experimental; no field on this object is
                                     # schema-required.
7526                                 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
7527                                 type: object
7528                                 properties:
7529                                   labels:
                                         # These labels decide which Gateway(s) pick up the temporary
                                         # HTTPRoute, per the description; keep them specific so the
                                         # challenge route attaches only to the intended Gateway.
7530                                     description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
7531                                     type: object
7532                                     additionalProperties:
7533                                       type: string
7534                                   serviceType:
                                         # Plain string with no enum: NodePort / ClusterIP are documented
                                         # but not schema-enforced.
                                         # NOTE(review): the stated default NodePort exposes the solver
                                         # Service on a node port; ClusterIP may be preferable where the
                                         # Gateway can reach cluster-internal Services - confirm.
7535                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
7536                                     type: string
7537                               ingress:
7538                                 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
7539                                 type: object
7540                                 properties:
7541                                   class:
7542                                     description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
7543                                     type: string
7544                                   ingressTemplate:
7545                                     description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
7546                                     type: object
7547                                     properties:
7548                                       metadata:
7549                                         description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
7550                                         type: object
7551                                         properties:
7552                                           annotations:
7553                                             description: Annotations that should be added to the created ACME HTTP01 solver ingress.
7554                                             type: object
7555                                             additionalProperties:
7556                                               type: string
7557                                           labels:
7558                                             description: Labels that should be added to the created ACME HTTP01 solver ingress.
7559                                             type: object
7560                                             additionalProperties:
7561                                               type: string
7562                                   name:
7563                                     description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
7564                                     type: string
7565                                   podTemplate:
7566                                     description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
7567                                     type: object
7568                                     properties:
7569                                       metadata:
7570                                         description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
7571                                         type: object
7572                                         properties:
7573                                           annotations:
7574                                             description: Annotations that should be added to the create ACME HTTP01 solver pods.
7575                                             type: object
7576                                             additionalProperties:
7577                                               type: string
7578                                           labels:
7579                                             description: Labels that should be added to the created ACME HTTP01 solver pods.
7580                                             type: object
7581                                             additionalProperties:
7582                                               type: string
7583                                       spec:
7584                                         description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
7585                                         type: object
7586                                         properties:
7587                                           affinity:
7588                                             description: If specified, the pod's scheduling constraints
7589                                             type: object
7590                                             properties:
7591                                               nodeAffinity:
7592                                                 description: Describes node affinity scheduling rules for the pod.
7593                                                 type: object
7594                                                 properties:
7595                                                   preferredDuringSchedulingIgnoredDuringExecution:
7596                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
7597                                                     type: array
7598                                                     items:
7599                                                       description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
7600                                                       type: object
7601                                                       required:
7602                                                         - preference
7603                                                         - weight
7604                                                       properties:
7605                                                         preference:
7606                                                           description: A node selector term, associated with the corresponding weight.
7607                                                           type: object
7608                                                           properties:
7609                                                             matchExpressions:
7610                                                               description: A list of node selector requirements by node's labels.
7611                                                               type: array
7612                                                               items:
7613                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7614                                                                 type: object
7615                                                                 required:
7616                                                                   - key
7617                                                                   - operator
7618                                                                 properties:
7619                                                                   key:
7620                                                                     description: The label key that the selector applies to.
7621                                                                     type: string
7622                                                                   operator:
7623                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
7624                                                                     type: string
7625                                                                   values:
7626                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7627                                                                     type: array
7628                                                                     items:
7629                                                                       type: string
7630                                                             matchFields:
7631                                                               description: A list of node selector requirements by node's fields.
7632                                                               type: array
7633                                                               items:
7634                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7635                                                                 type: object
7636                                                                 required:
7637                                                                   - key
7638                                                                   - operator
7639                                                                 properties:
7640                                                                   key:
7641                                                                     description: The label key that the selector applies to.
7642                                                                     type: string
7643                                                                   operator:
7644                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
7645                                                                     type: string
7646                                                                   values:
7647                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7648                                                                     type: array
7649                                                                     items:
7650                                                                       type: string
7651                                                         weight:
7652                                                           description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
7653                                                           type: integer
7654                                                           format: int32
7655                                                   requiredDuringSchedulingIgnoredDuringExecution:
                                                         # Hard scheduling rule: per the description, a pod whose terms match no node is not scheduled.
                                                         # NOTE(review): the parent key is above this excerpt; the nodeSelectorTerms shape suggests node affinity - confirm.
7656                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
7657                                                     type: object
7658                                                     required:
7659                                                       - nodeSelectorTerms
7660                                                     properties:
                                                           # Terms are ORed with each other; the requirements inside a single term are ANDed.
7661                                                       nodeSelectorTerms:
7662                                                         description: Required. A list of node selector terms. The terms are ORed.
7663                                                         type: array
7664                                                         items:
7665                                                           description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
7666                                                           type: object
7667                                                           properties:
7668                                                             matchExpressions:
7669                                                               description: A list of node selector requirements by node's labels.
7670                                                               type: array
7671                                                               items:
7672                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7673                                                                 type: object
7674                                                                 required:
7675                                                                   - key
7676                                                                   - operator
7677                                                                 properties:
7678                                                                   key:
7679                                                                     description: The label key that the selector applies to.
7680                                                                     type: string
                                                                       # Declared only as a string: the operator names appear in the description, but no
                                                                       # enum is set here, so this schema by itself does not restrict the value.
                                                                       # NOTE(review): presumably checked elsewhere when the pod is created - confirm.
7681                                                                   operator:
7682                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
7683                                                                     type: string
                                                                       # Always an array of strings, including for Gt/Lt, where the description says the
                                                                       # single element is interpreted as an integer.
7684                                                                   values:
7685                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7686                                                                     type: array
7687                                                                     items:
7688                                                                       type: string
                                                                 # Same requirement shape as matchExpressions, matched against node fields rather than
                                                                 # labels; the key description below still reads "label key".
7689                                                             matchFields:
7690                                                               description: A list of node selector requirements by node's fields.
7691                                                               type: array
7692                                                               items:
7693                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7694                                                                 type: object
7695                                                                 required:
7696                                                                   - key
7697                                                                   - operator
7698                                                                 properties:
7699                                                                   key:
7700                                                                     description: The label key that the selector applies to.
7701                                                                     type: string
7702                                                                   operator:
7703                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
7704                                                                     type: string
7705                                                                   values:
7706                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
7707                                                                     type: array
7708                                                                     items:
7709                                                                       type: string
7710                                               podAffinity:
                                                     # Pod co-location rules in two forms: weighted preferences (soft) and hard requirements.
7711                                                 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
7712                                                 type: object
7713                                                 properties:
                                                       # Soft rule: the scheduler may still pick a node that violates these expressions.
7714                                                   preferredDuringSchedulingIgnoredDuringExecution:
7715                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
7716                                                     type: array
7717                                                     items:
7718                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7719                                                       type: object
7720                                                       required:
7721                                                         - podAffinityTerm
7722                                                         - weight
7723                                                       properties:
7724                                                         podAffinityTerm:
7725                                                           description: Required. A pod affinity term, associated with the corresponding weight.
7726                                                           type: object
7727                                                           required:
7728                                                             - topologyKey
7729                                                           properties:
7730                                                             labelSelector:
7731                                                               description: A label query over a set of resources, in this case pods.
7732                                                               type: object
7733                                                               properties:
7734                                                                 matchExpressions:
7735                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7736                                                                   type: array
7737                                                                   items:
7738                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7739                                                                     type: object
7740                                                                     required:
7741                                                                       - key
7742                                                                       - operator
7743                                                                     properties:
7744                                                                       key:
7745                                                                         description: key is the label key that the selector applies to.
7746                                                                         type: string
7747                                                                       operator:
7748                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7749                                                                         type: string
7750                                                                       values:
7751                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7752                                                                         type: array
7753                                                                         items:
7754                                                                           type: string
7755                                                                 matchLabels:
7756                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7757                                                                   type: object
7758                                                                   additionalProperties:
7759                                                                     type: string
                                                                 # Scope caveat: an empty selector ({}) selects every namespace, whereas an unset
                                                                 # selector together with an empty namespaces list means only the pod's own namespace.
                                                                 # The field is alpha and gated by PodAffinityNamespaceSelector.
                                                                 # NOTE(review): with the gate off the selector is presumably ignored, so the same
                                                                 # term may cover a different set of namespaces on different clusters - confirm.
7760                                                             namespaceSelector:
7761                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7762                                                               type: object
7763                                                               properties:
7764                                                                 matchExpressions:
7765                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7766                                                                   type: array
7767                                                                   items:
7768                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7769                                                                     type: object
7770                                                                     required:
7771                                                                       - key
7772                                                                       - operator
7773                                                                     properties:
7774                                                                       key:
7775                                                                         description: key is the label key that the selector applies to.
7776                                                                         type: string
7777                                                                       operator:
7778                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7779                                                                         type: string
7780                                                                       values:
7781                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7782                                                                         type: array
7783                                                                         items:
7784                                                                           type: string
7785                                                                 matchLabels:
7786                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7787                                                                   type: object
7788                                                                   additionalProperties:
7789                                                                     type: string
                                                                 # Static namespace names; the term applies to the union of this list and namespaceSelector.
7790                                                             namespaces:
7791                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7792                                                               type: array
7793                                                               items:
7794                                                                 type: string
                                                                 # The only required property of a term. "Empty topologyKey is not allowed" is stated
                                                                 # in the description only; no minLength is declared in this schema.
7795                                                             topologyKey:
7796                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7797                                                               type: string
                                                             # The 1-100 range is stated in the description only; the schema declares integer/int32
                                                             # with no minimum or maximum.
7798                                                         weight:
7799                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
7800                                                           type: integer
7801                                                           format: int32
                                                       # Hard rule: when several terms are listed, every term must be satisfied
                                                       # (the node sets of the terms are intersected).
7802                                                   requiredDuringSchedulingIgnoredDuringExecution:
7803                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
7804                                                     type: array
7805                                                     items:
7806                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
7807                                                       type: object
7808                                                       required:
7809                                                         - topologyKey
7810                                                       properties:
7811                                                         labelSelector:
7812                                                           description: A label query over a set of resources, in this case pods.
7813                                                           type: object
7814                                                           properties:
7815                                                             matchExpressions:
7816                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7817                                                               type: array
7818                                                               items:
7819                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7820                                                                 type: object
7821                                                                 required:
7822                                                                   - key
7823                                                                   - operator
7824                                                                 properties:
7825                                                                   key:
7826                                                                     description: key is the label key that the selector applies to.
7827                                                                     type: string
7828                                                                   operator:
7829                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7830                                                                     type: string
7831                                                                   values:
7832                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7833                                                                     type: array
7834                                                                     items:
7835                                                                       type: string
7836                                                             matchLabels:
7837                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7838                                                               type: object
7839                                                               additionalProperties:
7840                                                                 type: string
                                                             # Scope caveat for the hard rule as well: {} selects every namespace, and the field
                                                             # is honored only when the PodAffinityNamespaceSelector feature is enabled.
7841                                                         namespaceSelector:
7842                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7843                                                           type: object
7844                                                           properties:
7845                                                             matchExpressions:
7846                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7847                                                               type: array
7848                                                               items:
7849                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7850                                                                 type: object
7851                                                                 required:
7852                                                                   - key
7853                                                                   - operator
7854                                                                 properties:
7855                                                                   key:
7856                                                                     description: key is the label key that the selector applies to.
7857                                                                     type: string
7858                                                                   operator:
7859                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7860                                                                     type: string
7861                                                                   values:
7862                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7863                                                                     type: array
7864                                                                     items:
7865                                                                       type: string
7866                                                             matchLabels:
7867                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7868                                                               type: object
7869                                                               additionalProperties:
7870                                                                 type: string
7871                                                         namespaces:
7872                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7873                                                           type: array
7874                                                           items:
7875                                                             type: string
                                                             # Required; the non-empty rule is stated in the description only (no minLength here).
7876                                                         topologyKey:
7877                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7878                                                           type: string
7879                                               podAntiAffinity:
7880                                                 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
7881                                                 type: object
7882                                                 properties:
7883                                                   preferredDuringSchedulingIgnoredDuringExecution:
7884                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
7885                                                     type: array
7886                                                     items:
7887                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7888                                                       type: object
7889                                                       required:
7890                                                         - podAffinityTerm
7891                                                         - weight
7892                                                       properties:
7893                                                         podAffinityTerm:
7894                                                           description: Required. A pod affinity term, associated with the corresponding weight.
7895                                                           type: object
7896                                                           required:
7897                                                             - topologyKey
7898                                                           properties:
7899                                                             labelSelector:
7900                                                               description: A label query over a set of resources, in this case pods.
7901                                                               type: object
7902                                                               properties:
7903                                                                 matchExpressions:
7904                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7905                                                                   type: array
7906                                                                   items:
7907                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7908                                                                     type: object
7909                                                                     required:
7910                                                                       - key
7911                                                                       - operator
7912                                                                     properties:
7913                                                                       key:
7914                                                                         description: key is the label key that the selector applies to.
7915                                                                         type: string
7916                                                                       operator:
7917                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7918                                                                         type: string
7919                                                                       values:
7920                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7921                                                                         type: array
7922                                                                         items:
7923                                                                           type: string
7924                                                                 matchLabels:
7925                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7926                                                                   type: object
7927                                                                   additionalProperties:
7928                                                                     type: string
7929                                                             namespaceSelector:
7930                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
7931                                                               type: object
7932                                                               properties:
7933                                                                 matchExpressions:
7934                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7935                                                                   type: array
7936                                                                   items:
7937                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7938                                                                     type: object
7939                                                                     required:
7940                                                                       - key
7941                                                                       - operator
7942                                                                     properties:
7943                                                                       key:
7944                                                                         description: key is the label key that the selector applies to.
7945                                                                         type: string
7946                                                                       operator:
7947                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7948                                                                         type: string
7949                                                                       values:
7950                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
7951                                                                         type: array
7952                                                                         items:
7953                                                                           type: string
7954                                                                 matchLabels:
7955                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
7956                                                                   type: object
7957                                                                   additionalProperties:
7958                                                                     type: string
7959                                                             namespaces:
7960                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
7961                                                               type: array
7962                                                               items:
7963                                                                 type: string
7964                                                             topologyKey:
7965                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
7966                                                               type: string
7967                                                         weight:
7968                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
7969                                                           type: integer
7970                                                           format: int32
7971                                                   requiredDuringSchedulingIgnoredDuringExecution:
7972                                                     description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
7973                                                     type: array
7974                                                     items:
7975                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
7976                                                       type: object
7977                                                       required:
7978                                                         - topologyKey
7979                                                       properties:
7980                                                         labelSelector:
7981                                                           description: A label query over a set of resources, in this case pods.
7982                                                           type: object
7983                                                           properties:
7984                                                             matchExpressions:
7985                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7986                                                               type: array
7987                                                               items:
7988                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
7989                                                                 type: object
7990                                                                 required:
7991                                                                   - key
7992                                                                   - operator
7993                                                                 properties:
7994                                                                   key:
7995                                                                     description: key is the label key that the selector applies to.
7996                                                                     type: string
7997                                                                   operator:
7998                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
7999                                                                     type: string
8000                                                                   values:
8001                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8002                                                                     type: array
8003                                                                     items:
8004                                                                       type: string
8005                                                             matchLabels:
8006                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8007                                                               type: object
8008                                                               additionalProperties:
8009                                                                 type: string
8010                                                         namespaceSelector:
8011                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
8012                                                           type: object
8013                                                           properties:
8014                                                             matchExpressions:
8015                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8016                                                               type: array
8017                                                               items:
8018                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8019                                                                 type: object
8020                                                                 required:
8021                                                                   - key
8022                                                                   - operator
8023                                                                 properties:
8024                                                                   key:
8025                                                                     description: key is the label key that the selector applies to.
8026                                                                     type: string
8027                                                                   operator:
8028                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8029                                                                     type: string
8030                                                                   values:
8031                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8032                                                                     type: array
8033                                                                     items:
8034                                                                       type: string
8035                                                             matchLabels:
8036                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8037                                                               type: object
8038                                                               additionalProperties:
8039                                                                 type: string
8040                                                         namespaces:
8041                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
8042                                                           type: array
8043                                                           items:
8044                                                             type: string
8045                                                         topologyKey:
8046                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
8047                                                           type: string
8048                                           nodeSelector:
8049                                             description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
8050                                             type: object
8051                                             additionalProperties:
8052                                               type: string
8053                                           priorityClassName:
8054                                             description: If specified, the pod's priorityClassName.
8055                                             type: string
8056                                           serviceAccountName:
8057                                             description: If specified, the pod's service account
8058                                             type: string
8059                                           tolerations:
8060                                             description: If specified, the pod's tolerations.
8061                                             type: array
8062                                             items:
8063                                               description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
8064                                               type: object
8065                                               properties:
8066                                                 effect:
8067                                                   description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
8068                                                   type: string
8069                                                 key:
8070                                                   description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
8071                                                   type: string
8072                                                 operator:
8073                                                   description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
8074                                                   type: string
8075                                                 tolerationSeconds:
8076                                                   description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
8077                                                   type: integer
8078                                                   format: int64
8079                                                 value:
8080                                                   description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
8081                                                   type: string
8082                                   serviceType:
                                         # Free-form string: the schema has no enum, so the two supported values named in
                                         # the description (NodePort, ClusterIP) are not enforced here.
                                         # Review note: leaving this unset yields a NodePort Service for the solver, which
                                         # Kubernetes exposes on a port of every node. Set ClusterIP explicitly where the
                                         # challenge traffic reaches the solver through an in-cluster route.
8083                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
8084                                     type: string
8085                           selector:
8086                             description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
8087                             type: object
8088                             properties:
8089                               dnsNames:
8090                                 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
8091                                 type: array
8092                                 items:
8093                                   type: string
8094                               dnsZones:
8095                                 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
8096                                 type: array
8097                                 items:
8098                                   type: string
8099                               matchLabels:
8100                                 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
8101                                 type: object
8102                                 additionalProperties:
8103                                   type: string
8104                 ca:
                       # CA issuer: signs with a CA keypair kept in the Secret named by secretName,
                       # which is the only required field of this object.
                       # Review note: whoever can read that Secret holds the signing key of this
                       # internal PKI, so keep RBAC on it narrow.
8105                   description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
8106                   type: object
8107                   required:
8108                     - secretName
8109                   properties:
                         # Optional. Entries are plain strings with no format or pattern, so the schema
                         # does not check that they are well-formed URLs. When unset, issued certificates
                         # carry no CRL location (see description).
8110                     crlDistributionPoints:
8111                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
8112                       type: array
8113                       items:
8114                         type: string
                         # Optional, same unvalidated string list. When unset, no OCSP responder URL is
                         # embedded in issued certificates (see description).
8115                     ocspServers:
8116                       description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
8117                       type: array
8118                       items:
8119                         type: string
                         # Names the Secret; the schema places no constraint on the string itself.
8120                     secretName:
8121                       description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
8122                       type: string
8123                 selfSigned:
                       # SelfSigned issuer: per the description, the certificate is signed with the
                       # private key that created the CertificateRequest, so there is no separate
                       # issuer-held key. No field of this object is required.
8124                   description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
8125                   type: object
8126                   properties:
                         # Optional list of unvalidated strings; when unset the certificate is issued
                         # without a CRL distribution point (see description).
8127                     crlDistributionPoints:
8128                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
8129                       type: array
8130                       items:
8131                         type: string
8132                 vault:
                       # Vault issuer: auth, path and server are all required; caBundle and namespace
                       # are optional.
8133                   description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
8134                   type: object
8135                   required:
8136                     - auth
8137                     - path
8138                     - server
8139                   properties:
                         # Three credential sources are defined below: appRole, kubernetes and
                         # tokenSecretRef.
                         # NOTE(review): this schema marks none of them required and has no oneOf, so
                         # an empty auth object or several sources at once pass schema validation;
                         # presumably the choice is enforced elsewhere - confirm.
8140                     auth:
8141                       description: Auth configures how cert-manager authenticates with the Vault server.
8142                       type: object
8143                       properties:
8144                         appRole:
8145                           description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
8146                           type: object
8147                           required:
8148                             - path
8149                             - roleId
8150                             - secretRef
8151                           properties:
8152                             path:
8153                               description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
8154                               type: string
8155                             roleId:
8156                               description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
8157                               type: string
                                 # NOTE(review): the description says `key` must be specified, but only
                                 # `name` is listed under required, so the schema alone accepts a
                                 # reference without a key.
8158                             secretRef:
8159                               description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
8160                               type: object
8161                               required:
8162                                 - name
8163                               properties:
8164                                 key:
8165                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8166                                   type: string
8167                                 name:
8168                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8169                                   type: string
8170                         kubernetes:
8171                           description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
8172                           type: object
8173                           required:
8174                             - role
8175                             - secretRef
8176                           properties:
                                 # Optional; the description gives "/v1/auth/kubernetes" as the default.
8177                             mountPath:
8178                               description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
8179                               type: string
8180                             role:
8181                               description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
8182                               type: string
                                 # The ServiceAccount JWT has to come from a named Secret; the
                                 # description rules out ambient credentials. Only `name` is required.
8183                             secretRef:
8184                               description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
8185                               type: object
8186                               required:
8187                                 - name
8188                               properties:
8189                                 key:
8190                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8191                                   type: string
8192                                 name:
8193                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8194                                   type: string
                             # A Vault token read from a Secret entry; only `name` is required.
8195                         tokenSecretRef:
8196                           description: TokenSecretRef authenticates with Vault by presenting a token.
8197                           type: object
8198                           required:
8199                             - name
8200                           properties:
8201                             key:
8202                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8203                               type: string
8204                             name:
8205                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8206                               type: string
                         # Optional. `format: byte` means the PEM bundle is written base64-encoded in the
                         # manifest. Without it the system root certificates validate the Vault TLS
                         # connection, and it has no effect when server is a plain-HTTP URL.
8207                     caBundle:
8208                       description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
8209                       type: string
8210                       format: byte
8211                     namespace:
8212                       description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
8213                       type: string
                         # Selects the PKI mount and role used for signing (see the example in the
                         # description); a free-form string as far as the schema is concerned.
8214                     path:
8215                       description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
8216                       type: string
                         # NOTE(review): a free-form string; the schema does not require an https://
                         # scheme. Because caBundle is ignored for plain HTTP, an http:// value would
                         # presumably send the credentials configured under auth without TLS. Prefer
                         # https and enforce it with an admission policy.
8217                     server:
8218                       description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
8219                       type: string
8220                 venafi:
8221                   description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
8222                   type: object
8223                   required:
8224                     - zone
8225                   properties:
8226                     cloud:
8227                       description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
8228                       type: object
8229                       required:
8230                         - apiTokenSecretRef
8231                       properties:
8232                         apiTokenSecretRef:
8233                           description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
8234                           type: object
8235                           required:
8236                             - name
8237                           properties:
8238                             key:
8239                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8240                               type: string
8241                             name:
8242                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8243                               type: string
8244                         url:
8245                           description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
8246                           type: string
8247                     tpp:
8248                       description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
8249                       type: object
8250                       required:
8251                         - credentialsRef
8252                         - url
8253                       properties:
8254                         caBundle:
8255                           description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
8256                           type: string
8257                           format: byte
8258                         credentialsRef:
8259                           description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
8260                           type: object
8261                           required:
8262                             - name
8263                           properties:
8264                             name:
8265                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8266                               type: string
8267                         url:
8268                           description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
8269                           type: string
8270                     zone:
8271                       description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
8272                       type: string
8273             status:
8274               description: Status of the ClusterIssuer. This is set and managed automatically.
8275               type: object
8276               properties:
8277                 acme:
8278                   description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
8279                   type: object
8280                   properties:
8281                     lastRegisteredEmail:
8282                       description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer.
8283                       type: string
8284                     uri:
8285                       description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
8286                       type: string
8287                 conditions:
8288                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
8289                   type: array
8290                   items:
8291                     description: IssuerCondition contains condition information for an Issuer.
8292                     type: object
8293                     required:
8294                       - status
8295                       - type
8296                     properties:
8297                       lastTransitionTime:
8298                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
8299                         type: string
8300                         format: date-time
8301                       message:
8302                         description: Message is a human readable description of the details of the last transition, complementing reason.
8303                         type: string
8304                       observedGeneration:
8305                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
8306                         type: integer
8307                         format: int64
8308                       reason:
8309                         description: Reason is a brief machine readable explanation for the condition's last transition.
8310                         type: string
8311                       status:
8312                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
8313                         type: string
8314                         enum:
8315                           - "True"
8316                           - "False"
8317                           - Unknown
8318                       type:
8319                         description: Type of the condition, known values are (`Ready`).
8320                         type: string
8321       served: true
8322       storage: false
8323     - name: v1beta1
8324       subresources:
8325         status: {}
8326       additionalPrinterColumns:
8327         - jsonPath: .status.conditions[?(@.type=="Ready")].status
8328           name: Ready
8329           type: string
8330         - jsonPath: .status.conditions[?(@.type=="Ready")].message
8331           name: Status
8332           priority: 1
8333           type: string
8334         - jsonPath: .metadata.creationTimestamp
8335           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
8336           name: Age
8337           type: date
8338       schema:
8339         openAPIV3Schema:
8340           description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
8341           type: object
8342           required:
8343             - spec
8344           properties:
8345             apiVersion:
8346               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
8347               type: string
8348             kind:
8349               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
8350               type: string
8351             metadata:
8352               type: object
8353             spec:
8354               description: Desired state of the ClusterIssuer resource.
8355               type: object
8356               properties:
8357                 acme:
8358                   description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
8359                   type: object
8360                   required:
8361                     - privateKeySecretRef
8362                     - server
8363                   properties:
8364                     disableAccountKeyGeneration:
8365                       description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
8366                       type: boolean
8367                     email:
8368                       description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
8369                       type: string
8370                     enableDurationFeature:
8371                       description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
8372                       type: boolean
8373                     externalAccountBinding:
8374                       description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
8375                       type: object
8376                       required:
8377                         - keyID
8378                         - keySecretRef
8379                       properties:
8380                         keyAlgorithm:
8381                           description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
8382                           type: string
8383                           enum:
8384                             - HS256
8385                             - HS384
8386                             - HS512
8387                         keyID:
8388                           description: keyID is the ID of the CA key that the External Account is bound to.
8389                           type: string
8390                         keySecretRef:
8391                           description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
8392                           type: object
8393                           required:
8394                             - name
8395                           properties:
8396                             key:
8397                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8398                               type: string
8399                             name:
8400                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8401                               type: string
8402                     preferredChain:
8403                       description: 'PreferredChain is the chain to use if the ACME server outputs multiple chains. Setting PreferredChain does not guarantee that this chain is delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN.'
8404                       type: string
8405                       maxLength: 64
8406                     privateKeySecretRef:
8407                       description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
8408                       type: object
8409                       required:
8410                         - name
8411                       properties:
8412                         key:
8413                           description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8414                           type: string
8415                         name:
8416                           description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8417                           type: string
8418                     server:
8419                       description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
8420                       type: string
8421                     skipTLSVerify:
8422                       description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
8423                       type: boolean
8424                     solvers:
8425                       description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
8426                       type: array
8427                       items:
8428                         description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
8429                         type: object
8430                         properties:
8431                           dns01:
8432                             description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
8433                             type: object
8434                             properties:
8435                               acmeDNS:
8436                                 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
8437                                 type: object
8438                                 required:
8439                                   - accountSecretRef
8440                                   - host
8441                                 properties:
8442                                   accountSecretRef:
8443                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8444                                     type: object
8445                                     required:
8446                                       - name
8447                                     properties:
8448                                       key:
8449                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8450                                         type: string
8451                                       name:
8452                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8453                                         type: string
8454                                   host:
8455                                     type: string
8456                               akamai:
8457                                 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
8458                                 type: object
8459                                 required:
8460                                   - accessTokenSecretRef
8461                                   - clientSecretSecretRef
8462                                   - clientTokenSecretRef
8463                                   - serviceConsumerDomain
8464                                 properties:
8465                                   accessTokenSecretRef:
8466                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8467                                     type: object
8468                                     required:
8469                                       - name
8470                                     properties:
8471                                       key:
8472                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8473                                         type: string
8474                                       name:
8475                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8476                                         type: string
8477                                   clientSecretSecretRef:
8478                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8479                                     type: object
8480                                     required:
8481                                       - name
8482                                     properties:
8483                                       key:
8484                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8485                                         type: string
8486                                       name:
8487                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8488                                         type: string
8489                                   clientTokenSecretRef:
8490                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8491                                     type: object
8492                                     required:
8493                                       - name
8494                                     properties:
8495                                       key:
8496                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8497                                         type: string
8498                                       name:
8499                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8500                                         type: string
8501                                   serviceConsumerDomain:
8502                                     type: string
8503                               azureDNS:
8504                                 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
8505                                 type: object
8506                                 required:
8507                                   - resourceGroupName
8508                                   - subscriptionID
8509                                 properties:
8510                                   clientID:
8511                                     description: if both this and ClientSecret are left unset MSI will be used
8512                                     type: string
8513                                   clientSecretSecretRef:
8514                                     description: if both this and ClientID are left unset MSI will be used
8515                                     type: object
8516                                     required:
8517                                       - name
8518                                     properties:
8519                                       key:
8520                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8521                                         type: string
8522                                       name:
8523                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8524                                         type: string
8525                                   environment:
8526                                     type: string
8527                                     enum:
8528                                       - AzurePublicCloud
8529                                       - AzureChinaCloud
8530                                       - AzureGermanCloud
8531                                       - AzureUSGovernmentCloud
8532                                   hostedZoneName:
8533                                     type: string
8534                                   resourceGroupName:
8535                                     type: string
8536                                   subscriptionID:
8537                                     type: string
8538                                   tenantID:
8539                                     description: when specifying ClientID and ClientSecret then this field is also needed
8540                                     type: string
8541                               cloudDNS:
8542                                 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
8543                                 type: object
8544                                 required:
8545                                   - project
8546                                 properties:
8547                                   hostedZoneName:
8548                                     description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
8549                                     type: string
8550                                   project:
8551                                     type: string
8552                                   serviceAccountSecretRef:
8553                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8554                                     type: object
8555                                     required:
8556                                       - name
8557                                     properties:
8558                                       key:
8559                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8560                                         type: string
8561                                       name:
8562                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8563                                         type: string
8564                               cloudflare:
8565                                 description: Use the Cloudflare API to manage DNS01 challenge records.
8566                                 type: object
8567                                 properties:
8568                                   apiKeySecretRef:
8569                                     description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
8570                                     type: object
8571                                     required:
8572                                       - name
8573                                     properties:
8574                                       key:
8575                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8576                                         type: string
8577                                       name:
8578                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8579                                         type: string
8580                                   apiTokenSecretRef:
8581                                     description: API token used to authenticate with Cloudflare.
8582                                     type: object
8583                                     required:
8584                                       - name
8585                                     properties:
8586                                       key:
8587                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8588                                         type: string
8589                                       name:
8590                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8591                                         type: string
8592                                   email:
8593                                     description: Email of the account, only required when using API key based authentication.
8594                                     type: string
8595                               cnameStrategy:
8596                                 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
8597                                 type: string
8598                                 enum:
8599                                   - None
8600                                   - Follow
8601                               digitalocean:
8602                                 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
8603                                 type: object
8604                                 required:
8605                                   - tokenSecretRef
8606                                 properties:
8607                                   tokenSecretRef:
8608                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
8609                                     type: object
8610                                     required:
8611                                       - name
8612                                     properties:
8613                                       key:
8614                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8615                                         type: string
8616                                       name:
8617                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8618                                         type: string
8619                               rfc2136:
8620                                 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
8621                                 type: object
8622                                 required:
8623                                   - nameserver
8624                                 properties:
8625                                   nameserver:
8626                                     description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
8627                                     type: string
8628                                   tsigAlgorithm:
8629                                     description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
8630                                     type: string
8631                                   tsigKeyName:
8632                                     description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
8633                                     type: string
8634                                   tsigSecretSecretRef:
                                         # Reference to the Secret entry holding the TSIG value; within this
                                         # object the schema requires only `name`.
                                         # NOTE(review): the descriptions pair this field with tsigKeyName, but
                                         # the enclosing `required` list names only `nameserver`, so the pairing
                                         # is not expressed in this schema - presumably enforced elsewhere;
                                         # verify.
8635                                     description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
8636                                     type: object
8637                                     required:
8638                                       - name
8639                                     properties:
8640                                       key:
8641                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8642                                         type: string
8643                                       name:
8644                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8645                                         type: string
8646                               route53:
8647                                 description: Use the AWS Route53 API to manage DNS01 challenge records.
8648                                 type: object
8649                                 required:
8650                                   - region
8651                                 properties:
8652                                   accessKeyID:
                                         # NOTE(review): this value is stored inline in the resource, whereas the
                                         # secret access key is taken from a Secret via secretAccessKeySecretRef.
                                         # Per the description, leaving it unset falls back to environment
                                         # variables, the shared credentials file or instance metadata, so the
                                         # identity used is then presumably that of the environment the
                                         # controller runs in - confirm which identity that is and how it is
                                         # scoped.
8653                                     description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
8654                                     type: string
8655                                   hostedZoneID:
8656                                     description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
8657                                     type: string
8658                                   region:
8659                                     description: Always set the region when using AccessKeyID and SecretAccessKey
8660                                     type: string
8661                                   role:
8662                                     description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
8663                                     type: string
8664                                   secretAccessKeySecretRef:
8665                                     description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8666                                     type: object
8667                                     required:
8668                                       - name
8669                                     properties:
8670                                       key:
8671                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
8672                                         type: string
8673                                       name:
8674                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
8675                                         type: string
8676                               webhook:
8677                                 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
8678                                 type: object
8679                                 required:
8680                                   - groupName
8681                                   - solverName
8682                                 properties:
8683                                   config:
                                         # NOTE(review): x-kubernetes-preserve-unknown-fields disables pruning
                                         # for this field, so the schema accepts arbitrary JSON and cannot
                                         # enforce the "no secret values" rule stated in the description.
                                         # Whatever is placed here is readable by anyone allowed to read the
                                         # resource; keep credentials in a referenced Secret.
8684                                     description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
8685                                     x-kubernetes-preserve-unknown-fields: true
8686                                   groupName:
8687                                     description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
8688                                     type: string
8689                                   solverName:
8690                                     description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
8691                                     type: string
8692                           http01:
8693                             description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
8694                             type: object
8695                             properties:
8696                               gatewayHTTPRoute:
8697                                 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
8698                                 type: object
8699                                 properties:
8700                                   labels:
8701                                     description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
8702                                     type: object
8703                                     additionalProperties:
8704                                       type: string
8705                                   serviceType:
                                         # NOTE(review): per the description the default is NodePort. No enum
                                         # is declared, so the two supported values are documented but not
                                         # enforced by this schema. Consider setting ClusterIP where the
                                         # Gateway can reach cluster-internal services, to avoid opening a
                                         # node port for the solver - confirm against the gateway
                                         # implementation in use.
8706                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
8707                                     type: string
8708                               ingress:
8709                                 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
8710                                 type: object
8711                                 properties:
8712                                   class:
8713                                     description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
8714                                     type: string
8715                                   ingressTemplate:
8716                                     description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
8717                                     type: object
8718                                     properties:
8719                                       metadata:
8720                                         description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
8721                                         type: object
8722                                         properties:
8723                                           annotations:
8724                                             description: Annotations that should be added to the created ACME HTTP01 solver ingress.
8725                                             type: object
8726                                             additionalProperties:
8727                                               type: string
8728                                           labels:
8729                                             description: Labels that should be added to the created ACME HTTP01 solver ingress.
8730                                             type: object
8731                                             additionalProperties:
8732                                               type: string
8733                                   name:
8734                                     description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
8735                                     type: string
8736                                   podTemplate:
8737                                     description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
8738                                     type: object
8739                                     properties:
8740                                       metadata:
8741                                         description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
8742                                         type: object
8743                                         properties:
8744                                           annotations:
8745                                             description: Annotations that should be added to the created ACME HTTP01 solver pods.
8746                                             type: object
8747                                             additionalProperties:
8748                                               type: string
8749                                           labels:
8750                                             description: Labels that should be added to the created ACME HTTP01 solver pods.
8751                                             type: object
8752                                             additionalProperties:
8753                                               type: string
8754                                       spec:
8755                                         description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
8756                                         type: object
8757                                         properties:
8758                                           affinity:
8759                                             description: If specified, the pod's scheduling constraints
8760                                             type: object
8761                                             properties:
8762                                               nodeAffinity:
8763                                                 description: Describes node affinity scheduling rules for the pod.
8764                                                 type: object
8765                                                 properties:
8766                                                   preferredDuringSchedulingIgnoredDuringExecution:
8767                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
8768                                                     type: array
8769                                                     items:
8770                                                       description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
8771                                                       type: object
8772                                                       required:
8773                                                         - preference
8774                                                         - weight
8775                                                       properties:
8776                                                         preference:
8777                                                           description: A node selector term, associated with the corresponding weight.
8778                                                           type: object
8779                                                           properties:
8780                                                             matchExpressions:
8781                                                               description: A list of node selector requirements by node's labels.
8782                                                               type: array
8783                                                               items:
8784                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8785                                                                 type: object
8786                                                                 required:
8787                                                                   - key
8788                                                                   - operator
8789                                                                 properties:
8790                                                                   key:
8791                                                                     description: The label key that the selector applies to.
8792                                                                     type: string
8793                                                                   operator:
8794                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8795                                                                     type: string
8796                                                                   values:
8797                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8798                                                                     type: array
8799                                                                     items:
8800                                                                       type: string
8801                                                             matchFields:
8802                                                               description: A list of node selector requirements by node's fields.
8803                                                               type: array
8804                                                               items:
8805                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8806                                                                 type: object
8807                                                                 required:
8808                                                                   - key
8809                                                                   - operator
8810                                                                 properties:
8811                                                                   key:
8812                                                                     description: The label key that the selector applies to.
8813                                                                     type: string
8814                                                                   operator:
8815                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8816                                                                     type: string
8817                                                                   values:
8818                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8819                                                                     type: array
8820                                                                     items:
8821                                                                       type: string
8822                                                         weight:
8823                                                           description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
8824                                                           type: integer
8825                                                           format: int32
8826                                                   requiredDuringSchedulingIgnoredDuringExecution:
8827                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
8828                                                     type: object
8829                                                     required:
8830                                                       - nodeSelectorTerms
8831                                                     properties:
8832                                                       nodeSelectorTerms:
8833                                                         description: Required. A list of node selector terms. The terms are ORed.
8834                                                         type: array
8835                                                         items:
8836                                                           description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
8837                                                           type: object
8838                                                           properties:
8839                                                             matchExpressions:
8840                                                               description: A list of node selector requirements by node's labels.
8841                                                               type: array
8842                                                               items:
8843                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8844                                                                 type: object
8845                                                                 required:
8846                                                                   - key
8847                                                                   - operator
8848                                                                 properties:
8849                                                                   key:
8850                                                                     description: The label key that the selector applies to.
8851                                                                     type: string
8852                                                                   operator:
8853                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8854                                                                     type: string
8855                                                                   values:
8856                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8857                                                                     type: array
8858                                                                     items:
8859                                                                       type: string
8860                                                             matchFields:
8861                                                               description: A list of node selector requirements by node's fields.
8862                                                               type: array
8863                                                               items:
8864                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8865                                                                 type: object
8866                                                                 required:
8867                                                                   - key
8868                                                                   - operator
8869                                                                 properties:
8870                                                                   key:
8871                                                                     description: The label key that the selector applies to.
8872                                                                     type: string
8873                                                                   operator:
8874                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
8875                                                                     type: string
8876                                                                   values:
8877                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
8878                                                                     type: array
8879                                                                     items:
8880                                                                       type: string
8881                                               podAffinity:
8882                                                 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
8883                                                 type: object
8884                                                 properties:
8885                                                   preferredDuringSchedulingIgnoredDuringExecution:
8886                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
8887                                                     type: array
8888                                                     items:
8889                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
8890                                                       type: object
8891                                                       required:
8892                                                         - podAffinityTerm
8893                                                         - weight
8894                                                       properties:
8895                                                         podAffinityTerm:
8896                                                           description: Required. A pod affinity term, associated with the corresponding weight.
8897                                                           type: object
8898                                                           required:
8899                                                             - topologyKey
8900                                                           properties:
8901                                                             labelSelector:
8902                                                               description: A label query over a set of resources, in this case pods.
8903                                                               type: object
8904                                                               properties:
8905                                                                 matchExpressions:
8906                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8907                                                                   type: array
8908                                                                   items:
8909                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8910                                                                     type: object
8911                                                                     required:
8912                                                                       - key
8913                                                                       - operator
8914                                                                     properties:
8915                                                                       key:
8916                                                                         description: key is the label key that the selector applies to.
8917                                                                         type: string
8918                                                                       operator:
8919                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8920                                                                         type: string
8921                                                                       values:
8922                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8923                                                                         type: array
8924                                                                         items:
8925                                                                           type: string
8926                                                                 matchLabels:
8927                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8928                                                                   type: object
8929                                                                   additionalProperties:
8930                                                                     type: string
8931                                                             namespaceSelector:
8932                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
8933                                                               type: object
8934                                                               properties:
8935                                                                 matchExpressions:
8936                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8937                                                                   type: array
8938                                                                   items:
8939                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8940                                                                     type: object
8941                                                                     required:
8942                                                                       - key
8943                                                                       - operator
8944                                                                     properties:
8945                                                                       key:
8946                                                                         description: key is the label key that the selector applies to.
8947                                                                         type: string
8948                                                                       operator:
8949                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
8950                                                                         type: string
8951                                                                       values:
8952                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
8953                                                                         type: array
8954                                                                         items:
8955                                                                           type: string
8956                                                                 matchLabels:
8957                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
8958                                                                   type: object
8959                                                                   additionalProperties:
8960                                                                     type: string
8961                                                             namespaces:
8962                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
8963                                                               type: array
8964                                                               items:
8965                                                                 type: string
8966                                                             topologyKey:
8967                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
8968                                                               type: string
8969                                                         weight:
8970                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
8971                                                           type: integer
8972                                                           format: int32
8973                                                   requiredDuringSchedulingIgnoredDuringExecution:
8974                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
8975                                                     type: array
8976                                                     items:
8977                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
8978                                                       type: object
8979                                                       required:
8980                                                         - topologyKey
8981                                                       properties:
8982                                                         labelSelector:
8983                                                           description: A label query over a set of resources, in this case pods.
8984                                                           type: object
8985                                                           properties:
8986                                                             matchExpressions:
8987                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
8988                                                               type: array
8989                                                               items:
8990                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
8991                                                                 type: object
8992                                                                 required:
8993                                                                   - key
8994                                                                   - operator
8995                                                                 properties:
8996                                                                   key:
8997                                                                     description: key is the label key that the selector applies to.
8998                                                                     type: string
8999                                                                   operator:
9000                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9001                                                                     type: string
9002                                                                   values:
9003                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9004                                                                     type: array
9005                                                                     items:
9006                                                                       type: string
9007                                                             matchLabels:
9008                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9009                                                               type: object
9010                                                               additionalProperties:
9011                                                                 type: string
9012                                                         namespaceSelector:
                                                               # Selects, by namespace labels, the namespaces this affinity term applies to.
                                                               # Per the description below, an empty selector ({}) matches all namespaces,
                                                               # and the selection is unioned with the static `namespaces` list.
                                                               # NOTE(review): this schema does not limit which labels may be matched
                                                               # (matchLabels accepts arbitrary string pairs), so any restriction on
                                                               # cross-namespace terms has to come from admission policy or RBAC on the
                                                               # resource that carries this field - confirm what this cluster enforces.
9013                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9014                                                           type: object
9015                                                           properties:
9016                                                             matchExpressions:
9017                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9018                                                               type: array
9019                                                               items:
9020                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9021                                                                 type: object
9022                                                                 required:
9023                                                                   - key
9024                                                                   - operator
9025                                                                 properties:
9026                                                                   key:
9027                                                                     description: key is the label key that the selector applies to.
9028                                                                     type: string
9029                                                                   operator:
                                                                         # No enum is declared here; the valid operators are named only in
                                                                         # the description, so this schema accepts any string.
9030                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9031                                                                     type: string
9032                                                                   values:
9033                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9034                                                                     type: array
9035                                                                     items:
9036                                                                       type: string
9037                                                                 matchLabels:
9038                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9039                                                                   type: object
9040                                                                   additionalProperties:
9041                                                                     type: string
9042                                                         namespaces:
9043                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9044                                                           type: array
9045                                                           items:
9046                                                             type: string
9047                                                         topologyKey:
                                                               # Node label key that defines the co-location domain for this term.
                                                               # The description says an empty value is not allowed, but only
                                                               # `type: string` is declared (no minLength), so this schema itself
                                                               # does not reject an empty string.
                                                               # NOTE(review): presumably rejected later, when the resulting pod spec
                                                               # is validated - confirm where the failure would surface.
9048                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9049                                                           type: string
9050                                               podAntiAffinity:
9051                                                 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
9052                                                 type: object
9053                                                 properties:
9054                                                   preferredDuringSchedulingIgnoredDuringExecution:
9055                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
9056                                                     type: array
9057                                                     items:
9058                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
9059                                                       type: object
9060                                                       required:
9061                                                         - podAffinityTerm
9062                                                         - weight
9063                                                       properties:
9064                                                         podAffinityTerm:
9065                                                           description: Required. A pod affinity term, associated with the corresponding weight.
9066                                                           type: object
9067                                                           required:
9068                                                             - topologyKey
9069                                                           properties:
9070                                                             labelSelector:
9071                                                               description: A label query over a set of resources, in this case pods.
9072                                                               type: object
9073                                                               properties:
9074                                                                 matchExpressions:
9075                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9076                                                                   type: array
9077                                                                   items:
9078                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9079                                                                     type: object
9080                                                                     required:
9081                                                                       - key
9082                                                                       - operator
9083                                                                     properties:
9084                                                                       key:
9085                                                                         description: key is the label key that the selector applies to.
9086                                                                         type: string
9087                                                                       operator:
9088                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9089                                                                         type: string
9090                                                                       values:
9091                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9092                                                                         type: array
9093                                                                         items:
9094                                                                           type: string
9095                                                                 matchLabels:
9096                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9097                                                                   type: object
9098                                                                   additionalProperties:
9099                                                                     type: string
9100                                                             namespaceSelector:
9101                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9102                                                               type: object
9103                                                               properties:
9104                                                                 matchExpressions:
9105                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9106                                                                   type: array
9107                                                                   items:
9108                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9109                                                                     type: object
9110                                                                     required:
9111                                                                       - key
9112                                                                       - operator
9113                                                                     properties:
9114                                                                       key:
9115                                                                         description: key is the label key that the selector applies to.
9116                                                                         type: string
9117                                                                       operator:
9118                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9119                                                                         type: string
9120                                                                       values:
9121                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9122                                                                         type: array
9123                                                                         items:
9124                                                                           type: string
9125                                                                 matchLabels:
9126                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9127                                                                   type: object
9128                                                                   additionalProperties:
9129                                                                     type: string
9130                                                             namespaces:
9131                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9132                                                               type: array
9133                                                               items:
9134                                                                 type: string
9135                                                             topologyKey:
9136                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9137                                                               type: string
9138                                                         weight:
                                                               # Weight added to a node's score when it matches the podAffinityTerm.
                                                               # The 1-100 range is stated in the description only: no minimum or
                                                               # maximum is declared, so this schema accepts any int32 value.
                                                               # NOTE(review): out-of-range values are presumably caught when the
                                                               # resulting pod spec is validated, not by this schema - confirm.
9139                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
9140                                                           type: integer
9141                                                           format: int32
9142                                                   requiredDuringSchedulingIgnoredDuringExecution:
9143                                                     description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
9144                                                     type: array
9145                                                     items:
9146                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
9147                                                       type: object
9148                                                       required:
9149                                                         - topologyKey
9150                                                       properties:
9151                                                         labelSelector:
9152                                                           description: A label query over a set of resources, in this case pods.
9153                                                           type: object
9154                                                           properties:
9155                                                             matchExpressions:
9156                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9157                                                               type: array
9158                                                               items:
9159                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9160                                                                 type: object
9161                                                                 required:
9162                                                                   - key
9163                                                                   - operator
9164                                                                 properties:
9165                                                                   key:
9166                                                                     description: key is the label key that the selector applies to.
9167                                                                     type: string
9168                                                                   operator:
9169                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9170                                                                     type: string
9171                                                                   values:
9172                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9173                                                                     type: array
9174                                                                     items:
9175                                                                       type: string
9176                                                             matchLabels:
9177                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9178                                                               type: object
9179                                                               additionalProperties:
9180                                                                 type: string
9181                                                         namespaceSelector:
9182                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
9183                                                           type: object
9184                                                           properties:
9185                                                             matchExpressions:
9186                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9187                                                               type: array
9188                                                               items:
9189                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9190                                                                 type: object
9191                                                                 required:
9192                                                                   - key
9193                                                                   - operator
9194                                                                 properties:
9195                                                                   key:
9196                                                                     description: key is the label key that the selector applies to.
9197                                                                     type: string
9198                                                                   operator:
9199                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
9200                                                                     type: string
9201                                                                   values:
9202                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
9203                                                                     type: array
9204                                                                     items:
9205                                                                       type: string
9206                                                             matchLabels:
9207                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
9208                                                               type: object
9209                                                               additionalProperties:
9210                                                                 type: string
9211                                                         namespaces:
9212                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
9213                                                           type: array
9214                                                           items:
9215                                                             type: string
9216                                                         topologyKey:
9217                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
9218                                                           type: string
9219                                           nodeSelector:
9220                                             description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
9221                                             type: object
9222                                             additionalProperties:
9223                                               type: string
9224                                           priorityClassName:
9225                                             description: If specified, the pod's priorityClassName.
9226                                             type: string
9227                                           serviceAccountName:
9228                                             description: If specified, the pod's service account
9229                                             type: string
9230                                           tolerations:
9231                                             description: If specified, the pod's tolerations.
9232                                             type: array
9233                                             items:
9234                                               description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
9235                                               type: object
9236                                               properties:
9237                                                 effect:
9238                                                   description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
9239                                                   type: string
9240                                                 key:
9241                                                   description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
9242                                                   type: string
9243                                                 operator:
9244                                                   description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
9245                                                   type: string
9246                                                 tolerationSeconds:
9247                                                   description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
9248                                                   type: integer
9249                                                   format: int64
9250                                                 value:
9251                                                   description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
9252                                                   type: string
9253                                   serviceType:  # NOTE(review): no enum below, so the NodePort/ClusterIP restriction in the description is not enforced by this schema
9254                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
9255                                     type: string  # unset means NodePort per the description, i.e. the solver Service is reachable on a port of every node; set ClusterIP explicitly where the ingress path allows it
9256                           selector:
9257                             description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
9258                             type: object
9259                             properties:
9260                               dnsNames:
9261                                 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
9262                                 type: array
9263                                 items:
9264                                   type: string
9265                               dnsZones:
9266                                 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
9267                                 type: array
9268                                 items:
9269                                   type: string
9270                               matchLabels:
9271                                 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
9272                                 type: object
9273                                 additionalProperties:
9274                                   type: string
9275                 ca:  # the Secret named by secretName holds the signing CA keypair, so read access to that Secret amounts to CA signing power
9276                   description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
9277                   type: object
9278                   required:
9279                     - secretName
9280                   properties:
9281                     crlDistributionPoints:
9282                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
9283                       type: array  # optional: when unset, issued certificates carry no CRL distribution point (see description)
9284                       items:
9285                         type: string  # plain string; no URL format or pattern check in this schema
9286                     ocspServers:
9287                       description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
9288                       type: array  # optional: when unset, issued certificates carry no OCSP responder URL (see description)
9289                       items:
9290                         type: string  # plain string; no URL format or pattern check in this schema
9291                     secretName:
9292                       description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
9293                       type: string  # the only required field of `ca`
9294                 selfSigned:
9295                   description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
9296                   type: object
9297                   properties:
9298                     crlDistributionPoints:
9299                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
9300                       type: array
9301                       items:
9302                         type: string
9303                 vault:
9304                   description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
9305                   type: object
9306                   required:
9307                     - auth
9308                     - path
9309                     - server
9310                   properties:
9311                     auth:  # NOTE(review): no `required` or `oneOf` under auth here, so this schema does not itself force exactly one of appRole, kubernetes or tokenSecretRef; presumably checked elsewhere, confirm
9312                       description: Auth configures how cert-manager authenticates with the Vault server.
9313                       type: object
9314                       properties:
9315                         appRole:
9316                           description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
9317                           type: object
9318                           required:
9319                             - path
9320                             - roleId
9321                             - secretRef
9322                           properties:
9323                             path:
9324                               description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
9325                               type: string
9326                             roleId:
9327                               description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
9328                               type: string
9329                             secretRef:  # the referenced Secret entry is the App Role secret, i.e. a Vault login credential
9330                               description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
9331                               type: object
9332                               required:  # NOTE(review): the description says `key` must be specified, but only `name` is schema-required
9333                                 - name
9334                               properties:
9335                                 key:
9336                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9337                                   type: string
9338                                 name:
9339                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9340                                   type: string
9341                         kubernetes:
9342                           description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
9343                           type: object
9344                           required:
9345                             - role
9346                             - secretRef
9347                           properties:
9348                             mountPath:
9349                               description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
9350                               type: string  # optional; the default is stated in the description only, no `default:` is declared in this schema
9351                             role:
9352                               description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
9353                               type: string
9354                             secretRef:  # the referenced Secret entry is a ServiceAccount JWT that is sent to Vault as the login credential
9355                               description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
9356                               type: object
9357                               required:  # only `name` is schema-required; `key` may be defaulted or required depending on the instance (see its description)
9358                                 - name
9359                               properties:
9360                                 key:
9361                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9362                                   type: string
9363                                 name:
9364                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9365                                   type: string
9366                         tokenSecretRef:  # the referenced Secret entry is a Vault token presented as-is; scope read access to that Secret accordingly
9367                           description: TokenSecretRef authenticates with Vault by presenting a token.
9368                           type: object
9369                           required:  # only `name` is schema-required
9370                             - name
9371                           properties:
9372                             key:
9373                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9374                               type: string
9375                             name:
9376                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9377                               type: string
9378                     caBundle:  # only consulted for HTTPS server URLs; per the description a plain-HTTP `server` ignores it, which leaves the Vault connection unauthenticated and unencrypted
9379                       description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
9380                       type: string
9381                       format: byte  # OpenAPI `byte` format: a base64-encoded string
9382                     namespace:
9383                       description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
9384                       type: string
9385                     path:
9386                       description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
9387                       type: string
9388                     server:  # NOTE(review): plain string with no scheme check in this schema; use an https:// address so the Vault login credentials are not sent in cleartext
9389                       description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
9390                       type: string
9391                 venafi:  # NOTE(review): the descriptions say only one of `tpp`/`cloud` may be set, but no `oneOf` appears in this schema and only `zone` is required; presumably validated elsewhere, confirm
9392                   description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
9393                   type: object
9394                   required:
9395                     - zone
9396                   properties:
9397                     cloud:
9398                       description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
9399                       type: object
9400                       required:
9401                         - apiTokenSecretRef
9402                       properties:
9403                         apiTokenSecretRef:  # the referenced Secret entry is the Venafi Cloud API token
9404                           description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
9405                           type: object
9406                           required:  # only `name` is schema-required
9407                             - name
9408                           properties:
9409                             key:
9410                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9411                               type: string
9412                             name:
9413                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9414                               type: string
9415                         url:
9416                           description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
9417                           type: string  # optional; the default is stated in the description only, and no scheme or format check is declared here
9418                     tpp:
9419                       description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
9420                       type: object
9421                       required:
9422                         - credentialsRef
9423                         - url
9424                       properties:
9425                         caBundle:  # when set, the system roots are not used and the TPP issuing CA must verify against this bundle (see description)
9426                           description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
9427                           type: string
9428                           format: byte  # OpenAPI `byte` format: a base64-encoded string
9429                         credentialsRef:  # the Secret must hold `username` and `password` keys per the description; this schema only checks that `name` is present
9430                           description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
9431                           type: object
9432                           required:
9433                             - name
9434                           properties:
9435                             name:
9436                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9437                               type: string
9438                         url:
9439                           description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
9440                           type: string  # required, but a plain string: no scheme or format check is declared here
9441                     zone:
9442                       description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
9443                       type: string
9444             status:
9445               description: Status of the ClusterIssuer. This is set and managed automatically.
9446               type: object
9447               properties:
9448                 acme:
9449                   description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
9450                   type: object
9451                   properties:
9452                     lastRegisteredEmail:
9453                       description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
9454                       type: string
9455                     uri:
9456                       description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
9457                       type: string
9458                 conditions:  # NOTE(review): the description below mentions CertificateRequest although this is the ClusterIssuer status; looks like a wording slip in the generated text, confirm against the generator's source
9459                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
9460                   type: array
9461                   items:
9462                     description: IssuerCondition contains condition information for an Issuer.
9463                     type: object
9464                     required:
9465                       - status
9466                       - type
9467                     properties:
9468                       lastTransitionTime:
9469                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
9470                         type: string
9471                         format: date-time
9472                       message:
9473                         description: Message is a human readable description of the details of the last transition, complementing reason.
9474                         type: string
9475                       observedGeneration:
9476                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
9477                         type: integer
9478                         format: int64
9479                       reason:
9480                         description: Reason is a brief machine readable explanation for the condition's last transition.
9481                         type: string
9482                       status:
9483                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
9484                         type: string
9485                         enum:  # "True"/"False" are quoted so YAML keeps them as strings rather than booleans, matching `type: string`
9486                           - "True"
9487                           - "False"
9488                           - Unknown
9489                       type:
9490                         description: Type of the condition, known values are (`Ready`).
9491                         type: string  # no enum: `Ready` is a known value per the description, not a schema restriction
9492       served: true
9493       storage: false
9494     - name: v1
9495       subresources:
9496         status: {}
9497       additionalPrinterColumns:
9498         - jsonPath: .status.conditions[?(@.type=="Ready")].status
9499           name: Ready
9500           type: string
9501         - jsonPath: .status.conditions[?(@.type=="Ready")].message
9502           name: Status
9503           priority: 1
9504           type: string
9505         - jsonPath: .metadata.creationTimestamp
9506           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
9507           name: Age
9508           type: date
9509       schema:
9510         openAPIV3Schema:
9511           description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
9512           type: object
9513           required:
9514             - spec
9515           properties:
9516             apiVersion:
9517               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
9518               type: string
9519             kind:
9520               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
9521               type: string
9522             metadata:
9523               type: object
9524             spec:
9525               description: Desired state of the ClusterIssuer resource.
9526               type: object
9527               properties:
9528                 acme:
9529                   description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
9530                   type: object
9531                   required:
9532                     - privateKeySecretRef
9533                     - server
9534                   properties:
9535                     disableAccountKeyGeneration:
9536                       description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
9537                       type: boolean
9538                     email:
9539                       description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
9540                       type: string
9541                     enableDurationFeature:
9542                       description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
9543                       type: boolean
9544                     externalAccountBinding:  # optional; when present, `keyID` and `keySecretRef` are both schema-required
9545                       description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
9546                       type: object
9547                       required:
9548                         - keyID
9549                         - keySecretRef
9550                       properties:
9551                         keyAlgorithm:  # deprecated per the description: the enum values are still accepted by this schema, but the algorithm is described as hardcoded to HS256
9552                           description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
9553                           type: string
9554                           enum:
9555                             - HS256
9556                             - HS384
9557                             - HS512
9558                         keyID:
9559                           description: keyID is the ID of the CA key that the External Account is bound to.
9560                           type: string
9561                         keySecretRef:  # the referenced Secret entry is the symmetric MAC key of the binding; the encoding rule in the description is not checked by this schema
9562                           description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
9563                           type: object
9564                           required:  # only `name` is schema-required
9565                             - name
9566                           properties:
9567                             key:
9568                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9569                               type: string
9570                             name:
9571                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9572                               type: string
9573                     preferredChain:
9574                       description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
9575                       type: string
9576                       maxLength: 64
9577                     privateKeySecretRef:  # review: the named Secret stores the generated ACME account private key; limit read access to it
9578                       description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
9579                       type: object
9580                       required:
9581                         - name
9582                       properties:
9583                         key:
9584                           description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9585                           type: string
9586                         name:
9587                           description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9588                           type: string
9589                     server:
9590                       description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
9591                       type: string
9592                     skipTLSVerify:  # review: true turns off ACME server certificate validation; audit issuers for this flag outside development
9593                       description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
9594                       type: boolean
9595                     solvers:
9596                       description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
9597                       type: array
9598                       items:
9599                         description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
9600                         type: object
9601                         properties:
9602                           dns01:
9603                             description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
9604                             type: object
9605                             properties:
9606                               acmeDNS:
9607                                 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
9608                                 type: object
9609                                 required:
9610                                   - accountSecretRef
9611                                   - host
9612                                 properties:
9613                                   accountSecretRef:
9614                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9615                                     type: object
9616                                     required:
9617                                       - name
9618                                     properties:
9619                                       key:
9620                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9621                                         type: string
9622                                       name:
9623                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9624                                         type: string
9625                                   host:
9626                                     type: string
9627                               akamai:
9628                                 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
9629                                 type: object
9630                                 required:
9631                                   - accessTokenSecretRef
9632                                   - clientSecretSecretRef
9633                                   - clientTokenSecretRef
9634                                   - serviceConsumerDomain
9635                                 properties:
9636                                   accessTokenSecretRef:
9637                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9638                                     type: object
9639                                     required:
9640                                       - name
9641                                     properties:
9642                                       key:
9643                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9644                                         type: string
9645                                       name:
9646                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9647                                         type: string
9648                                   clientSecretSecretRef:
9649                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9650                                     type: object
9651                                     required:
9652                                       - name
9653                                     properties:
9654                                       key:
9655                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9656                                         type: string
9657                                       name:
9658                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9659                                         type: string
9660                                   clientTokenSecretRef:
9661                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9662                                     type: object
9663                                     required:
9664                                       - name
9665                                     properties:
9666                                       key:
9667                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9668                                         type: string
9669                                       name:
9670                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9671                                         type: string
9672                                   serviceConsumerDomain:
9673                                     type: string
9674                               azureDNS:
9675                                 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
9676                                 type: object
9677                                 required:
9678                                   - resourceGroupName
9679                                   - subscriptionID
9680                                 properties:
9681                                   clientID:
9682                                     description: if both this and ClientSecret are left unset MSI will be used
9683                                     type: string
9684                                   clientSecretSecretRef:
9685                                     description: if both this and ClientID are left unset MSI will be used
9686                                     type: object
9687                                     required:
9688                                       - name
9689                                     properties:
9690                                       key:
9691                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9692                                         type: string
9693                                       name:
9694                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9695                                         type: string
9696                                   environment:
9697                                     type: string
9698                                     enum:
9699                                       - AzurePublicCloud
9700                                       - AzureChinaCloud
9701                                       - AzureGermanCloud
9702                                       - AzureUSGovernmentCloud
9703                                   hostedZoneName:
9704                                     type: string
9705                                   resourceGroupName:
9706                                     type: string
9707                                   subscriptionID:
9708                                     type: string
9709                                   tenantID:
9710                                     description: when specifying ClientID and ClientSecret then this field is also needed
9711                                     type: string
9712                               cloudDNS:
9713                                 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
9714                                 type: object
9715                                 required:
9716                                   - project
9717                                 properties:
9718                                   hostedZoneName:
9719                                     description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
9720                                     type: string
9721                                   project:
9722                                     type: string
9723                                   serviceAccountSecretRef:
9724                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9725                                     type: object
9726                                     required:
9727                                       - name
9728                                     properties:
9729                                       key:
9730                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9731                                         type: string
9732                                       name:
9733                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9734                                         type: string
9735                               cloudflare:
9736                                 description: Use the Cloudflare API to manage DNS01 challenge records.
9737                                 type: object
9738                                 properties:
9739                                   apiKeySecretRef:  # review: legacy credential; the description recommends apiTokenSecretRef, which allows narrower permissions
9740                                     description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
9741                                     type: object
9742                                     required:
9743                                       - name
9744                                     properties:
9745                                       key:
9746                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9747                                         type: string
9748                                       name:
9749                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9750                                         type: string
9751                                   apiTokenSecretRef:
9752                                     description: API token used to authenticate with Cloudflare.
9753                                     type: object
9754                                     required:
9755                                       - name
9756                                     properties:
9757                                       key:
9758                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9759                                         type: string
9760                                       name:
9761                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9762                                         type: string
9763                                   email:
9764                                     description: Email of the account, only required when using API key based authentication.
9765                                     type: string
9766                               cnameStrategy:
9767                                 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
9768                                 type: string
9769                                 enum:
9770                                   - None
9771                                   - Follow
9772                               digitalocean:
9773                                 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
9774                                 type: object
9775                                 required:
9776                                   - tokenSecretRef
9777                                 properties:
9778                                   tokenSecretRef:
9779                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
9780                                     type: object
9781                                     required:
9782                                       - name
9783                                     properties:
9784                                       key:
9785                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9786                                         type: string
9787                                       name:
9788                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9789                                         type: string
9790                               rfc2136:
9791                                 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
9792                                 type: object
9793                                 required:
9794                                   - nameserver
9795                                 properties:
9796                                   nameserver:
9797                                     description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
9798                                     type: string
9799                                   tsigAlgorithm:  # review: the documented default is HMACMD5, a legacy choice for TSIG; set HMACSHA256 or HMACSHA512 explicitly where the nameserver supports it
9800                                     description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
9801                                     type: string
9802                                   tsigKeyName:
9803                                     description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
9804                                     type: string
9805                                   tsigSecretSecretRef:
9806                                     description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
9807                                     type: object
9808                                     required:
9809                                       - name
9810                                     properties:
9811                                       key:
9812                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9813                                         type: string
9814                                       name:
9815                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9816                                         type: string
9817                               route53:
9818                                 description: Use the AWS Route53 API to manage DNS01 challenge records.
9819                                 type: object
9820                                 required:
9821                                   - region
9822                                 properties:
9823                                   accessKeyID:
9824                                     description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
9825                                     type: string
9826                                   hostedZoneID:
9827                                     description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
9828                                     type: string
9829                                   region:
9830                                     description: Always set the region when using AccessKeyID and SecretAccessKey
9831                                     type: string
9832                                   role:
9833                                     description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
9834                                     type: string
9835                                   secretAccessKeySecretRef:
9836                                     description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
9837                                     type: object
9838                                     required:
9839                                       - name
9840                                     properties:
9841                                       key:
9842                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
9843                                         type: string
9844                                       name:
9845                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
9846                                         type: string
9847                               webhook:
9848                                 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
9849                                 type: object
9850                                 required:
9851                                   - groupName
9852                                   - solverName
9853                                 properties:
9854                                   config:  # review: free-form JSON with no type declared in this schema; credentials belong in a referenced Secret, not here
9855                                     description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
9856                                     x-kubernetes-preserve-unknown-fields: true
9857                                   groupName:
9858                                     description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
9859                                     type: string
9860                                   solverName:
9861                                     description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
9862                                     type: string
9863                           http01:
9864                             description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
9865                             type: object
9866                             properties:
9867                               gatewayHTTPRoute:
9868                                 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
9869                                 type: object
9870                                 properties:
9871                                   labels:
9872                                     description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
9873                                     type: object
9874                                     additionalProperties:
9875                                       type: string
9876                                   serviceType:
9877                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
9878                                     type: string
9879                               ingress:
9880                                 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
9881                                 type: object
9882                                 properties:
9883                                   class:
9884                                     description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
9885                                     type: string
9886                                   ingressTemplate:
9887                                     description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
9888                                     type: object
9889                                     properties:
9890                                       metadata:
9891                                         description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
9892                                         type: object
9893                                         properties:
9894                                           annotations:
9895                                             description: Annotations that should be added to the created ACME HTTP01 solver ingress.
9896                                             type: object
9897                                             additionalProperties:
9898                                               type: string
9899                                           labels:
9900                                             description: Labels that should be added to the created ACME HTTP01 solver ingress.
9901                                             type: object
9902                                             additionalProperties:
9903                                               type: string
9904                                   name:
9905                                     description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
9906                                     type: string
9907                                   podTemplate:
9908                                     description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
9909                                     type: object
9910                                     properties:
9911                                       metadata:
9912                                         description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
9913                                         type: object
9914                                         properties:
9915                                           annotations:
9916                                             description: Annotations that should be added to the create ACME HTTP01 solver pods.
9917                                             type: object
9918                                             additionalProperties:
9919                                               type: string
9920                                           labels:
9921                                             description: Labels that should be added to the created ACME HTTP01 solver pods.
9922                                             type: object
9923                                             additionalProperties:
9924                                               type: string
9925                                       spec:
9926                                         description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
9927                                         type: object
9928                                         properties:
9929                                           affinity:
9930                                             description: If specified, the pod's scheduling constraints
9931                                             type: object
9932                                             properties:
9933                                               nodeAffinity:
                                                    # Node-affinity overrides accepted for the HTTP01 challenge solver pod.
                                                    # Both members below are optional: this object declares no `required` list.
9934                                                 description: Describes node affinity scheduling rules for the pod.
9935                                                 type: object
9936                                                 properties:
9937                                                   preferredDuringSchedulingIgnoredDuringExecution:
9938                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
9939                                                     type: array
9940                                                     items:
9941                                                       description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
9942                                                       type: object
9943                                                       required:
9944                                                         - preference
9945                                                         - weight
9946                                                       properties:
9947                                                         preference:
9948                                                           description: A node selector term, associated with the corresponding weight.
9949                                                           type: object
9950                                                           properties:
9951                                                             matchExpressions:
9952                                                               description: A list of node selector requirements by node's labels.
9953                                                               type: array
9954                                                               items:
9955                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9956                                                                 type: object
9957                                                                 required:
9958                                                                   - key
9959                                                                   - operator
9960                                                                 properties:
9961                                                                   key:
9962                                                                     description: The label key that the selector applies to.
9963                                                                     type: string
                                                                        # NOTE(review): `operator` is a plain string with no `enum`, here and in every
                                                                        # other selector requirement in this block, so the operator names listed in
                                                                        # the description are not enforced by this schema. Presumably they are
                                                                        # checked when the solver pod itself is created - confirm.
9964                                                                   operator:
9965                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
9966                                                                     type: string
                                                                        # The per-operator rules in the description (non-empty, empty, single integer)
                                                                        # are likewise not expressed here: the schema only requires an array of strings.
9967                                                                   values:
9968                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
9969                                                                     type: array
9970                                                                     items:
9971                                                                       type: string
9972                                                             matchFields:
9973                                                               description: A list of node selector requirements by node's fields.
9974                                                               type: array
9975                                                               items:
9976                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
9977                                                                 type: object
9978                                                                 required:
9979                                                                   - key
9980                                                                   - operator
9981                                                                 properties:
9982                                                                   key:
9983                                                                     description: The label key that the selector applies to.
9984                                                                     type: string
9985                                                                   operator:
9986                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
9987                                                                     type: string
9988                                                                   values:
9989                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
9990                                                                     type: array
9991                                                                     items:
9992                                                                       type: string
                                                              # NOTE(review): the description gives a 1-100 range, but no `minimum`/`maximum`
                                                              # is declared, so this schema accepts any int32 value.
9993                                                         weight:
9994                                                           description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
9995                                                           type: integer
9996                                                           format: int32
9997                                                   requiredDuringSchedulingIgnoredDuringExecution:
9998                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
9999                                                     type: object
10000                                                     required:
10001                                                       - nodeSelectorTerms
10002                                                     properties:
                                                            # The only mandatory member once the hard-requirement object is present.
                                                            # The individual terms carry no `required` list of their own.
10003                                                       nodeSelectorTerms:
10004                                                         description: Required. A list of node selector terms. The terms are ORed.
10005                                                         type: array
10006                                                         items:
10007                                                           description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
10008                                                           type: object
10009                                                           properties:
10010                                                             matchExpressions:
10011                                                               description: A list of node selector requirements by node's labels.
10012                                                               type: array
10013                                                               items:
10014                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10015                                                                 type: object
10016                                                                 required:
10017                                                                   - key
10018                                                                   - operator
10019                                                                 properties:
10020                                                                   key:
10021                                                                     description: The label key that the selector applies to.
10022                                                                     type: string
10023                                                                   operator:
10024                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
10025                                                                     type: string
10026                                                                   values:
10027                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10028                                                                     type: array
10029                                                                     items:
10030                                                                       type: string
10031                                                             matchFields:
10032                                                               description: A list of node selector requirements by node's fields.
10033                                                               type: array
10034                                                               items:
10035                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10036                                                                 type: object
10037                                                                 required:
10038                                                                   - key
10039                                                                   - operator
10040                                                                 properties:
10041                                                                   key:
10042                                                                     description: The label key that the selector applies to.
10043                                                                     type: string
10044                                                                   operator:
10045                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
10046                                                                     type: string
10047                                                                   values:
10048                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
10049                                                                     type: array
10050                                                                     items:
10051                                                                       type: string
10052                                               podAffinity:
                                                     # Pod-affinity overrides accepted for the HTTP01 challenge solver pod.
                                                     # Both members below are optional: this object declares no `required` list.
10053                                                 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
10054                                                 type: object
10055                                                 properties:
10056                                                   preferredDuringSchedulingIgnoredDuringExecution:
10057                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
10058                                                     type: array
10059                                                     items:
10060                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10061                                                       type: object
10062                                                       required:
10063                                                         - podAffinityTerm
10064                                                         - weight
10065                                                       properties:
10066                                                         podAffinityTerm:
10067                                                           description: Required. A pod affinity term, associated with the corresponding weight.
10068                                                           type: object
10069                                                           required:
10070                                                             - topologyKey
10071                                                           properties:
10072                                                             labelSelector:
10073                                                               description: A label query over a set of resources, in this case pods.
10074                                                               type: object
10075                                                               properties:
10076                                                                 matchExpressions:
10077                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10078                                                                   type: array
10079                                                                   items:
10080                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10081                                                                     type: object
10082                                                                     required:
10083                                                                       - key
10084                                                                       - operator
10085                                                                     properties:
10086                                                                       key:
10087                                                                         description: key is the label key that the selector applies to.
10088                                                                         type: string
                                                                             # NOTE(review): plain string with no `enum`, here and in every other label
                                                                             # selector requirement in this block; the operator names in the description
                                                                             # are not enforced by this schema.
10089                                                                       operator:
10090                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10091                                                                         type: string
10092                                                                       values:
10093                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10094                                                                         type: array
10095                                                                         items:
10096                                                                           type: string
10097                                                                 matchLabels:
10098                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10099                                                                   type: object
10100                                                                   additionalProperties:
10101                                                                     type: string
                                                                   # Per the description, an empty selector ({}) matches all namespaces and the
                                                                   # field is honored only when the PodAffinityNamespaceSelector feature is
                                                                   # enabled; the schema itself places no restriction on the selector.
                                                                   # NOTE(review): this lets a solver-pod override express affinity against
                                                                   # pods outside the solver's own namespace - check that write access to the
                                                                   # resources carrying this podTemplate is scoped with that in mind.
10102                                                             namespaceSelector:
10103                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10104                                                               type: object
10105                                                               properties:
10106                                                                 matchExpressions:
10107                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10108                                                                   type: array
10109                                                                   items:
10110                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10111                                                                     type: object
10112                                                                     required:
10113                                                                       - key
10114                                                                       - operator
10115                                                                     properties:
10116                                                                       key:
10117                                                                         description: key is the label key that the selector applies to.
10118                                                                         type: string
10119                                                                       operator:
10120                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10121                                                                         type: string
10122                                                                       values:
10123                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10124                                                                         type: array
10125                                                                         items:
10126                                                                           type: string
10127                                                                 matchLabels:
10128                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10129                                                                   type: object
10130                                                                   additionalProperties:
10131                                                                     type: string
10132                                                             namespaces:
10133                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10134                                                               type: array
10135                                                               items:
10136                                                                 type: string
                                                                   # Listed under `required` for this term, but no `minLength` is declared, so
                                                                   # the "empty topologyKey is not allowed" rule is not enforced by this schema.
10137                                                             topologyKey:
10138                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10139                                                               type: string
                                                               # NOTE(review): the description gives a 1-100 range, but no `minimum`/`maximum`
                                                               # is declared, so this schema accepts any int32 value.
10140                                                         weight:
10141                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
10142                                                           type: integer
10143                                                           format: int32
10144                                                   requiredDuringSchedulingIgnoredDuringExecution:
10145                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
10146                                                     type: array
10147                                                     items:
                                                            # Same term shape as `podAffinityTerm` in the preferred list above, without
                                                            # the weight wrapper; `topologyKey` is again the only required member.
10148                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
10149                                                       type: object
10150                                                       required:
10151                                                         - topologyKey
10152                                                       properties:
10153                                                         labelSelector:
10154                                                           description: A label query over a set of resources, in this case pods.
10155                                                           type: object
10156                                                           properties:
10157                                                             matchExpressions:
10158                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10159                                                               type: array
10160                                                               items:
10161                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10162                                                                 type: object
10163                                                                 required:
10164                                                                   - key
10165                                                                   - operator
10166                                                                 properties:
10167                                                                   key:
10168                                                                     description: key is the label key that the selector applies to.
10169                                                                     type: string
10170                                                                   operator:
10171                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10172                                                                     type: string
10173                                                                   values:
10174                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10175                                                                     type: array
10176                                                                     items:
10177                                                                       type: string
10178                                                             matchLabels:
10179                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10180                                                               type: object
10181                                                               additionalProperties:
10182                                                                 type: string
                                                               # As in the preferred term: an empty selector ({}) matches all namespaces per
                                                               # the description, and the schema adds no restriction of its own.
10183                                                         namespaceSelector:
10184                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10185                                                           type: object
10186                                                           properties:
10187                                                             matchExpressions:
10188                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10189                                                               type: array
10190                                                               items:
10191                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10192                                                                 type: object
10193                                                                 required:
10194                                                                   - key
10195                                                                   - operator
10196                                                                 properties:
10197                                                                   key:
10198                                                                     description: key is the label key that the selector applies to.
10199                                                                     type: string
10200                                                                   operator:
10201                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10202                                                                     type: string
10203                                                                   values:
10204                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10205                                                                     type: array
10206                                                                     items:
10207                                                                       type: string
10208                                                             matchLabels:
10209                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10210                                                               type: object
10211                                                               additionalProperties:
10212                                                                 type: string
10213                                                         namespaces:
10214                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10215                                                           type: array
10216                                                           items:
10217                                                             type: string
10218                                                         topologyKey:
10219                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10220                                                           type: string
10221                                               podAntiAffinity:
10222                                                 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
10223                                                 type: object
10224                                                 properties:
10225                                                   preferredDuringSchedulingIgnoredDuringExecution:
10226                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
10227                                                     type: array
10228                                                     items:
10229                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10230                                                       type: object
10231                                                       required:
10232                                                         - podAffinityTerm
10233                                                         - weight
10234                                                       properties:
10235                                                         podAffinityTerm:
10236                                                           description: Required. A pod affinity term, associated with the corresponding weight.
10237                                                           type: object
10238                                                           required:
10239                                                             - topologyKey
10240                                                           properties:
10241                                                             labelSelector:
10242                                                               description: A label query over a set of resources, in this case pods.
10243                                                               type: object
10244                                                               properties:
10245                                                                 matchExpressions:
10246                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10247                                                                   type: array
10248                                                                   items:
10249                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10250                                                                     type: object
10251                                                                     required:
10252                                                                       - key
10253                                                                       - operator
10254                                                                     properties:
10255                                                                       key:
10256                                                                         description: key is the label key that the selector applies to.
10257                                                                         type: string
10258                                                                       operator:
10259                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10260                                                                         type: string
10261                                                                       values:
10262                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10263                                                                         type: array
10264                                                                         items:
10265                                                                           type: string
10266                                                                 matchLabels:
10267                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10268                                                                   type: object
10269                                                                   additionalProperties:
10270                                                                     type: string
10271                                                             namespaceSelector:
10272                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10273                                                               type: object
10274                                                               properties:
10275                                                                 matchExpressions:
10276                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10277                                                                   type: array
10278                                                                   items:
10279                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10280                                                                     type: object
10281                                                                     required:
10282                                                                       - key
10283                                                                       - operator
10284                                                                     properties:
10285                                                                       key:
10286                                                                         description: key is the label key that the selector applies to.
10287                                                                         type: string
10288                                                                       operator:
10289                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10290                                                                         type: string
10291                                                                       values:
10292                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10293                                                                         type: array
10294                                                                         items:
10295                                                                           type: string
10296                                                                 matchLabels:
10297                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10298                                                                   type: object
10299                                                                   additionalProperties:
10300                                                                     type: string
10301                                                             namespaces:
10302                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10303                                                               type: array
10304                                                               items:
10305                                                                 type: string
10306                                                             topologyKey:
10307                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10308                                                               type: string
10309                                                         weight:
10310                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
10311                                                           type: integer
10312                                                           format: int32
10313                                                   requiredDuringSchedulingIgnoredDuringExecution:
10314                                                     description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
10315                                                     type: array
10316                                                     items:
10317                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
10318                                                       type: object
10319                                                       required:
10320                                                         - topologyKey
10321                                                       properties:
10322                                                         labelSelector:
10323                                                           description: A label query over a set of resources, in this case pods.
10324                                                           type: object
10325                                                           properties:
10326                                                             matchExpressions:
10327                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10328                                                               type: array
10329                                                               items:
10330                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10331                                                                 type: object
10332                                                                 required:
10333                                                                   - key
10334                                                                   - operator
10335                                                                 properties:
10336                                                                   key:
10337                                                                     description: key is the label key that the selector applies to.
10338                                                                     type: string
10339                                                                   operator:
10340                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10341                                                                     type: string
10342                                                                   values:
10343                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10344                                                                     type: array
10345                                                                     items:
10346                                                                       type: string
10347                                                             matchLabels:
10348                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10349                                                               type: object
10350                                                               additionalProperties:
10351                                                                 type: string
10352                                                         namespaceSelector:
10353                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
10354                                                           type: object
10355                                                           properties:
10356                                                             matchExpressions:
10357                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10358                                                               type: array
10359                                                               items:
10360                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
10361                                                                 type: object
10362                                                                 required:
10363                                                                   - key
10364                                                                   - operator
10365                                                                 properties:
10366                                                                   key:
10367                                                                     description: key is the label key that the selector applies to.
10368                                                                     type: string
10369                                                                   operator:
10370                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
10371                                                                     type: string
10372                                                                   values:
10373                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
10374                                                                     type: array
10375                                                                     items:
10376                                                                       type: string
10377                                                             matchLabels:
10378                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
10379                                                               type: object
10380                                                               additionalProperties:
10381                                                                 type: string
10382                                                         namespaces:
10383                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
10384                                                           type: array
10385                                                           items:
10386                                                             type: string
10387                                                         topologyKey:
10388                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
10389                                                           type: string
10390                                           nodeSelector:
10391                                             description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
10392                                             type: object
10393                                             additionalProperties:
10394                                               type: string
10395                                           priorityClassName:
10396                                             description: If specified, the pod's priorityClassName.
10397                                             type: string
10398                                           serviceAccountName:
                                                  # NOTE(review): free-form string; this schema applies no further validation.
                                                  # Per the description this is the pod's service account, so any RBAC bound
                                                  # to the named account is available to that pod. Presumably this is the
                                                  # solver pod template (enclosing schema starts outside this excerpt) --
                                                  # confirm, and prefer a dedicated account with no additional role bindings.
10399                                             description: If specified, the pod's service account
10400                                             type: string
10401                                           tolerations:
10402                                             description: If specified, the pod's tolerations.
10403                                             type: array
10404                                             items:
10405                                               description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
10406                                               type: object
10407                                               properties:
10408                                                 effect:
10409                                                   description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
10410                                                   type: string
10411                                                 key:
10412                                                   description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
10413                                                   type: string
10414                                                 operator:
10415                                                   description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
10416                                                   type: string
10417                                                 tolerationSeconds:
10418                                                   description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
10419                                                   type: integer
10420                                                   format: int64
10421                                                 value:
10422                                                   description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
10423                                                   type: string
10424                                   serviceType:
                                          # NOTE(review): the schema below is a bare string with no enum, so the
                                          # "NodePort or ClusterIP" restriction in the description is not enforced
                                          # by this OpenAPI schema; any check happens elsewhere (e.g. an admission
                                          # webhook) -- confirm.
                                          # Leaving the field unset selects NodePort per the description. A NodePort
                                          # Service is reachable on a port of every node, so set ClusterIP explicitly
                                          # where the solver only needs to be reached from inside the cluster.
10425                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
10426                                     type: string
10427                           selector:
10428                             description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
10429                             type: object
10430                             properties:
10431                               dnsNames:
10432                                 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
10433                                 type: array
10434                                 items:
10435                                   type: string
10436                               dnsZones:
10437                                 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
10438                                 type: array
10439                                 items:
10440                                   type: string
10441                               matchLabels:
10442                                 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
10443                                 type: object
10444                                 additionalProperties:
10445                                   type: string
10446                 ca:
                        # CA issuer settings: certificates are signed with a CA keypair read from
                        # the Secret named by secretName (the only required field).
10447                   description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
10448                   type: object
10449                   required:
10450                     - secretName
10451                   properties:
                          # Both revocation lists below are arrays of unconstrained strings: the
                          # schema applies no URL format or pattern, so a malformed entry is not
                          # rejected here. Per the descriptions, leaving them unset issues
                          # certificates with no CRL/OCSP pointers, i.e. relying parties have no
                          # revocation endpoint to query.
10452                     crlDistributionPoints:
10453                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
10454                       type: array
10455                       items:
10456                         type: string
10457                     ocspServers:
10458                       description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
10459                       type: array
10460                       items:
10461                         type: string
                          # NOTE(review): the referenced Secret holds the CA signing keypair, so
                          # read access to it is equivalent to the ability to mint certificates for
                          # this PKI. Restrict get/list/watch on that Secret via RBAC. Which
                          # namespace the name is resolved in is not stated here -- confirm.
10462                     secretName:
10463                       description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
10464                       type: string
10465                 selfSigned:
                        # Self-signed issuer: per the description, the certificate is signed with
                        # the same private key that created the CertificateRequest, so no CA
                        # vouches for it. Relying parties can only validate such a certificate if
                        # it is distributed to them as an explicit trust anchor.
                        # No fields are required; an empty object is accepted by this schema.
10466                   description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
10467                   type: object
10468                   properties:
                          # Array of unconstrained strings; no URL format is enforced by the schema.
10469                     crlDistributionPoints:
10470                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
10471                       type: array
10472                       items:
10473                         type: string
10474                 vault:
10475                   description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
10476                   type: object
10477                   required:
10478                     - auth
10479                     - path
10480                     - server
10481                   properties:
10482                     auth:
10483                       description: Auth configures how cert-manager authenticates with the Vault server.
10484                       type: object
10485                       properties:
10486                         appRole:
10487                           description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
10488                           type: object
10489                           required:
10490                             - path
10491                             - roleId
10492                             - secretRef
10493                           properties:
10494                             path:
10495                               description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
10496                               type: string
10497                             roleId:
10498                               description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
10499                               type: string
10500                             secretRef:
10501                               description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
10502                               type: object
10503                               required:
10504                                 - name
10505                               properties:
10506                                 key:
10507                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10508                                   type: string
10509                                 name:
10510                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10511                                   type: string
10512                         kubernetes:
10513                           description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
10514                           type: object
10515                           required:
10516                             - role
10517                             - secretRef
10518                           properties:
10519                             mountPath:
10520                               description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
10521                               type: string
10522                             role:
10523                               description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
10524                               type: string
10525                             secretRef:
10526                               description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
10527                               type: object
10528                               required:
10529                                 - name
10530                               properties:
10531                                 key:
10532                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10533                                   type: string
10534                                 name:
10535                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10536                                   type: string
10537                         tokenSecretRef:
10538                           description: TokenSecretRef authenticates with Vault by presenting a token.
10539                           type: object
10540                           required:
10541                             - name
10542                           properties:
10543                             key:
10544                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10545                               type: string
10546                             name:
10547                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10548                               type: string
10549                     caBundle:
10550                       description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
10551                       type: string
10552                       format: byte
10553                     namespace:
10554                       description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
10555                       type: string
10556                     path:
10557                       description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
10558                       type: string
10559                     server:
10560                       description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
10561                       type: string
10562                 venafi:
10563                   description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
10564                   type: object
10565                   required:
10566                     - zone
10567                   properties:
10568                     cloud:
10569                       description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
10570                       type: object
10571                       required:
10572                         - apiTokenSecretRef
10573                       properties:
10574                         apiTokenSecretRef:
10575                           description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
10576                           type: object
10577                           required:
10578                             - name
10579                           properties:
10580                             key:
10581                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10582                               type: string
10583                             name:
10584                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10585                               type: string
10586                         url:
10587                           description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
10588                           type: string
10589                     tpp:
10590                       description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
10591                       type: object
10592                       required:
10593                         - credentialsRef
10594                         - url
10595                       properties:
10596                         caBundle:
10597                           description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
10598                           type: string
10599                           format: byte
10600                         credentialsRef:
10601                           description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
10602                           type: object
10603                           required:
10604                             - name
10605                           properties:
10606                             name:
10607                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10608                               type: string
10609                         url:
10610                           description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
10611                           type: string
10612                     zone:
10613                       description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
10614                       type: string
10615             status:
10616               description: Status of the ClusterIssuer. This is set and managed automatically.
10617               type: object
10618               properties:
10619                 acme:
10620                   description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
10621                   type: object
10622                   properties:
10623                     lastRegisteredEmail:
10624                       description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer
10625                       type: string
10626                     uri:
10627                       description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
10628                       type: string
10629                 conditions:
10630                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
10631                   type: array
10632                   items:
10633                     description: IssuerCondition contains condition information for an Issuer.
10634                     type: object
10635                     required:
10636                       - status
10637                       - type
10638                     properties:
10639                       lastTransitionTime:
10640                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
10641                         type: string
10642                         format: date-time
10643                       message:
10644                         description: Message is a human readable description of the details of the last transition, complementing reason.
10645                         type: string
10646                       observedGeneration:
10647                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
10648                         type: integer
10649                         format: int64
10650                       reason:
10651                         description: Reason is a brief machine readable explanation for the condition's last transition.
10652                         type: string
10653                       status:
10654                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
10655                         type: string
10656                         enum:
10657                           - "True"
10658                           - "False"
10659                           - Unknown
10660                       type:
10661                         description: Type of the condition, known values are (`Ready`).
10662                         type: string
10663       served: true
10664       storage: true
10665 ---
10666 # Source: cert-manager/templates/templates.out
10667 apiVersion: apiextensions.k8s.io/v1
10668 kind: CustomResourceDefinition
10669 metadata:
10670   name: issuers.cert-manager.io
10671   annotations:
10672     cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
10673   labels:
10674     app: 'cert-manager'
10675     app.kubernetes.io/name: 'cert-manager'
10676     app.kubernetes.io/instance: 'cert-manager'
10677     # Generated labels
10678     app.kubernetes.io/version: "v1.5.3"
10679 spec:
10680   group: cert-manager.io
10681   names:
10682     kind: Issuer
10683     listKind: IssuerList
10684     plural: issuers
10685     singular: issuer
10686     categories:
10687       - cert-manager
10688   scope: Namespaced
10689   conversion:
10690     # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
10691     strategy: Webhook
10692     # webhookClientConfig is required when strategy is `Webhook`; it configures the webhook endpoint to be called by the API server.
10693     webhook:
10694       # We don't actually support `v1beta1`, but it is listed here as it is a
10695       # required value for [Kubernetes v1.16](kubernetes/kubernetes#82023). The
10696       # API server reads the supported versions in order, so it _should always_
10697       # attempt a `v1` request which is understood by the cert-manager webhook.
10698       # Any `v1beta1` request will return an error and fail closed for that
10699       # resource (the whole object request is rejected).
10700       # When we no longer support v1.16 we can remove `v1beta1` from this list.
10701       conversionReviewVersions: ["v1", "v1beta1"]
10702       clientConfig:
10703         #
10704         service:
10705           name: 'cert-manager-webhook'
10706           namespace: "cert-manager"
10707           path: /convert
10708           #
10709   versions:
10710     - name: v1alpha2
10711       subresources:
10712         status: {}
10713       additionalPrinterColumns:
10714         - jsonPath: .status.conditions[?(@.type=="Ready")].status
10715           name: Ready
10716           type: string
10717         - jsonPath: .status.conditions[?(@.type=="Ready")].message
10718           name: Status
10719           priority: 1
10720           type: string
10721         - jsonPath: .metadata.creationTimestamp
10722           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
10723           name: Age
10724           type: date
10725       schema:
10726         openAPIV3Schema:
10727           description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
10728           type: object
10729           properties:
10730             apiVersion:
10731               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
10732               type: string
10733             kind:
10734               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
10735               type: string
10736             metadata:
10737               type: object
10738             spec:
10739               description: Desired state of the Issuer resource.
10740               type: object
10741               properties:
10742                 acme:
10743                   description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
10744                   type: object
10745                   required:
10746                     - privateKeySecretRef
10747                     - server
10748                   properties:
10749                     disableAccountKeyGeneration:
10750                       description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
10751                       type: boolean
10752                     email:
10753                       description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
10754                       type: string
10755                     enableDurationFeature:
10756                       description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
10757                       type: boolean
10758                     externalAccountBinding:
10759                       description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
10760                       type: object
10761                       required:
10762                         - keyID
10763                         - keySecretRef
10764                       properties:
10765                         keyAlgorithm:
10766                           description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
10767                           type: string
10768                           enum:
10769                             - HS256
10770                             - HS384
10771                             - HS512
10772                         keyID:
10773                           description: keyID is the ID of the CA key that the External Account is bound to.
10774                           type: string
10775                         keySecretRef:
10776                           description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
10777                           type: object
10778                           required:
10779                             - name
10780                           properties:
10781                             key:
10782                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10783                               type: string
10784                             name:
10785                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10786                               type: string
10787                     preferredChain:
10788                       description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
10789                       type: string
10790                       maxLength: 64
10791                     privateKeySecretRef:
10792                       description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
10793                       type: object
10794                       required:
10795                         - name
10796                       properties:
10797                         key:
10798                           description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10799                           type: string
10800                         name:
10801                           description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10802                           type: string
10803                     server:
10804                       description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
10805                       type: string
10806                     skipTLSVerify:
10807                       description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
10808                       type: boolean
10809                     solvers:
10810                       description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
10811                       type: array
10812                       items:
10813                         description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
10814                         type: object
10815                         properties:
10816                           dns01:
10817                             description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
10818                             type: object
10819                             properties:
10820                               acmedns:
10821                                 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
10822                                 type: object
10823                                 required:
10824                                   - accountSecretRef
10825                                   - host
10826                                 properties:
10827                                   accountSecretRef:
10828                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10829                                     type: object
10830                                     required:
10831                                       - name
10832                                     properties:
10833                                       key:
10834                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10835                                         type: string
10836                                       name:
10837                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10838                                         type: string
10839                                   host:
10840                                     type: string
10841                               akamai:
10842                                 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
10843                                 type: object
10844                                 required:
10845                                   - accessTokenSecretRef
10846                                   - clientSecretSecretRef
10847                                   - clientTokenSecretRef
10848                                   - serviceConsumerDomain
10849                                 properties:
10850                                   accessTokenSecretRef:
10851                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10852                                     type: object
10853                                     required:
10854                                       - name
10855                                     properties:
10856                                       key:
10857                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10858                                         type: string
10859                                       name:
10860                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10861                                         type: string
10862                                   clientSecretSecretRef:
10863                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10864                                     type: object
10865                                     required:
10866                                       - name
10867                                     properties:
10868                                       key:
10869                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10870                                         type: string
10871                                       name:
10872                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10873                                         type: string
10874                                   clientTokenSecretRef:
10875                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10876                                     type: object
10877                                     required:
10878                                       - name
10879                                     properties:
10880                                       key:
10881                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10882                                         type: string
10883                                       name:
10884                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10885                                         type: string
10886                                   serviceConsumerDomain:
10887                                     type: string
10888                               azuredns:
                                      # Azure DNS solver for DNS01 challenge records. The schema requires only
                                      # resourceGroupName and subscriptionID. Per the field descriptions below,
                                      # leaving both clientID and clientSecretSecretRef unset selects MSI, so no
                                      # long-lived client secret has to be stored; when they are set, tenantID
                                      # is needed as well.
                                      # NOTE(review): whichever identity is used can edit DNS records, so its
                                      # role assignment should presumably be limited to the zone that holds the
                                      # challenge records - confirm against the deployment's Azure RBAC setup.
10889                                 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
10890                                 type: object
10891                                 required:
10892                                   - resourceGroupName
10893                                   - subscriptionID
10894                                 properties:
10895                                   clientID:
10896                                     description: if both this and ClientSecret are left unset MSI will be used
10897                                     type: string
10898                                   clientSecretSecretRef:
                                          # The client secret is referenced by Secret name (and optionally key);
                                          # its value is not inlined in this object.
10899                                     description: if both this and ClientID are left unset MSI will be used
10900                                     type: object
10901                                     required:
10902                                       - name
10903                                     properties:
10904                                       key:
10905                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10906                                         type: string
10907                                       name:
10908                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10909                                         type: string
10910                                   environment:
10911                                     type: string
10912                                     enum:
10913                                       - AzurePublicCloud
10914                                       - AzureChinaCloud
10915                                       - AzureGermanCloud
10916                                       - AzureUSGovernmentCloud
10917                                   hostedZoneName:
10918                                     type: string
10919                                   resourceGroupName:
10920                                     type: string
10921                                   subscriptionID:
10922                                     type: string
10923                                   tenantID:
10924                                     description: when specifying ClientID and ClientSecret then this field is also needed
10925                                     type: string
10926                               clouddns:
                                      # Google Cloud DNS solver. Only `project` is required by the schema.
                                      # serviceAccountSecretRef is optional here.
                                      # NOTE(review): the schema does not say which credentials are used when
                                      # it is omitted - presumably the ambient credentials of the cert-manager
                                      # pod; confirm before relying on it.
10927                                 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
10928                                 type: object
10929                                 required:
10930                                   - project
10931                                 properties:
10932                                   hostedZoneName:
                                          # Pins the zone; when left empty cert-manager picks a zone itself.
10933                                     description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
10934                                     type: string
10935                                   project:
10936                                     type: string
10937                                   serviceAccountSecretRef:
10938                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10939                                     type: object
10940                                     required:
10941                                       - name
10942                                     properties:
10943                                       key:
10944                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10945                                         type: string
10946                                       name:
10947                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10948                                         type: string
10949                               cloudflare:
                                      # Cloudflare solver. There is no `required` list at this level, so the
                                      # schema itself accepts an entry with neither credential reference set;
                                      # any such check would have to happen elsewhere (not visible here).
                                      # Two ways to authenticate are modelled: apiKeySecretRef (with `email`)
                                      # and apiTokenSecretRef. The apiKeySecretRef description recommends the
                                      # token, because its permissions can be restricted.
10950                                 description: Use the Cloudflare API to manage DNS01 challenge records.
10951                                 type: object
10952                                 properties:
10953                                   apiKeySecretRef:
10954                                     description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
10955                                     type: object
10956                                     required:
10957                                       - name
10958                                     properties:
10959                                       key:
10960                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10961                                         type: string
10962                                       name:
10963                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10964                                         type: string
10965                                   apiTokenSecretRef:
10966                                     description: API token used to authenticate with Cloudflare.
10967                                     type: object
10968                                     required:
10969                                       - name
10970                                     properties:
10971                                       key:
10972                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
10973                                         type: string
10974                                       name:
10975                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
10976                                         type: string
10977                                   email:
10978                                     description: Email of the account, only required when using API key based authentication.
10979                                     type: string
10980                               cnameStrategy:
                                      # How the DNS01 provider treats CNAME records found in DNS zones; the
                                      # schema allows exactly the two strings listed under `enum`.
                                      # NOTE(review): with Follow the challenge record presumably ends up in
                                      # the zone the CNAME points at, which makes that zone and its credentials
                                      # part of what issuance trusts - confirm against the cert-manager docs.
10981                                 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
10982                                 type: string
10983                                 enum:
10984                                   - None
10985                                   - Follow
10986                               digitalocean:
                                      # DigitalOcean solver. tokenSecretRef is required and points at a Secret
                                      # by name (and optionally key); the token value itself is not stored in
                                      # this object.
10987                                 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
10988                                 type: object
10989                                 required:
10990                                   - tokenSecretRef
10991                                 properties:
10992                                   tokenSecretRef:
10993                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
10994                                     type: object
10995                                     required:
10996                                       - name
10997                                     properties:
10998                                       key:
10999                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11000                                         type: string
11001                                       name:
11002                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11003                                         type: string
11004                               rfc2136:
                                      # RFC2136 dynamic-update solver. Only `nameserver` is required by the
                                      # schema; the three tsig* fields are optional.
                                      # NOTE(review): without tsigKeyName and tsigSecretSecretRef the updates
                                      # are presumably sent unsigned - confirm, and make sure the nameserver
                                      # restricts who may update the challenge records.
11005                                 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
11006                                 type: object
11007                                 required:
11008                                   - nameserver
11009                                 properties:
11010                                   nameserver:
11011                                     description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
11012                                     type: string
11013                                   tsigAlgorithm:
                                          # The description names HMACMD5 as the default. MD5-based TSIG is a
                                          # legacy choice; setting HMACSHA256 or HMACSHA512 explicitly avoids
                                          # relying on it, provided the nameserver is configured for the same
                                          # algorithm.
11014                                     description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
11015                                     type: string
11016                                   tsigKeyName:
11017                                     description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
11018                                     type: string
11019                                   tsigSecretSecretRef:
                                          # The TSIG value is read from a Secret; only the reference lives here.
11020                                     description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
11021                                     type: object
11022                                     required:
11023                                       - name
11024                                     properties:
11025                                       key:
11026                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11027                                         type: string
11028                                       name:
11029                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11030                                         type: string
11031                               route53:
                                      # AWS Route53 solver. Only `region` is required by the schema.
                                      # accessKeyID is a plain string in this object; the secret half is taken
                                      # from a Secret via secretAccessKeySecretRef. When they are not set, the
                                      # descriptions say the SDK falls back to env vars, the shared credentials
                                      # file or instance metadata, i.e. to whatever identity the process has.
                                      # NOTE(review): that ambient identity is then presumably usable by every
                                      # issuer served by this controller, so its IAM policy should be limited
                                      # to the hosted zones that need challenge records - confirm against the
                                      # IAM setup.
11032                                 description: Use the AWS Route53 API to manage DNS01 challenge records.
11033                                 type: object
11034                                 required:
11035                                   - region
11036                                 properties:
11037                                   accessKeyID:
11038                                     description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
11039                                     type: string
11040                                   hostedZoneID:
                                          # Restricts the provider to one zone and, per the description, skips
                                          # the route53:ListHostedZonesByName lookup.
11041                                     description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
11042                                     type: string
11043                                   region:
11044                                     description: Always set the region when using AccessKeyID and SecretAccessKey
11045                                     type: string
11046                                   role:
                                          # Role ARN assumed with either the explicit or the ambient credentials.
11047                                     description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
11048                                     type: string
11049                                   secretAccessKeySecretRef:
11050                                     description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
11051                                     type: object
11052                                     required:
11053                                       - name
11054                                     properties:
11055                                       key:
11056                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11057                                         type: string
11058                                       name:
11059                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11060                                         type: string
11061                               webhook:
                                      # External webhook DNS01 solver. groupName and solverName are required;
                                      # `config` is optional and passed through to the webhook apiserver.
11062                                 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
11063                                 type: object
11064                                 required:
11065                                   - groupName
11066                                   - solverName
11067                                 properties:
11068                                   config:
                                          # No type or properties are declared and unknown fields are
                                          # preserved, so this schema does not constrain the contents.
                                          # As the description states, credentials belong in a Secret that the
                                          # config references, not in the config itself.
11069                                     description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
11070                                     x-kubernetes-preserve-unknown-fields: true
11071                                   groupName:
11072                                     description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
11073                                     type: string
11074                                   solverName:
11075                                     description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
11076                                     type: string
11077                           http01:
11078                             description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
11079                             type: object
11080                             properties:
11081                               gatewayHTTPRoute:
                                      # Gateway API HTTP01 solver, marked experimental in its description.
                                      # cert-manager creates a temporary HTTPRoute carrying `labels`, which
                                      # must match the label selector of at least one Gateway.
11082                                 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
11083                                 type: object
11084                                 properties:
11085                                   labels:
11086                                     description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
11087                                     type: object
11088                                     additionalProperties:
11089                                       type: string
11090                                   serviceType:
                                          # Defaults to NodePort when unset (see description).
                                          # NOTE(review): ClusterIP may be sufficient when the Gateway reaches
                                          # the solver service in-cluster, which avoids opening a node port -
                                          # confirm for the gateway implementation in use.
11091                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
11092                                     type: string
11093                               ingress:
11094                                 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
11095                                 type: object
11096                                 properties:
11097                                   class:
11098                                     description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
11099                                     type: string
11100                                   ingressTemplate:
11101                                     description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
11102                                     type: object
11103                                     properties:
11104                                       metadata:
11105                                         description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
11106                                         type: object
11107                                         properties:
11108                                           annotations:
11109                                             description: Annotations that should be added to the created ACME HTTP01 solver ingress.
11110                                             type: object
11111                                             additionalProperties:
11112                                               type: string
11113                                           labels:
11114                                             description: Labels that should be added to the created ACME HTTP01 solver ingress.
11115                                             type: object
11116                                             additionalProperties:
11117                                               type: string
11118                                   name:
11119                                     description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
11120                                     type: string
11121                                   podTemplate:
11122                                     description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
11123                                     type: object
11124                                     properties:
11125                                       metadata:
11126                                         description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
11127                                         type: object
11128                                         properties:
11129                                           annotations:
11130                                             description: Annotations that should be added to the created ACME HTTP01 solver pods.
11131                                             type: object
11132                                             additionalProperties:
11133                                               type: string
11134                                           labels:
11135                                             description: Labels that should be added to the created ACME HTTP01 solver pods.
11136                                             type: object
11137                                             additionalProperties:
11138                                               type: string
11139                                       spec:
11140                                         description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
11141                                         type: object
11142                                         properties:
11143                                           affinity:
11144                                             description: If specified, the pod's scheduling constraints
11145                                             type: object
11146                                             properties:
11147                                               nodeAffinity:
11148                                                 description: Describes node affinity scheduling rules for the pod.
11149                                                 type: object
11150                                                 properties:
11151                                                   preferredDuringSchedulingIgnoredDuringExecution:
11152                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
11153                                                     type: array
11154                                                     items:
11155                                                       description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
11156                                                       type: object
11157                                                       required:
11158                                                         - preference
11159                                                         - weight
11160                                                       properties:
11161                                                         preference:
11162                                                           description: A node selector term, associated with the corresponding weight.
11163                                                           type: object
11164                                                           properties:
11165                                                             matchExpressions:
11166                                                               description: A list of node selector requirements by node's labels.
11167                                                               type: array
11168                                                               items:
11169                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11170                                                                 type: object
11171                                                                 required:
11172                                                                   - key
11173                                                                   - operator
11174                                                                 properties:
11175                                                                   key:
11176                                                                     description: The label key that the selector applies to.
11177                                                                     type: string
11178                                                                   operator:
11179                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
11180                                                                     type: string
11181                                                                   values:
11182                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11183                                                                     type: array
11184                                                                     items:
11185                                                                       type: string
11186                                                             matchFields:
11187                                                               description: A list of node selector requirements by node's fields.
11188                                                               type: array
11189                                                               items:
11190                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11191                                                                 type: object
11192                                                                 required:
11193                                                                   - key
11194                                                                   - operator
11195                                                                 properties:
11196                                                                   key:
11197                                                                     description: The label key that the selector applies to.
11198                                                                     type: string
11199                                                                   operator:
11200                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
11201                                                                     type: string
11202                                                                   values:
11203                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11204                                                                     type: array
11205                                                                     items:
11206                                                                       type: string
11207                                                         weight:
11208                                                           description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
11209                                                           type: integer
11210                                                           format: int32
11211                                                   requiredDuringSchedulingIgnoredDuringExecution:
11212                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
11213                                                     type: object
11214                                                     required:
11215                                                       - nodeSelectorTerms
11216                                                     properties:
11217                                                       nodeSelectorTerms:
11218                                                         description: Required. A list of node selector terms. The terms are ORed.
11219                                                         type: array
11220                                                         items:
11221                                                           description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
11222                                                           type: object
11223                                                           properties:
11224                                                             matchExpressions:
11225                                                               description: A list of node selector requirements by node's labels.
11226                                                               type: array
11227                                                               items:
11228                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11229                                                                 type: object
11230                                                                 required:
11231                                                                   - key
11232                                                                   - operator
11233                                                                 properties:
11234                                                                   key:
11235                                                                     description: The label key that the selector applies to.
11236                                                                     type: string
11237                                                                   operator:
11238                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
11239                                                                     type: string
11240                                                                   values:
11241                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11242                                                                     type: array
11243                                                                     items:
11244                                                                       type: string
11245                                                             matchFields:
11246                                                               description: A list of node selector requirements by node's fields.
11247                                                               type: array
11248                                                               items:
11249                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11250                                                                 type: object
11251                                                                 required:
11252                                                                   - key
11253                                                                   - operator
11254                                                                 properties:
11255                                                                   key:
11256                                                                     description: The label key that the selector applies to.
11257                                                                     type: string
11258                                                                   operator:
11259                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
11260                                                                     type: string
11261                                                                   values:
11262                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
11263                                                                     type: array
11264                                                                     items:
11265                                                                       type: string
11266                                               podAffinity:
11267                                                 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
11268                                                 type: object
11269                                                 properties:
11270                                                   preferredDuringSchedulingIgnoredDuringExecution:
11271                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
11272                                                     type: array
11273                                                     items:
11274                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
11275                                                       type: object
11276                                                       required:
11277                                                         - podAffinityTerm
11278                                                         - weight
11279                                                       properties:
11280                                                         podAffinityTerm:
11281                                                           description: Required. A pod affinity term, associated with the corresponding weight.
11282                                                           type: object
11283                                                           required:
11284                                                             - topologyKey
11285                                                           properties:
11286                                                             labelSelector:
11287                                                               description: A label query over a set of resources, in this case pods.
11288                                                               type: object
11289                                                               properties:
11290                                                                 matchExpressions:
11291                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11292                                                                   type: array
11293                                                                   items:
11294                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11295                                                                     type: object
11296                                                                     required:
11297                                                                       - key
11298                                                                       - operator
11299                                                                     properties:
11300                                                                       key:
11301                                                                         description: key is the label key that the selector applies to.
11302                                                                         type: string
11303                                                                       operator:
11304                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11305                                                                         type: string
11306                                                                       values:
11307                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11308                                                                         type: array
11309                                                                         items:
11310                                                                           type: string
11311                                                                 matchLabels:
11312                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11313                                                                   type: object
11314                                                                   additionalProperties:
11315                                                                     type: string
11316                                                             namespaceSelector:
11317                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector together with a null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces, so the term then also applies to pods outside this pod's namespace. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11318                                                               type: object
11319                                                               properties:
11320                                                                 matchExpressions:
11321                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11322                                                                   type: array
11323                                                                   items:
11324                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11325                                                                     type: object
11326                                                                     required:
11327                                                                       - key
11328                                                                       - operator
11329                                                                     properties:
11330                                                                       key:
11331                                                                         description: key is the label key that the selector applies to.
11332                                                                         type: string
11333                                                                       operator:
11334                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11335                                                                         type: string
11336                                                                       values:
11337                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11338                                                                         type: array
11339                                                                         items:
11340                                                                           type: string
11341                                                                 matchLabels:
11342                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11343                                                                   type: object
11344                                                                   additionalProperties:
11345                                                                     type: string
11346                                                             namespaces:
11347                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11348                                                               type: array
11349                                                               items:
11350                                                                 type: string
11351                                                             topologyKey:
11352                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11353                                                               type: string
11354                                                         weight:
11355                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
11356                                                           type: integer
11357                                                           format: int32
11358                                                   requiredDuringSchedulingIgnoredDuringExecution:
11359                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
11360                                                     type: array
11361                                                     items:
11362                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
11363                                                       type: object
11364                                                       required:
11365                                                         - topologyKey
11366                                                       properties:
11367                                                         labelSelector:
11368                                                           description: A label query over a set of resources, in this case pods.
11369                                                           type: object
11370                                                           properties:
11371                                                             matchExpressions:
11372                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11373                                                               type: array
11374                                                               items:
11375                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11376                                                                 type: object
11377                                                                 required:
11378                                                                   - key
11379                                                                   - operator
11380                                                                 properties:
11381                                                                   key:
11382                                                                     description: key is the label key that the selector applies to.
11383                                                                     type: string
11384                                                                   operator:
11385                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11386                                                                     type: string
11387                                                                   values:
11388                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11389                                                                     type: array
11390                                                                     items:
11391                                                                       type: string
11392                                                             matchLabels:
11393                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11394                                                               type: object
11395                                                               additionalProperties:
11396                                                                 type: string
11397                                                         namespaceSelector:
11398                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector together with a null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces, so the term then also applies to pods outside this pod's namespace. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11399                                                           type: object
11400                                                           properties:
11401                                                             matchExpressions:
11402                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11403                                                               type: array
11404                                                               items:
11405                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11406                                                                 type: object
11407                                                                 required:
11408                                                                   - key
11409                                                                   - operator
11410                                                                 properties:
11411                                                                   key:
11412                                                                     description: key is the label key that the selector applies to.
11413                                                                     type: string
11414                                                                   operator:
11415                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11416                                                                     type: string
11417                                                                   values:
11418                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11419                                                                     type: array
11420                                                                     items:
11421                                                                       type: string
11422                                                             matchLabels:
11423                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11424                                                               type: object
11425                                                               additionalProperties:
11426                                                                 type: string
11427                                                         namespaces:
11428                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11429                                                           type: array
11430                                                           items:
11431                                                             type: string
11432                                                         topologyKey:
11433                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11434                                                           type: string
11435                                               podAntiAffinity:
11436                                                 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
11437                                                 type: object
11438                                                 properties:
11439                                                   preferredDuringSchedulingIgnoredDuringExecution:
11440                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
11441                                                     type: array
11442                                                     items:
11443                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
11444                                                       type: object
11445                                                       required:
11446                                                         - podAffinityTerm
11447                                                         - weight
11448                                                       properties:
11449                                                         podAffinityTerm:
11450                                                           description: Required. A pod affinity term, associated with the corresponding weight.
11451                                                           type: object
11452                                                           required:
11453                                                             - topologyKey
11454                                                           properties:
11455                                                             labelSelector:
11456                                                               description: A label query over a set of resources, in this case pods.
11457                                                               type: object
11458                                                               properties:
11459                                                                 matchExpressions:
11460                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11461                                                                   type: array
11462                                                                   items:
11463                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11464                                                                     type: object
11465                                                                     required:
11466                                                                       - key
11467                                                                       - operator
11468                                                                     properties:
11469                                                                       key:
11470                                                                         description: key is the label key that the selector applies to.
11471                                                                         type: string
11472                                                                       operator:
11473                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11474                                                                         type: string
11475                                                                       values:
11476                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11477                                                                         type: array
11478                                                                         items:
11479                                                                           type: string
11480                                                                 matchLabels:
11481                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11482                                                                   type: object
11483                                                                   additionalProperties:
11484                                                                     type: string
11485                                                             namespaceSelector:
11486                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. A null selector together with a null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces, so the term then also applies to pods outside this pod's namespace. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11487                                                               type: object
11488                                                               properties:
11489                                                                 matchExpressions:
11490                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11491                                                                   type: array
11492                                                                   items:
11493                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11494                                                                     type: object
11495                                                                     required:
11496                                                                       - key
11497                                                                       - operator
11498                                                                     properties:
11499                                                                       key:
11500                                                                         description: key is the label key that the selector applies to.
11501                                                                         type: string
11502                                                                       operator:
11503                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11504                                                                         type: string
11505                                                                       values:
11506                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11507                                                                         type: array
11508                                                                         items:
11509                                                                           type: string
11510                                                                 matchLabels:
11511                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11512                                                                   type: object
11513                                                                   additionalProperties:
11514                                                                     type: string
11515                                                             namespaces:
11516                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11517                                                               type: array
11518                                                               items:
11519                                                                 type: string
11520                                                             topologyKey:
11521                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11522                                                               type: string
11523                                                         weight:
11524                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
11525                                                           type: integer
11526                                                           format: int32
11527                                                   requiredDuringSchedulingIgnoredDuringExecution:
11528                                                     description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
11529                                                     type: array
11530                                                     items:
11531                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
11532                                                       type: object
11533                                                       required:
11534                                                         - topologyKey
11535                                                       properties:
11536                                                         labelSelector:
11537                                                           description: A label query over a set of resources, in this case pods.
11538                                                           type: object
11539                                                           properties:
11540                                                             matchExpressions:
11541                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11542                                                               type: array
11543                                                               items:
11544                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11545                                                                 type: object
11546                                                                 required:
11547                                                                   - key
11548                                                                   - operator
11549                                                                 properties:
11550                                                                   key:
11551                                                                     description: key is the label key that the selector applies to.
11552                                                                     type: string
11553                                                                   operator:
11554                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11555                                                                     type: string
11556                                                                   values:
11557                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11558                                                                     type: array
11559                                                                     items:
11560                                                                       type: string
11561                                                             matchLabels:
11562                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11563                                                               type: object
11564                                                               additionalProperties:
11565                                                                 type: string
11566                                                         namespaceSelector:
11567                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
11568                                                           type: object
11569                                                           properties:
11570                                                             matchExpressions:
11571                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11572                                                               type: array
11573                                                               items:
11574                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
11575                                                                 type: object
11576                                                                 required:
11577                                                                   - key
11578                                                                   - operator
11579                                                                 properties:
11580                                                                   key:
11581                                                                     description: key is the label key that the selector applies to.
11582                                                                     type: string
11583                                                                   operator:
11584                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
11585                                                                     type: string
11586                                                                   values:
11587                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
11588                                                                     type: array
11589                                                                     items:
11590                                                                       type: string
11591                                                             matchLabels:
11592                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
11593                                                               type: object
11594                                                               additionalProperties:
11595                                                                 type: string
11596                                                         namespaces:
11597                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
11598                                                           type: array
11599                                                           items:
11600                                                             type: string
11601                                                         topologyKey:
11602                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
11603                                                           type: string
11604                                           nodeSelector:
11605                                             description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
11606                                             type: object
11607                                             additionalProperties:
11608                                               type: string
11609                                           priorityClassName:
11610                                             description: If specified, the pod's priorityClassName.
11611                                             type: string
11612                                           serviceAccountName:
11613                                             description: If specified, the pod's service account
11614                                             type: string
11615                                           tolerations:
11616                                             description: If specified, the pod's tolerations.
11617                                             type: array
11618                                             items:
11619                                               description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
11620                                               type: object
11621                                               properties:
11622                                                 effect:
11623                                                   description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
11624                                                   type: string
11625                                                 key:
11626                                                   description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
11627                                                   type: string
11628                                                 operator:
11629                                                   description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
11630                                                   type: string
11631                                                 tolerationSeconds:
11632                                                   description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
11633                                                   type: integer
11634                                                   format: int64
11635                                                 value:
11636                                                   description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
11637                                                   type: string
11638                                   serviceType:
11639                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
11640                                     type: string
11641                           selector:
11642                             description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
11643                             type: object
11644                             properties:
11645                               dnsNames:
11646                                 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
11647                                 type: array
11648                                 items:
11649                                   type: string
11650                               dnsZones:
11651                                 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
11652                                 type: array
11653                                 items:
11654                                   type: string
11655                               matchLabels:
11656                                 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
11657                                 type: object
11658                                 additionalProperties:
11659                                   type: string
11660                 ca:
11661                   description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
11662                   type: object
11663                   required:
11664                     - secretName
11665                   properties:
11666                     crlDistributionPoints:
11667                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
11668                       type: array
11669                       items:
11670                         type: string
11671                     ocspServers:
11672                       description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
11673                       type: array
11674                       items:
11675                         type: string
11676                     secretName:
11677                       description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
11678                       type: string
11679                 selfSigned:
11680                   description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
11681                   type: object
11682                   properties:
11683                     crlDistributionPoints:
11684                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without CRL distribution points. Values are strings.
11685                       type: array
11686                       items:
11687                         type: string
11688                 vault:
11689                   description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
11690                   type: object
11691                   required:
11692                     - auth
11693                     - path
11694                     - server
11695                   properties:
11696                     auth:
11697                       description: Auth configures how cert-manager authenticates with the Vault server.
11698                       type: object
11699                       properties:
11700                         appRole:
11701                           description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
11702                           type: object
11703                           required:
11704                             - path
11705                             - roleId
11706                             - secretRef
11707                           properties:
11708                             path:
11709                               description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
11710                               type: string
11711                             roleId:
11712                               description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
11713                               type: string
11714                             secretRef:
11715                               description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
11716                               type: object
11717                               required:
11718                                 - name
11719                               properties:
11720                                 key:
11721                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11722                                   type: string
11723                                 name:
11724                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11725                                   type: string
11726                         kubernetes:
11727                           description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
11728                           type: object
11729                           required:
11730                             - role
11731                             - secretRef
11732                           properties:
11733                             mountPath:
11734                               description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
11735                               type: string
11736                             role:
11737                               description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
11738                               type: string
11739                             secretRef:
11740                               description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
11741                               type: object
11742                               required:
11743                                 - name
11744                               properties:
11745                                 key:
11746                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11747                                   type: string
11748                                 name:
11749                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11750                                   type: string
11751                         tokenSecretRef:
11752                           description: TokenSecretRef authenticates with Vault by presenting a token.
11753                           type: object
11754                           required:
11755                             - name
11756                           properties:
11757                             key:
11758                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11759                               type: string
11760                             name:
11761                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11762                               type: string
11763                     caBundle:
11764                       description: PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL uses the HTTPS protocol. This parameter is ignored for plain HTTP connections. If not set, the system root certificates are used to validate the TLS connection.
11765                       type: string
11766                       format: byte
11767                     namespace:
11768                       description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
11769                       type: string
11770                     path:
11771                       description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
11772                       type: string
11773                     server:
11774                       description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
11775                       type: string
11776                 venafi:
11777                   description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
11778                   type: object
11779                   required:
11780                     - zone
11781                   properties:
11782                     cloud:
11783                       description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
11784                       type: object
11785                       required:
11786                         - apiTokenSecretRef
11787                       properties:
11788                         apiTokenSecretRef:
11789                           description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
11790                           type: object
11791                           required:
11792                             - name
11793                           properties:
11794                             key:
11795                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11796                               type: string
11797                             name:
11798                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11799                               type: string
11800                         url:
11801                           description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
11802                           type: string
11803                     tpp:
11804                       description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
11805                       type: object
11806                       required:
11807                         - credentialsRef
11808                         - url
11809                       properties:
11810                         caBundle:
11811                           description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
11812                           type: string
11813                           format: byte
11814                         credentialsRef:
11815                           description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
11816                           type: object
11817                           required:
11818                             - name
11819                           properties:
11820                             name:
11821                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11822                               type: string
11823                         url:
11824                           description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
11825                           type: string
11826                     zone:
11827                       description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
11828                       type: string
11829             status:
11830               description: Status of the Issuer. This is set and managed automatically.
11831               type: object
11832               properties:
11833                 acme:
11834                   description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
11835                   type: object
11836                   properties:
11837                     lastRegisteredEmail:
11838                       description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer
11839                       type: string
11840                     uri:
11841                       description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
11842                       type: string
11843                 conditions:
11844                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
11845                   type: array
11846                   items:
11847                     description: IssuerCondition contains condition information for an Issuer.
11848                     type: object
11849                     required:
11850                       - status
11851                       - type
11852                     properties:
11853                       lastTransitionTime:
11854                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
11855                         type: string
11856                         format: date-time
11857                       message:
11858                         description: Message is a human readable description of the details of the last transition, complementing reason.
11859                         type: string
11860                       observedGeneration:
11861                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
11862                         type: integer
11863                         format: int64
11864                       reason:
11865                         description: Reason is a brief machine readable explanation for the condition's last transition.
11866                         type: string
11867                       status:
11868                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
11869                         type: string
11870                         enum:
11871                           - "True"
11872                           - "False"
11873                           - Unknown
11874                       type:
11875                         description: Type of the condition, known values are (`Ready`).
11876                         type: string
11877       served: true
11878       storage: false
11879     - name: v1alpha3
11880       subresources:
11881         status: {}
11882       additionalPrinterColumns:
11883         - jsonPath: .status.conditions[?(@.type=="Ready")].status
11884           name: Ready
11885           type: string
11886         - jsonPath: .status.conditions[?(@.type=="Ready")].message
11887           name: Status
11888           priority: 1
11889           type: string
11890         - jsonPath: .metadata.creationTimestamp
11891           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
11892           name: Age
11893           type: date
11894       schema:
11895         openAPIV3Schema:
11896           description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
11897           type: object
11898           properties:
11899             apiVersion:
11900               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
11901               type: string
11902             kind:
11903               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
11904               type: string
11905             metadata:
11906               type: object
11907             spec:
11908               description: Desired state of the Issuer resource.
11909               type: object
11910               properties:
11911                 acme:
11912                   description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
11913                   type: object
11914                   required:
11915                     - privateKeySecretRef
11916                     - server
11917                   properties:
11918                     disableAccountKeyGeneration:
11919                       description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
11920                       type: boolean
11921                     email:
11922                       description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
11923                       type: string
11924                     enableDurationFeature:
11925                       description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false.
11926                       type: boolean
11927                     externalAccountBinding:
11928                       description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
11929                       type: object
11930                       required:
11931                         - keyID
11932                         - keySecretRef
11933                       properties:
11934                         keyAlgorithm:
11935                           description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
11936                           type: string
11937                           enum:
11938                             - HS256
11939                             - HS384
11940                             - HS512
11941                         keyID:
11942                           description: keyID is the ID of the CA key that the External Account is bound to.
11943                           type: string
11944                         keySecretRef:
11945                           description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
11946                           type: object
11947                           required:
11948                             - name
11949                           properties:
11950                             key:
11951                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11952                               type: string
11953                             name:
11954                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11955                               type: string
11956                     preferredChain:
11957                       description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
11958                       type: string
11959                       maxLength: 64
11960                     privateKeySecretRef:
11961                       description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
11962                       type: object
11963                       required:
11964                         - name
11965                       properties:
11966                         key:
11967                           description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
11968                           type: string
11969                         name:
11970                           description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
11971                           type: string
11972                     server:
11973                       description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
11974                       type: string
11975                     skipTLSVerify:  # NOTE(review): when true the ACME server's TLS certificate is not validated, so the server's identity is unverified; treat any Issuer that sets it outside a development environment as a review finding.
11976                       description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
11977                       type: boolean
11978                     solvers:
11979                       description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
11980                       type: array
11981                       items:
11982                         description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
11983                         type: object
11984                         properties:
11985                           dns01:
11986                             description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
11987                             type: object
11988                             properties:
11989                               acmedns:
11990                                 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
11991                                 type: object
11992                                 required:
11993                                   - accountSecretRef
11994                                   - host
11995                                 properties:
11996                                   accountSecretRef:
11997                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
11998                                     type: object
11999                                     required:
12000                                       - name
12001                                     properties:
12002                                       key:
12003                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12004                                         type: string
12005                                       name:
12006                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12007                                         type: string
12008                                   host:
12009                                     type: string
12010                               akamai:
12011                                 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
12012                                 type: object
12013                                 required:
12014                                   - accessTokenSecretRef
12015                                   - clientSecretSecretRef
12016                                   - clientTokenSecretRef
12017                                   - serviceConsumerDomain
12018                                 properties:
12019                                   accessTokenSecretRef:
12020                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12021                                     type: object
12022                                     required:
12023                                       - name
12024                                     properties:
12025                                       key:
12026                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12027                                         type: string
12028                                       name:
12029                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12030                                         type: string
12031                                   clientSecretSecretRef:
12032                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12033                                     type: object
12034                                     required:
12035                                       - name
12036                                     properties:
12037                                       key:
12038                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12039                                         type: string
12040                                       name:
12041                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12042                                         type: string
12043                                   clientTokenSecretRef:
12044                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12045                                     type: object
12046                                     required:
12047                                       - name
12048                                     properties:
12049                                       key:
12050                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12051                                         type: string
12052                                       name:
12053                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12054                                         type: string
12055                                   serviceConsumerDomain:
12056                                     type: string
12057                               azuredns:
12058                                 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
12059                                 type: object
12060                                 required:
12061                                   - resourceGroupName
12062                                   - subscriptionID
12063                                 properties:
12064                                   clientID:
12065                                     description: if both this and ClientSecret are left unset MSI will be used
12066                                     type: string
12067                                   clientSecretSecretRef:
12068                                     description: if both this and ClientID are left unset MSI will be used
12069                                     type: object
12070                                     required:
12071                                       - name
12072                                     properties:
12073                                       key:
12074                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12075                                         type: string
12076                                       name:
12077                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12078                                         type: string
12079                                   environment:
12080                                     type: string
12081                                     enum:
12082                                       - AzurePublicCloud
12083                                       - AzureChinaCloud
12084                                       - AzureGermanCloud
12085                                       - AzureUSGovernmentCloud
12086                                   hostedZoneName:
12087                                     type: string
12088                                   resourceGroupName:
12089                                     type: string
12090                                   subscriptionID:
12091                                     type: string
12092                                   tenantID:
12093                                     description: when specifying ClientID and ClientSecret then this field is also needed
12094                                     type: string
12095                               clouddns:
12096                                 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
12097                                 type: object
12098                                 required:
12099                                   - project
12100                                 properties:
12101                                   hostedZoneName:
12102                                     description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
12103                                     type: string
12104                                   project:
12105                                     type: string
12106                                   serviceAccountSecretRef:
12107                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12108                                     type: object
12109                                     required:
12110                                       - name
12111                                     properties:
12112                                       key:
12113                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12114                                         type: string
12115                                       name:
12116                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12117                                         type: string
12118                               cloudflare:
12119                                 description: Use the Cloudflare API to manage DNS01 challenge records.
12120                                 type: object
12121                                 properties:
12122                                   apiKeySecretRef:
12123                                     description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
12124                                     type: object
12125                                     required:
12126                                       - name
12127                                     properties:
12128                                       key:
12129                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12130                                         type: string
12131                                       name:
12132                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12133                                         type: string
12134                                   apiTokenSecretRef:
12135                                     description: API token used to authenticate with Cloudflare.
12136                                     type: object
12137                                     required:
12138                                       - name
12139                                     properties:
12140                                       key:
12141                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12142                                         type: string
12143                                       name:
12144                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12145                                         type: string
12146                                   email:
12147                                     description: Email of the account, only required when using API key based authentication.
12148                                     type: string
12149                               cnameStrategy:
12150                                 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
12151                                 type: string
12152                                 enum:
12153                                   - None
12154                                   - Follow
12155                               digitalocean:
12156                                 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
12157                                 type: object
12158                                 required:
12159                                   - tokenSecretRef
12160                                 properties:
12161                                   tokenSecretRef:
12162                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
12163                                     type: object
12164                                     required:
12165                                       - name
12166                                     properties:
12167                                       key:
12168                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12169                                         type: string
12170                                       name:
12171                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12172                                         type: string
12173                               rfc2136:
12174                                 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
12175                                 type: object
12176                                 required:
12177                                   - nameserver
12178                                 properties:
12179                                   nameserver:
12180                                     description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
12181                                     type: string
12182                                   tsigAlgorithm:  # NOTE(review): per the description the default is HMACMD5, a legacy MAC; set HMACSHA256 or HMACSHA512 explicitly in Issuer manifests when the DNS server supports it.
12183                                     description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
12184                                     type: string
12185                                   tsigKeyName:
12186                                     description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
12187                                     type: string
12188                                   tsigSecretSecretRef:
12189                                     description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
12190                                     type: object
12191                                     required:
12192                                       - name
12193                                     properties:
12194                                       key:
12195                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12196                                         type: string
12197                                       name:
12198                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12199                                         type: string
12200                               route53:
12201                                 description: Use the AWS Route53 API to manage DNS01 challenge records.
12202                                 type: object
12203                                 required:
12204                                   - region
12205                                 properties:
12206                                   accessKeyID:
12207                                     description: 'The AccessKeyID is used for authentication. If not set, we fall back to using env vars, shared credentials file or AWS Instance metadata; see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
12208                                     type: string
12209                                   hostedZoneID:
12210                                     description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
12211                                     type: string
12212                                   region:
12213                                     description: Always set the region when using AccessKeyID and SecretAccessKey
12214                                     type: string
12215                                   role:
12216                                     description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
12217                                     type: string
12218                                   secretAccessKeySecretRef:
12219                                     description: The SecretAccessKey is used for authentication. If not set, we fall back to using env vars, the shared credentials file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
12220                                     type: object
12221                                     required:
12222                                       - name
12223                                     properties:
12224                                       key:
12225                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12226                                         type: string
12227                                       name:
12228                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12229                                         type: string
12230                               webhook:
12231                                 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
12232                                 type: object
12233                                 required:
12234                                   - groupName
12235                                   - solverName
12236                                 properties:
12237                                   config:
12238                                     description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
12239                                     x-kubernetes-preserve-unknown-fields: true
12240                                   groupName:
12241                                     description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
12242                                     type: string
12243                                   solverName:
12244                                     description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
12245                                     type: string
12246                           http01:
12247                             description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
12248                             type: object
12249                             properties:
12250                               gatewayHTTPRoute:
12251                                 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
12252                                 type: object
12253                                 properties:
12254                                   labels:
12255                                     description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
12256                                     type: object
12257                                     additionalProperties:
12258                                       type: string
12259                                   serviceType:
12260                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
12261                                     type: string
12262                               ingress:
12263                                 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
12264                                 type: object
12265                                 properties:
12266                                   class:
12267                                     description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
12268                                     type: string
12269                                   ingressTemplate:
12270                                     description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges
12271                                     type: object
12272                                     properties:
12273                                       metadata:
12274                                         description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
12275                                         type: object
12276                                         properties:
12277                                           annotations:
12278                                             description: Annotations that should be added to the created ACME HTTP01 solver ingress.
12279                                             type: object
12280                                             additionalProperties:
12281                                               type: string
12282                                           labels:
12283                                             description: Labels that should be added to the created ACME HTTP01 solver ingress.
12284                                             type: object
12285                                             additionalProperties:
12286                                               type: string
12287                                   name:
12288                                     description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
12289                                     type: string
12290                                   podTemplate:
12291                                     description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
12292                                     type: object
12293                                     properties:
12294                                       metadata:
12295                                         description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
12296                                         type: object
12297                                         properties:
12298                                           annotations:
12299                                             description: Annotations that should be added to the created ACME HTTP01 solver pods.
12300                                             type: object
12301                                             additionalProperties:
12302                                               type: string
12303                                           labels:
12304                                             description: Labels that should be added to the created ACME HTTP01 solver pods.
12305                                             type: object
12306                                             additionalProperties:
12307                                               type: string
12308                                       spec:
12309                                         description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
12310                                         type: object
12311                                         properties:
12312                                           affinity:
12313                                             description: If specified, the pod's scheduling constraints
12314                                             type: object
12315                                             properties:
12316                                               nodeAffinity:
12317                                                 description: Describes node affinity scheduling rules for the pod.
12318                                                 type: object
12319                                                 properties:
12320                                                   preferredDuringSchedulingIgnoredDuringExecution:
12321                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
12322                                                     type: array
12323                                                     items:
12324                                                       description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
12325                                                       type: object
12326                                                       required:
12327                                                         - preference
12328                                                         - weight
12329                                                       properties:
12330                                                         preference:
12331                                                           description: A node selector term, associated with the corresponding weight.
12332                                                           type: object
12333                                                           properties:
12334                                                             matchExpressions:
12335                                                               description: A list of node selector requirements by node's labels.
12336                                                               type: array
12337                                                               items:
12338                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12339                                                                 type: object
12340                                                                 required:
12341                                                                   - key
12342                                                                   - operator
12343                                                                 properties:
12344                                                                   key:
12345                                                                     description: The label key that the selector applies to.
12346                                                                     type: string
12347                                                                   operator:
12348                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12349                                                                     type: string
12350                                                                   values:
12351                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12352                                                                     type: array
12353                                                                     items:
12354                                                                       type: string
12355                                                             matchFields:
12356                                                               description: A list of node selector requirements by node's fields.
12357                                                               type: array
12358                                                               items:
12359                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12360                                                                 type: object
12361                                                                 required:
12362                                                                   - key
12363                                                                   - operator
12364                                                                 properties:
12365                                                                   key:
12366                                                                     description: The label key that the selector applies to.
12367                                                                     type: string
12368                                                                   operator:
12369                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12370                                                                     type: string
12371                                                                   values:
12372                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12373                                                                     type: array
12374                                                                     items:
12375                                                                       type: string
12376                                                         weight:
12377                                                           description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
12378                                                           type: integer
12379                                                           format: int32
12380                                                   requiredDuringSchedulingIgnoredDuringExecution:
12381                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
12382                                                     type: object
12383                                                     required:
12384                                                       - nodeSelectorTerms
12385                                                     properties:
12386                                                       nodeSelectorTerms:
12387                                                         description: Required. A list of node selector terms. The terms are ORed.
12388                                                         type: array
12389                                                         items:
12390                                                           description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
12391                                                           type: object
12392                                                           properties:
12393                                                             matchExpressions:
12394                                                               description: A list of node selector requirements by node's labels.
12395                                                               type: array
12396                                                               items:
12397                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12398                                                                 type: object
12399                                                                 required:
12400                                                                   - key
12401                                                                   - operator
12402                                                                 properties:
12403                                                                   key:
12404                                                                     description: The label key that the selector applies to.
12405                                                                     type: string
12406                                                                   operator:
12407                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12408                                                                     type: string
12409                                                                   values:
12410                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12411                                                                     type: array
12412                                                                     items:
12413                                                                       type: string
12414                                                             matchFields:
12415                                                               description: A list of node selector requirements by node's fields.
12416                                                               type: array
12417                                                               items:
12418                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12419                                                                 type: object
12420                                                                 required:
12421                                                                   - key
12422                                                                   - operator
12423                                                                 properties:
12424                                                                   key:
12425                                                                     description: The label key that the selector applies to.
12426                                                                     type: string
12427                                                                   operator:
12428                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
12429                                                                     type: string
12430                                                                   values:
12431                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
12432                                                                     type: array
12433                                                                     items:
12434                                                                       type: string
12435                                               podAffinity:
12436                                                 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
12437                                                 type: object
12438                                                 properties:
12439                                                   preferredDuringSchedulingIgnoredDuringExecution:
12440                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
12441                                                     type: array
12442                                                     items:
12443                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
12444                                                       type: object
12445                                                       required:
12446                                                         - podAffinityTerm
12447                                                         - weight
12448                                                       properties:
12449                                                         podAffinityTerm:
12450                                                           description: Required. A pod affinity term, associated with the corresponding weight.
12451                                                           type: object
12452                                                           required:
12453                                                             - topologyKey
12454                                                           properties:
12455                                                             labelSelector:
12456                                                               description: A label query over a set of resources, in this case pods.
12457                                                               type: object
12458                                                               properties:
12459                                                                 matchExpressions:
12460                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12461                                                                   type: array
12462                                                                   items:
12463                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12464                                                                     type: object
12465                                                                     required:
12466                                                                       - key
12467                                                                       - operator
12468                                                                     properties:
12469                                                                       key:
12470                                                                         description: key is the label key that the selector applies to.
12471                                                                         type: string
12472                                                                       operator:
12473                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12474                                                                         type: string
12475                                                                       values:
12476                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12477                                                                         type: array
12478                                                                         items:
12479                                                                           type: string
12480                                                                 matchLabels:
12481                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12482                                                                   type: object
12483                                                                   additionalProperties:
12484                                                                     type: string
12485                                                             namespaceSelector:
12486                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12487                                                               type: object
12488                                                               properties:
12489                                                                 matchExpressions:
12490                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12491                                                                   type: array
12492                                                                   items:
12493                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12494                                                                     type: object
12495                                                                     required:
12496                                                                       - key
12497                                                                       - operator
12498                                                                     properties:
12499                                                                       key:
12500                                                                         description: key is the label key that the selector applies to.
12501                                                                         type: string
12502                                                                       operator:
12503                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12504                                                                         type: string
12505                                                                       values:
12506                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12507                                                                         type: array
12508                                                                         items:
12509                                                                           type: string
12510                                                                 matchLabels:
12511                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12512                                                                   type: object
12513                                                                   additionalProperties:
12514                                                                     type: string
12515                                                             namespaces:  # Static list of namespace names for this term; the description states it is unioned with whatever namespaceSelector selects.
12516                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12517                                                               type: array
12518                                                               items:
12519                                                                 type: string  # Entries are plain strings; this schema declares no pattern or length limit for them.
12520                                                             topologyKey:  # Node label key whose value defines what "co-located" means for this term.
12521                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12522                                                               type: string  # The description forbids an empty value, but no minLength is declared here.
12523                                                         weight:  # Integer weight paired with the sibling podAffinityTerm.
12524                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
12525                                                           type: integer  # The 1-100 range is stated only in the description; no minimum/maximum is declared in this schema.
12526                                                           format: int32  # NOTE(review): the range is presumably checked when the resulting pod is validated - confirm.
12527                                                   requiredDuringSchedulingIgnoredDuringExecution:
12528                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
12529                                                     type: array
12530                                                     items:
12531                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
12532                                                       type: object
12533                                                       required:
12534                                                         - topologyKey
12535                                                       properties:
12536                                                         labelSelector:  # Label query that picks the pods this required pod-affinity term refers to.
12537                                                           description: A label query over a set of resources, in this case pods.
12538                                                           type: object
12539                                                           properties:
12540                                                             matchExpressions:  # List of key/operator/values requirements; per the description they are ANDed.
12541                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12542                                                               type: array
12543                                                               items:
12544                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12545                                                                 type: object
12546                                                                 required:  # Each requirement must carry key and operator; values is optional at schema level.
12547                                                                   - key
12548                                                                   - operator
12549                                                                 properties:
12550                                                                   key:
12551                                                                     description: key is the label key that the selector applies to.
12552                                                                     type: string
12553                                                                   operator:
12554                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12555                                                                     type: string  # Free-form string here: the four valid operators are named in the description, not in an enum.
12556                                                                   values:
12557                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12558                                                                     type: array  # The operator-dependent empty/non-empty rule is described but not expressed in this schema.
12559                                                                     items:
12560                                                                       type: string
12561                                                             matchLabels:  # Map form of the same query; each entry is described as equivalent to an "In" requirement with one value.
12562                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12563                                                               type: object
12564                                                               additionalProperties:
12565                                                                 type: string  # Map values must be strings.
12566                                                         namespaceSelector:  # Label query over namespaces; its result is unioned with the static namespaces list (see description).
12567                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12568                                                           type: object  # Per the description an empty object matches all namespaces, widening the term to pods in every namespace; review manifests that set it to {}.
12569                                                           properties:
12570                                                             matchExpressions:  # List of key/operator/values requirements on namespace labels; per the description they are ANDed.
12571                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12572                                                               type: array
12573                                                               items:
12574                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12575                                                                 type: object
12576                                                                 required:  # Each requirement must carry key and operator; values is optional at schema level.
12577                                                                   - key
12578                                                                   - operator
12579                                                                 properties:
12580                                                                   key:
12581                                                                     description: key is the label key that the selector applies to.
12582                                                                     type: string
12583                                                                   operator:
12584                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12585                                                                     type: string  # Free-form string here: the four valid operators are named in the description, not in an enum.
12586                                                                   values:
12587                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12588                                                                     type: array  # The operator-dependent empty/non-empty rule is described but not expressed in this schema.
12589                                                                     items:
12590                                                                       type: string
12591                                                             matchLabels:  # Map form of the same query; each entry is described as equivalent to an "In" requirement with one value.
12592                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12593                                                               type: object
12594                                                               additionalProperties:
12595                                                                 type: string  # Map values must be strings.
12596                                                         namespaces:  # Static list of namespace names for this required term; the description states it is unioned with whatever namespaceSelector selects.
12597                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12598                                                           type: array
12599                                                           items:
12600                                                             type: string  # Entries are plain strings; this schema declares no pattern or length limit for them.
12601                                                         topologyKey:  # Node label key whose value defines what "co-located" means; the only field this term lists as required.
12602                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12603                                                           type: string  # The description forbids an empty value, but no minLength is declared here.
12604                                               podAntiAffinity:
12605                                                 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
12606                                                 type: object
12607                                                 properties:
12608                                                   preferredDuringSchedulingIgnoredDuringExecution:
12609                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
12610                                                     type: array
12611                                                     items:
12612                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
12613                                                       type: object
12614                                                       required:
12615                                                         - podAffinityTerm
12616                                                         - weight
12617                                                       properties:
12618                                                         podAffinityTerm:
12619                                                           description: Required. A pod affinity term, associated with the corresponding weight.
12620                                                           type: object
12621                                                           required:
12622                                                             - topologyKey
12623                                                           properties:
12624                                                             labelSelector:  # Label query that picks the pods this preferred anti-affinity term refers to.
12625                                                               description: A label query over a set of resources, in this case pods.
12626                                                               type: object
12627                                                               properties:
12628                                                                 matchExpressions:  # List of key/operator/values requirements; per the description they are ANDed.
12629                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12630                                                                   type: array
12631                                                                   items:
12632                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12633                                                                     type: object
12634                                                                     required:  # Each requirement must carry key and operator; values is optional at schema level.
12635                                                                       - key
12636                                                                       - operator
12637                                                                     properties:
12638                                                                       key:
12639                                                                         description: key is the label key that the selector applies to.
12640                                                                         type: string
12641                                                                       operator:
12642                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12643                                                                         type: string  # Free-form string here: the four valid operators are named in the description, not in an enum.
12644                                                                       values:
12645                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12646                                                                         type: array  # The operator-dependent empty/non-empty rule is described but not expressed in this schema.
12647                                                                         items:
12648                                                                           type: string
12649                                                                 matchLabels:  # Map form of the same query; each entry is described as equivalent to an "In" requirement with one value.
12650                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12651                                                                   type: object
12652                                                                   additionalProperties:
12653                                                                     type: string  # Map values must be strings.
12654                                                             namespaceSelector:  # Label query over namespaces; its result is unioned with the static namespaces list (see description).
12655                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12656                                                               type: object  # Per the description an empty object matches all namespaces, widening the term to pods in every namespace; review manifests that set it to {}.
12657                                                               properties:
12658                                                                 matchExpressions:  # List of key/operator/values requirements on namespace labels; per the description they are ANDed.
12659                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12660                                                                   type: array
12661                                                                   items:
12662                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12663                                                                     type: object
12664                                                                     required:  # Each requirement must carry key and operator; values is optional at schema level.
12665                                                                       - key
12666                                                                       - operator
12667                                                                     properties:
12668                                                                       key:
12669                                                                         description: key is the label key that the selector applies to.
12670                                                                         type: string
12671                                                                       operator:
12672                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12673                                                                         type: string  # Free-form string here: the four valid operators are named in the description, not in an enum.
12674                                                                       values:
12675                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12676                                                                         type: array  # The operator-dependent empty/non-empty rule is described but not expressed in this schema.
12677                                                                         items:
12678                                                                           type: string
12679                                                                 matchLabels:  # Map form of the same query; each entry is described as equivalent to an "In" requirement with one value.
12680                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12681                                                                   type: object
12682                                                                   additionalProperties:
12683                                                                     type: string  # Map values must be strings.
12684                                                             namespaces:  # Static list of namespace names for this preferred anti-affinity term; the description states it is unioned with whatever namespaceSelector selects.
12685                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12686                                                               type: array
12687                                                               items:
12688                                                                 type: string  # Entries are plain strings; this schema declares no pattern or length limit for them.
12689                                                             topologyKey:  # Node label key whose value defines what "co-located" means; the only field podAffinityTerm lists as required.
12690                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12691                                                               type: string  # The description forbids an empty value, but no minLength is declared here.
12692                                                         weight:  # Integer weight paired with the sibling podAffinityTerm; both are required on each list item.
12693                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
12694                                                           type: integer  # The 1-100 range is stated only in the description; no minimum/maximum is declared in this schema.
12695                                                           format: int32  # NOTE(review): the range is presumably checked when the resulting pod is validated - confirm.
12696                                                   requiredDuringSchedulingIgnoredDuringExecution:
12697                                                     description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
12698                                                     type: array
12699                                                     items:
12700                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
12701                                                       type: object
12702                                                       required:
12703                                                         - topologyKey
12704                                                       properties:
12705                                                         labelSelector:  # Label query that picks the pods this required anti-affinity term refers to.
12706                                                           description: A label query over a set of resources, in this case pods.
12707                                                           type: object
12708                                                           properties:
12709                                                             matchExpressions:  # List of key/operator/values requirements; per the description they are ANDed.
12710                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12711                                                               type: array
12712                                                               items:
12713                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12714                                                                 type: object
12715                                                                 required:  # Each requirement must carry key and operator; values is optional at schema level.
12716                                                                   - key
12717                                                                   - operator
12718                                                                 properties:
12719                                                                   key:
12720                                                                     description: key is the label key that the selector applies to.
12721                                                                     type: string
12722                                                                   operator:
12723                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12724                                                                     type: string  # Free-form string here: the four valid operators are named in the description, not in an enum.
12725                                                                   values:
12726                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12727                                                                     type: array  # The operator-dependent empty/non-empty rule is described but not expressed in this schema.
12728                                                                     items:
12729                                                                       type: string
12730                                                             matchLabels:  # Map form of the same query; each entry is described as equivalent to an "In" requirement with one value.
12731                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12732                                                               type: object
12733                                                               additionalProperties:
12734                                                                 type: string  # Map values must be strings.
12735                                                         namespaceSelector:  # Label query over namespaces; its result is unioned with the static namespaces list (see description).
12736                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
12737                                                           type: object  # Per the description an empty object matches all namespaces, widening the term to pods in every namespace; review manifests that set it to {}.
12738                                                           properties:
12739                                                             matchExpressions:  # List of key/operator/values requirements on namespace labels; per the description they are ANDed.
12740                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
12741                                                               type: array
12742                                                               items:
12743                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
12744                                                                 type: object
12745                                                                 required:  # Each requirement must carry key and operator; values is optional at schema level.
12746                                                                   - key
12747                                                                   - operator
12748                                                                 properties:
12749                                                                   key:
12750                                                                     description: key is the label key that the selector applies to.
12751                                                                     type: string
12752                                                                   operator:
12753                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
12754                                                                     type: string  # Free-form string here: the four valid operators are named in the description, not in an enum.
12755                                                                   values:
12756                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
12757                                                                     type: array  # The operator-dependent empty/non-empty rule is described but not expressed in this schema.
12758                                                                     items:
12759                                                                       type: string
12760                                                             matchLabels:  # Map form of the same query; each entry is described as equivalent to an "In" requirement with one value.
12761                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
12762                                                               type: object
12763                                                               additionalProperties:
12764                                                                 type: string  # Map values must be strings.
12765                                                         namespaces:
12766                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
12767                                                           type: array
12768                                                           items:
12769                                                             type: string
12770                                                         topologyKey:
12771                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
12772                                                           type: string
12773                                           nodeSelector:
12774                                             description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
12775                                             type: object
12776                                             additionalProperties:
12777                                               type: string
12778                                           priorityClassName:
12779                                             description: If specified, the pod's priorityClassName.
12780                                             type: string
12781                                           serviceAccountName:
                                                  # Free-form string: no pattern or enum is declared, so the schema
                                                  # does not check that the named account exists.
                                                  # NOTE(review): presumably this is the ACME HTTP01 solver pod (the
                                                  # enclosing template is outside this excerpt). The pod would run
                                                  # with whatever RBAC is bound to the named account, so prefer an
                                                  # account with no extra role bindings - confirm against the caller.
12782                                             description: If specified, the pod's service account
12783                                             type: string
12784                                           tolerations:
12785                                             description: If specified, the pod's tolerations.
12786                                             type: array
12787                                             items:
12788                                               description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
12789                                               type: object
12790                                               properties:
12791                                                 effect:
12792                                                   description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
12793                                                   type: string
12794                                                 key:
12795                                                   description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
12796                                                   type: string
12797                                                 operator:
12798                                                   description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
12799                                                   type: string
12800                                                 tolerationSeconds:
12801                                                   description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
12802                                                   type: integer
12803                                                   format: int64
12804                                                 value:
12805                                                   description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
12806                                                   type: string
12807                                   serviceType:
                                        # Security note: per the description, leaving this unset yields
                                        # NodePort, which opens a port on every node for the solver
                                        # Service. ClusterIP keeps the Service cluster-internal; whether it
                                        # is usable depends on how the ingress controller reaches backends
                                        # (verify per cluster).
                                        # No enum is declared, so schema validation accepts any string.
12808                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
12809                                     type: string
12810                           selector:
12811                             description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
12812                             type: object
12813                             properties:
12814                               dnsNames:
12815                                 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
12816                                 type: array
12817                                 items:
12818                                   type: string
12819                               dnsZones:
12820                                 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
12821                                 type: array
12822                                 items:
12823                                   type: string
12824                               matchLabels:
12825                                 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
12826                                 type: object
12827                                 additionalProperties:
12828                                   type: string
12829                 ca:
                        # The Secret named by secretName holds the CA signing keypair (see
                        # the description below), so read access to that Secret is enough
                        # to sign certificates as this CA. Keep RBAC on it as narrow as
                        # possible and audit reads by identities other than the controller.
12830                   description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
12831                   type: object
12832                   required:
12833                     - secretName
12834                   properties:
12835                     crlDistributionPoints:
                            # Items are plain strings; no URL format or pattern is declared,
                            # so malformed values are not rejected by this schema.
12836                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
12837                       type: array
12838                       items:
12839                         type: string
12840                     ocspServers:
                            # Also unvalidated strings at the schema level. If neither this
                            # nor crlDistributionPoints is set, issued certificates carry no
                            # revocation pointers (per the two descriptions).
12841                       description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
12842                       type: array
12843                       items:
12844                         type: string
12845                     secretName:
                            # Only required field. It is a bare name with no namespace
                            # property. NOTE(review): which namespace the Secret is read
                            # from is not stated here - confirm against the controller.
12846                       description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
12847                       type: string
12848                 selfSigned:
                        # Per the description, the certificate is signed with the private
                        # key of the request itself, so no separate CA vouches for it.
                        # Relying parties have to be given the certificate as a trust
                        # anchor explicitly; it proves key possession, not identity.
                        # No properties are required, so an empty mapping ({}) is valid.
12849                   description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
12850                   type: object
12851                   properties:
12852                     crlDistributionPoints:
                            # Plain string items; no URL format or pattern is declared.
12853                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
12854                       type: array
12855                       items:
12856                         type: string
12857                 vault:
                        # Required: auth, path and server. Credential material (AppRole
                        # secret, ServiceAccount JWT, token) is referenced by Secret
                        # name/key; roleId, role, path and server are inline strings that
                        # anyone allowed to read the Issuer can see.
12858                   description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
12859                   type: object
12860                   required:
12861                     - auth
12862                     - path
12863                     - server
12864                   properties:
12865                     auth:
                            # Three mechanisms are defined: appRole, kubernetes and
                            # tokenSecretRef. No oneOf/required is declared on this object,
                            # so the schema accepts none or several at once. Presumably the
                            # controller or webhook validates this - confirm.
12866                       description: Auth configures how cert-manager authenticates with the Vault server.
12867                       type: object
12868                       properties:
12869                         appRole:
12870                           description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
12871                           type: object
12872                           required:
12873                             - path
12874                             - roleId
12875                             - secretRef
12876                           properties:
12877                             path:
12878                               description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
12879                               type: string
12880                             roleId:
12881                               description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
12882                               type: string
12883                             secretRef:
                                    # The description says `key` must be specified, but only
                                    # `name` is listed under required, so the schema itself
                                    # will not reject a reference that omits `key`.
12884                               description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
12885                               type: object
12886                               required:
12887                                 - name
12888                               properties:
12889                                 key:
12890                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12891                                   type: string
12892                                 name:
12893                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12894                                   type: string
12895                         kubernetes:
12896                           description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
12897                           type: object
12898                           required:
12899                             - role
12900                             - secretRef
12901                           properties:
12902                             mountPath:
12903                               description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
12904                               type: string
12905                             role:
12906                               description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
12907                               type: string
12908                             secretRef:
                                    # The JWT is read from a Secret and sent to Vault. Per the
                                    # description ambient credentials are not supported, so
                                    # the token must be provisioned and protected as a Secret.
12909                               description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
12910                               type: object
12911                               required:
12912                                 - name
12913                               properties:
12914                                 key:
12915                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12916                                   type: string
12917                                 name:
12918                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12919                                   type: string
12920                         tokenSecretRef:
                                # A Vault token read from a Secret.
                                # NOTE(review): token lifetime and renewal are not described
                                # in this schema - confirm how expiry is handled.
12921                           description: TokenSecretRef authenticates with Vault by presenting a token.
12922                           type: object
12923                           required:
12924                             - name
12925                           properties:
12926                             key:
12927                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12928                               type: string
12929                             name:
12930                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12931                               type: string
12932                     caBundle:
                            # format: byte means the value is base64 in the manifest. Per the
                            # description it is ignored for plain HTTP servers; in that case
                            # the credentials configured under auth travel to Vault without
                            # TLS. Prefer an https server URL with an explicit bundle.
12933                       description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
12934                       type: string
12935                       format: byte
12936                     namespace:
12937                       description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
12938                       type: string
12939                     path:
12940                       description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
12941                       type: string
12942                     server:
                            # type: string with no pattern, so an http:// address passes
                            # schema validation. Check the scheme in review or with an
                            # admission policy.
12943                       description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
12944                       type: string
12945                 venafi:
                        # zone is the only required field. The descriptions say only one of
                        # tpp or cloud may be specified, but no oneOf is declared, so this
                        # schema alone does not enforce that rule.
12946                   description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
12947                   type: object
12948                   required:
12949                     - zone
12950                   properties:
12951                     cloud:
12952                       description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
12953                       type: object
12954                       required:
12955                         - apiTokenSecretRef
12956                       properties:
12957                         apiTokenSecretRef:
                                # The API token is read from a Secret rather than inlined.
                                # Only `name` is required by the schema; `key` is optional.
12958                           description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
12959                           type: object
12960                           required:
12961                             - name
12962                           properties:
12963                             key:
12964                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
12965                               type: string
12966                             name:
12967                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12968                               type: string
12969                         url:
                                # Plain string with no pattern; the scheme is not checked here.
12970                           description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
12971                           type: string
12972                     tpp:
12973                       description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
12974                       type: object
12975                       required:
12976                         - credentialsRef
12977                         - url
12978                       properties:
12979                         caBundle:
                                # When set, the description says system roots are not used, so
                                # trust is limited to the supplied root. format: byte means
                                # the value is base64 in the manifest.
12980                           description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
12981                           type: string
12982                           format: byte
12983                         credentialsRef:
                                # The Secret must carry 'username' and 'password' keys (per the
                                # description); this reference has a `name` property only.
12984                           description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
12985                           type: object
12986                           required:
12987                             - name
12988                           properties:
12989                             name:
12990                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
12991                               type: string
12992                         url:
                                # Plain string with no pattern; the scheme is not checked here.
12993                           description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
12994                           type: string
12995                     zone:
12996                       description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
12997                       type: string
12998             status:
                    # Controller output, not user configuration: the description states
                    # that it is set and managed automatically.
12999               description: Status of the Issuer. This is set and managed automatically.
13000               type: object
13001               properties:
13002                 acme:
13003                   description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
13004                   type: object
13005                   properties:
13006                     lastRegisteredEmail:
13007                       description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
13008                       type: string
13009                     uri:
13010                       description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
13011                       type: string
13012                 conditions:
                        # NOTE(review): this description mentions CertificateRequest although
                        # the items below are IssuerCondition objects; it looks like a
                        # wording slip in the generated text.
13013                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
13014                   type: array
13015                   items:
13016                     description: IssuerCondition contains condition information for an Issuer.
13017                     type: object
13018                     required:
13019                       - status
13020                       - type
13021                     properties:
13022                       lastTransitionTime:
13023                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
13024                         type: string
13025                         format: date-time
13026                       message:
13027                         description: Message is a human readable description of the details of the last transition, complementing reason.
13028                         type: string
13029                       observedGeneration:
                              # A value lower than .metadata.generation marks the condition
                              # as stale (per the description); consumers that gate on Ready
                              # should compare the two.
13030                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
13031                         type: integer
13032                         format: int64
13033                       reason:
13034                         description: Reason is a brief machine readable explanation for the condition's last transition.
13035                         type: string
13036                       status:
13037                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
13038                         type: string
                              # True and False are quoted so YAML keeps them as strings rather
                              # than booleans; Unknown needs no quoting.
13039                         enum:
13040                           - "True"
13041                           - "False"
13042                           - Unknown
13043                       type:
13044                         description: Type of the condition, known values are (`Ready`).
13045                         type: string
13046       served: true
13047       storage: false
13048     - name: v1beta1
13049       subresources:
13050         status: {}
13051       additionalPrinterColumns:
13052         - jsonPath: .status.conditions[?(@.type=="Ready")].status
13053           name: Ready
13054           type: string
13055         - jsonPath: .status.conditions[?(@.type=="Ready")].message
13056           name: Status
13057           priority: 1
13058           type: string
13059         - jsonPath: .metadata.creationTimestamp
13060           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
13061           name: Age
13062           type: date
13063       schema:
13064         openAPIV3Schema:
13065           description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
13066           type: object
13067           required:
13068             - spec
13069           properties:
13070             apiVersion:
13071               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
13072               type: string
13073             kind:
13074               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
13075               type: string
13076             metadata:
13077               type: object
13078             spec:
13079               description: Desired state of the Issuer resource.
13080               type: object
13081               properties:
13082                 acme:
13083                   description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
13084                   type: object
13085                   required:
13086                     - privateKeySecretRef
13087                     - server
13088                   properties:
13089                     disableAccountKeyGeneration:
13090                       description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
13091                       type: boolean
13092                     email:
13093                       description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
13094                       type: string
13095                     enableDurationFeature:
13096                       description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
13097                       type: boolean
13098                     externalAccountBinding:
                            # keyID is an inline identifier; the MAC key itself is referenced
                            # through keySecretRef and never appears in the Issuer object.
13099                       description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
13100                       type: object
13101                       required:
13102                         - keyID
13103                         - keySecretRef
13104                       properties:
13105                         keyAlgorithm:
                                # Deprecated. The enum is kept for compatibility, but per the
                                # description the algorithm is hardcoded to HS256, so
                                # choosing HS384 or HS512 here should not be read as a
                                # stronger setting.
13106                           description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
13107                           type: string
13108                           enum:
13109                             - HS256
13110                             - HS384
13111                             - HS512
13112                         keyID:
13113                           description: keyID is the ID of the CA key that the External Account is bound to.
13114                           type: string
13115                         keySecretRef:
                                # The Secret holds a symmetric MAC key, so read access to it
                                # is equivalent to holding the external account credential.
                                # The stored value must be un-padded base64url (per the
                                # description); only `name` is required by the schema.
13116                           description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
13117                           type: object
13118                           required:
13119                             - name
13120                           properties:
13121                             key:
13122                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13123                               type: string
13124                             name:
13125                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13126                               type: string
13127                     preferredChain:
                            # A preference, not a trust pin: the description states there is
                            # no guarantee the ACME endpoint delivers this chain, and the
                            # match is on the issuer CN only. Clients must still validate
                            # the chain they receive. maxLength caps the value at 64.
13128                       description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
13129                       type: string
13130                       maxLength: 64
13131                     privateKeySecretRef:
                            # The referenced Secret stores the ACME account private key.
                            # Whoever can read it can act as this ACME account towards the
                            # server, so restrict and audit access to that Secret.
                            # Only `name` is required; `key` falls back to `tls.key` (per
                            # the description).
13132                       description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
13133                       type: object
13134                       required:
13135                         - name
13136                       properties:
13137                         key:
13138                           description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13139                           type: string
13140                         name:
13141                           description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13142                           type: string
13143                     server:
13144                       description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
13145                       type: string
13146                     skipTLSVerify:  # NOTE(review): true turns off validation of the ACME server's TLS certificate; the description limits this to development environments.
13147                       description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
13148                       type: boolean  # plain boolean with no schema-level restriction; audit deployed issuer resources for skipTLSVerify set to true
13149                     solvers:
13150                       description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
13151                       type: array
13152                       items:
13153                         description: Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.
13154                         type: object
13155                         properties:
13156                           dns01:
13157                             description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
13158                             type: object
13159                             properties:
13160                               acmeDNS:
13161                                 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
13162                                 type: object
13163                                 required:
13164                                   - accountSecretRef
13165                                   - host
13166                                 properties:
13167                                   accountSecretRef:
13168                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13169                                     type: object
13170                                     required:
13171                                       - name
13172                                     properties:
13173                                       key:
13174                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13175                                         type: string
13176                                       name:
13177                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13178                                         type: string
13179                                   host:
13180                                     type: string
13181                               akamai:
13182                                 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
13183                                 type: object
13184                                 required:
13185                                   - accessTokenSecretRef
13186                                   - clientSecretSecretRef
13187                                   - clientTokenSecretRef
13188                                   - serviceConsumerDomain
13189                                 properties:
13190                                   accessTokenSecretRef:
13191                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13192                                     type: object
13193                                     required:
13194                                       - name
13195                                     properties:
13196                                       key:
13197                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13198                                         type: string
13199                                       name:
13200                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13201                                         type: string
13202                                   clientSecretSecretRef:
13203                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13204                                     type: object
13205                                     required:
13206                                       - name
13207                                     properties:
13208                                       key:
13209                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13210                                         type: string
13211                                       name:
13212                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13213                                         type: string
13214                                   clientTokenSecretRef:
13215                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13216                                     type: object
13217                                     required:
13218                                       - name
13219                                     properties:
13220                                       key:
13221                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13222                                         type: string
13223                                       name:
13224                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13225                                         type: string
13226                                   serviceConsumerDomain:
13227                                     type: string
13228                               azureDNS:
13229                                 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
13230                                 type: object
13231                                 required:
13232                                   - resourceGroupName
13233                                   - subscriptionID
13234                                 properties:
13235                                   clientID:
13236                                     description: if both this and ClientSecret are left unset MSI will be used
13237                                     type: string
13238                                   clientSecretSecretRef:
13239                                     description: if both this and ClientID are left unset MSI will be used
13240                                     type: object
13241                                     required:
13242                                       - name
13243                                     properties:
13244                                       key:
13245                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13246                                         type: string
13247                                       name:
13248                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13249                                         type: string
13250                                   environment:
13251                                     type: string
13252                                     enum:
13253                                       - AzurePublicCloud
13254                                       - AzureChinaCloud
13255                                       - AzureGermanCloud
13256                                       - AzureUSGovernmentCloud
13257                                   hostedZoneName:
13258                                     type: string
13259                                   resourceGroupName:
13260                                     type: string
13261                                   subscriptionID:
13262                                     type: string
13263                                   tenantID:
13264                                     description: when specifying ClientID and ClientSecret then this field is also needed
13265                                     type: string
13266                               cloudDNS:
13267                                 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
13268                                 type: object
13269                                 required:
13270                                   - project
13271                                 properties:
13272                                   hostedZoneName:
13273                                     description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
13274                                     type: string
13275                                   project:
13276                                     type: string
13277                                   serviceAccountSecretRef:
13278                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13279                                     type: object
13280                                     required:
13281                                       - name
13282                                     properties:
13283                                       key:
13284                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13285                                         type: string
13286                                       name:
13287                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13288                                         type: string
13289                               cloudflare:  # NOTE(review): this object has no `required` list, so the schema accepts either credential reference, both, or neither.
13290                                 description: Use the Cloudflare API to manage DNS01 challenge records.
13291                                 type: object
13292                                 properties:
13293                                   apiKeySecretRef:  # API key authentication; the description recommends an API token instead because it allows greater control of permissions
13294                                     description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
13295                                     type: object
13296                                     required:
13297                                       - name
13298                                     properties:
13299                                       key:
13300                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13301                                         type: string
13302                                       name:
13303                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13304                                         type: string
13305                                   apiTokenSecretRef:  # preferred credential per the apiKeySecretRef description; limit the token to the DNS permissions the solver needs
13306                                     description: API token used to authenticate with Cloudflare.
13307                                     type: object
13308                                     required:
13309                                       - name
13310                                     properties:
13311                                       key:
13312                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13313                                         type: string
13314                                       name:
13315                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13316                                         type: string
13317                                   email:  # per the description, needed only with API key based authentication
13318                                     description: Email of the account, only required when using API key based authentication.
13319                                     type: string
13320                               cnameStrategy:
13321                                 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
13322                                 type: string
13323                                 enum:
13324                                   - None
13325                                   - Follow
13326                               digitalocean:
13327                                 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
13328                                 type: object
13329                                 required:
13330                                   - tokenSecretRef
13331                                 properties:
13332                                   tokenSecretRef:
13333                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
13334                                     type: object
13335                                     required:
13336                                       - name
13337                                     properties:
13338                                       key:
13339                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13340                                         type: string
13341                                       name:
13342                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13343                                         type: string
13344                               rfc2136:  # NOTE(review): only `nameserver` is required, so the schema accepts a solver with no TSIG key; confirm the DNS server rejects unsigned updates.
13345                                 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
13346                                 type: object
13347                                 required:
13348                                   - nameserver
13349                                 properties:
13350                                   nameserver:
13351                                     description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
13352                                     type: string
13353                                   tsigAlgorithm:  # NOTE(review): the description gives HMACMD5 as the default; set HMACSHA256 or HMACSHA512 explicitly.
13354                                     description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
13355                                     type: string  # free-form string; the supported values are listed in the description only, not as an enum
13356                                   tsigKeyName:  # pairing with tsigSecretSecretRef is stated in the descriptions, not enforced by this schema
13357                                     description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
13358                                     type: string
13359                                   tsigSecretSecretRef:  # reference to the Secret holding the TSIG value; the value itself is not part of this resource
13360                                     description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
13361                                     type: object
13362                                     required:
13363                                       - name
13364                                     properties:
13365                                       key:
13366                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13367                                         type: string
13368                                       name:
13369                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13370                                         type: string
13371                               route53:  # NOTE(review): only `region` is required; every credential field below is optional and falls back as its description states.
13372                                 description: Use the AWS Route53 API to manage DNS01 challenge records.
13373                                 type: object
13374                                 required:
13375                                   - region
13376                                 properties:
13377                                   accessKeyID:  # plain string held in the resource spec, unlike the secret access key below, which is a Secret reference
13378                                     description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
13379                                     type: string
13380                                   hostedZoneID:  # per the description, limits the provider to this one zone and skips the route53:ListHostedZonesByName call
13381                                     description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
13382                                     type: string
13383                                   region:
13384                                     description: Always set the region when using AccessKeyID and SecretAccessKey
13385                                     type: string
13386                                   role:  # NOTE(review): assumed with explicit or inferred credentials per the description; scope the role's policy to the zones used for challenges
13387                                     description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
13388                                     type: string
13389                                   secretAccessKeySecretRef:  # reference to the Secret holding the secret access key; when unset the fallback chain in the description applies
13390                                     description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
13391                                     type: object
13392                                     required:
13393                                       - name
13394                                     properties:
13395                                       key:
13396                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
13397                                         type: string
13398                                       name:
13399                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
13400                                         type: string
13401                               webhook:  # external DNS01 solver addressed by API group name and solver name, both required below
13402                                 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
13403                                 type: object
13404                                 required:
13405                                   - groupName
13406                                   - solverName
13407                                 properties:
13408                                   config:  # NOTE(review): schema-less field, so its contents are not validated by this CRD; keep credentials in a Secret, as the description asks.
13409                                     description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
13410                                     x-kubernetes-preserve-unknown-fields: true  # unknown fields under config are kept rather than pruned
13411                                   groupName:  # per the description, must equal the GroupName set in the webhook provider implementation
13412                                     description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
13413                                     type: string
13414                                   solverName:
13415                                     description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
13416                                     type: string
13417                           http01:
13418                             description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
13419                             type: object
13420                             properties:
13421                               gatewayHTTPRoute:
13422                                 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
13423                                 type: object
13424                                 properties:
13425                                   labels:
13426                                     description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
13427                                     type: object
13428                                     additionalProperties:
13429                                       type: string
13430                                   serviceType:
13431                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
13432                                     type: string
13433                               ingress:
13434                                 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
13435                                 type: object
13436                                 properties:
13437                                   class:
13438                                     description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
13439                                     type: string
13440                                   ingressTemplate:
13441                                     description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
13442                                     type: object
13443                                     properties:
13444                                       metadata:
13445                                         description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
13446                                         type: object
13447                                         properties:
13448                                           annotations:
13449                                             description: Annotations that should be added to the created ACME HTTP01 solver ingress.
13450                                             type: object
13451                                             additionalProperties:
13452                                               type: string
13453                                           labels:
13454                                             description: Labels that should be added to the created ACME HTTP01 solver ingress.
13455                                             type: object
13456                                             additionalProperties:
13457                                               type: string
13458                                   name:
13459                                     description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
13460                                     type: string
13461                                   podTemplate:
13462                                     description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges
13463                                     type: object
13464                                     properties:
13465                                       metadata:
13466                                         description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
13467                                         type: object
13468                                         properties:
13469                                           annotations:
13470                                             description: Annotations that should be added to the create ACME HTTP01 solver pods.
13471                                             type: object
13472                                             additionalProperties:
13473                                               type: string
13474                                           labels:
13475                                             description: Labels that should be added to the created ACME HTTP01 solver pods.
13476                                             type: object
13477                                             additionalProperties:
13478                                               type: string
13479                                       spec:
13480                                         description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
13481                                         type: object
13482                                         properties:
13483                                           affinity:
13484                                             description: If specified, the pod's scheduling constraints
13485                                             type: object
13486                                             properties:
13487                                               nodeAffinity:
13488                                                 description: Describes node affinity scheduling rules for the pod.
13489                                                 type: object
13490                                                 properties:
13491                                                   preferredDuringSchedulingIgnoredDuringExecution:
13492                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
13493                                                     type: array
13494                                                     items:
13495                                                       description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
13496                                                       type: object
13497                                                       required:
13498                                                         - preference
13499                                                         - weight
13500                                                       properties:
13501                                                         preference:
13502                                                           description: A node selector term, associated with the corresponding weight.
13503                                                           type: object
13504                                                           properties:
13505                                                             matchExpressions:
13506                                                               description: A list of node selector requirements by node's labels.
13507                                                               type: array
13508                                                               items:
13509                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13510                                                                 type: object
13511                                                                 required:
13512                                                                   - key
13513                                                                   - operator
13514                                                                 properties:
13515                                                                   key:
13516                                                                     description: The label key that the selector applies to.
13517                                                                     type: string
13518                                                                   operator:
13519                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13520                                                                     type: string
13521                                                                   values:
13522                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13523                                                                     type: array
13524                                                                     items:
13525                                                                       type: string
13526                                                             matchFields:
13527                                                               description: A list of node selector requirements by node's fields.
13528                                                               type: array
13529                                                               items:
13530                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13531                                                                 type: object
13532                                                                 required:
13533                                                                   - key
13534                                                                   - operator
13535                                                                 properties:
13536                                                                   key:
13537                                                                     description: The label key that the selector applies to.
13538                                                                     type: string
13539                                                                   operator:
13540                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13541                                                                     type: string
13542                                                                   values:
13543                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13544                                                                     type: array
13545                                                                     items:
13546                                                                       type: string
13547                                                         weight:
13548                                                           description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
13549                                                           type: integer
13550                                                           format: int32
13551                                                   requiredDuringSchedulingIgnoredDuringExecution:
13552                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
13553                                                     type: object
13554                                                     required:
13555                                                       - nodeSelectorTerms
13556                                                     properties:
13557                                                       nodeSelectorTerms:
13558                                                         description: Required. A list of node selector terms. The terms are ORed.
13559                                                         type: array
13560                                                         items:
13561                                                           description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
13562                                                           type: object
13563                                                           properties:
13564                                                             matchExpressions:
13565                                                               description: A list of node selector requirements by node's labels.
13566                                                               type: array
13567                                                               items:
13568                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13569                                                                 type: object
13570                                                                 required:
13571                                                                   - key
13572                                                                   - operator
13573                                                                 properties:
13574                                                                   key:
13575                                                                     description: The label key that the selector applies to.
13576                                                                     type: string
13577                                                                   operator:
13578                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13579                                                                     type: string
13580                                                                   values:
13581                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13582                                                                     type: array
13583                                                                     items:
13584                                                                       type: string
13585                                                             matchFields:
13586                                                               description: A list of node selector requirements by node's fields.
13587                                                               type: array
13588                                                               items:
13589                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13590                                                                 type: object
13591                                                                 required:
13592                                                                   - key
13593                                                                   - operator
13594                                                                 properties:
13595                                                                   key:
13596                                                                     description: The label key that the selector applies to.
13597                                                                     type: string
13598                                                                   operator:
13599                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
13600                                                                     type: string
13601                                                                   values:
13602                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
13603                                                                     type: array
13604                                                                     items:
13605                                                                       type: string
13606                                               podAffinity:
13607                                                 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
13608                                                 type: object
13609                                                 properties:
13610                                                   preferredDuringSchedulingIgnoredDuringExecution:
13611                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
13612                                                     type: array
13613                                                     items:
13614                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
13615                                                       type: object
13616                                                       required:
13617                                                         - podAffinityTerm
13618                                                         - weight
13619                                                       properties:
13620                                                         podAffinityTerm:
13621                                                           description: Required. A pod affinity term, associated with the corresponding weight.
13622                                                           type: object
13623                                                           required:
13624                                                             - topologyKey
13625                                                           properties:
13626                                                             labelSelector:
13627                                                               description: A label query over a set of resources, in this case pods.
13628                                                               type: object
13629                                                               properties:
13630                                                                 matchExpressions:
13631                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13632                                                                   type: array
13633                                                                   items:
13634                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13635                                                                     type: object
13636                                                                     required:
13637                                                                       - key
13638                                                                       - operator
13639                                                                     properties:
13640                                                                       key:
13641                                                                         description: key is the label key that the selector applies to.
13642                                                                         type: string
13643                                                                       operator:
13644                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13645                                                                         type: string
13646                                                                       values:
13647                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13648                                                                         type: array
13649                                                                         items:
13650                                                                           type: string
13651                                                                 matchLabels:
13652                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13653                                                                   type: object
13654                                                                   additionalProperties:
13655                                                                     type: string
13656                                                             namespaceSelector:
13657                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13658                                                               type: object
13659                                                               properties:
13660                                                                 matchExpressions:
13661                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13662                                                                   type: array
13663                                                                   items:
13664                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13665                                                                     type: object
13666                                                                     required:
13667                                                                       - key
13668                                                                       - operator
13669                                                                     properties:
13670                                                                       key:
13671                                                                         description: key is the label key that the selector applies to.
13672                                                                         type: string
13673                                                                       operator:
13674                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13675                                                                         type: string
13676                                                                       values:
13677                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13678                                                                         type: array
13679                                                                         items:
13680                                                                           type: string
13681                                                                 matchLabels:
13682                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13683                                                                   type: object
13684                                                                   additionalProperties:
13685                                                                     type: string
13686                                                             namespaces:
13687                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13688                                                               type: array
13689                                                               items:
13690                                                                 type: string
13691                                                             topologyKey:
13692                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13693                                                               type: string
13694                                                         weight:
13695                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
13696                                                           type: integer
13697                                                           format: int32
13698                                                   requiredDuringSchedulingIgnoredDuringExecution:
13699                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
13700                                                     type: array
13701                                                     items:
13702                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
13703                                                       type: object
13704                                                       required:
13705                                                         - topologyKey
13706                                                       properties:
13707                                                         labelSelector:
13708                                                           description: A label query over a set of resources, in this case pods.
13709                                                           type: object
13710                                                           properties:
13711                                                             matchExpressions:
13712                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13713                                                               type: array
13714                                                               items:
13715                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13716                                                                 type: object
13717                                                                 required:
13718                                                                   - key
13719                                                                   - operator
13720                                                                 properties:
13721                                                                   key:
13722                                                                     description: key is the label key that the selector applies to.
13723                                                                     type: string
13724                                                                   operator:
13725                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13726                                                                     type: string
13727                                                                   values:
13728                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13729                                                                     type: array
13730                                                                     items:
13731                                                                       type: string
13732                                                             matchLabels:
13733                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13734                                                               type: object
13735                                                               additionalProperties:
13736                                                                 type: string
13737                                                         namespaceSelector:
13738                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13739                                                           type: object
13740                                                           properties:
13741                                                             matchExpressions:
13742                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13743                                                               type: array
13744                                                               items:
13745                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13746                                                                 type: object
13747                                                                 required:
13748                                                                   - key
13749                                                                   - operator
13750                                                                 properties:
13751                                                                   key:
13752                                                                     description: key is the label key that the selector applies to.
13753                                                                     type: string
13754                                                                   operator:
13755                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13756                                                                     type: string
13757                                                                   values:
13758                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13759                                                                     type: array
13760                                                                     items:
13761                                                                       type: string
13762                                                             matchLabels:
13763                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13764                                                               type: object
13765                                                               additionalProperties:
13766                                                                 type: string
13767                                                         namespaces:
13768                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13769                                                           type: array
13770                                                           items:
13771                                                             type: string
13772                                                         topologyKey:
13773                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13774                                                           type: string
13775                                               podAntiAffinity:
13776                                                 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
13777                                                 type: object
13778                                                 properties:
13779                                                   preferredDuringSchedulingIgnoredDuringExecution:
13780                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
13781                                                     type: array
13782                                                     items:
13783                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
13784                                                       type: object
13785                                                       required:
13786                                                         - podAffinityTerm
13787                                                         - weight
13788                                                       properties:
13789                                                         podAffinityTerm:
13790                                                           description: Required. A pod affinity term, associated with the corresponding weight.
13791                                                           type: object
13792                                                           required:
13793                                                             - topologyKey
13794                                                           properties:
13795                                                             labelSelector:
13796                                                               description: A label query over a set of resources, in this case pods.
13797                                                               type: object
13798                                                               properties:
13799                                                                 matchExpressions:
13800                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13801                                                                   type: array
13802                                                                   items:
13803                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13804                                                                     type: object
13805                                                                     required:
13806                                                                       - key
13807                                                                       - operator
13808                                                                     properties:
13809                                                                       key:
13810                                                                         description: key is the label key that the selector applies to.
13811                                                                         type: string
13812                                                                       operator:
13813                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13814                                                                         type: string
13815                                                                       values:
13816                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13817                                                                         type: array
13818                                                                         items:
13819                                                                           type: string
13820                                                                 matchLabels:
13821                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13822                                                                   type: object
13823                                                                   additionalProperties:
13824                                                                     type: string
13825                                                             namespaceSelector:
13826                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13827                                                               type: object
13828                                                               properties:
13829                                                                 matchExpressions:
13830                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13831                                                                   type: array
13832                                                                   items:
13833                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13834                                                                     type: object
13835                                                                     required:
13836                                                                       - key
13837                                                                       - operator
13838                                                                     properties:
13839                                                                       key:
13840                                                                         description: key is the label key that the selector applies to.
13841                                                                         type: string
13842                                                                       operator:
13843                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13844                                                                         type: string
13845                                                                       values:
13846                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13847                                                                         type: array
13848                                                                         items:
13849                                                                           type: string
13850                                                                 matchLabels:
13851                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13852                                                                   type: object
13853                                                                   additionalProperties:
13854                                                                     type: string
13855                                                             namespaces:
13856                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13857                                                               type: array
13858                                                               items:
13859                                                                 type: string
13860                                                             topologyKey:
13861                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13862                                                               type: string
13863                                                         weight:
13864                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
13865                                                           type: integer
13866                                                           format: int32
13867                                                   requiredDuringSchedulingIgnoredDuringExecution:
13868                                                     description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
13869                                                     type: array
13870                                                     items:
13871                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
13872                                                       type: object
13873                                                       required:
13874                                                         - topologyKey
13875                                                       properties:
13876                                                         labelSelector:
13877                                                           description: A label query over a set of resources, in this case pods.
13878                                                           type: object
13879                                                           properties:
13880                                                             matchExpressions:
13881                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13882                                                               type: array
13883                                                               items:
13884                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13885                                                                 type: object
13886                                                                 required:
13887                                                                   - key
13888                                                                   - operator
13889                                                                 properties:
13890                                                                   key:
13891                                                                     description: key is the label key that the selector applies to.
13892                                                                     type: string
13893                                                                   operator:
13894                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13895                                                                     type: string
13896                                                                   values:
13897                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13898                                                                     type: array
13899                                                                     items:
13900                                                                       type: string
13901                                                             matchLabels:
13902                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13903                                                               type: object
13904                                                               additionalProperties:
13905                                                                 type: string
13906                                                         namespaceSelector:
13907                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
13908                                                           type: object
13909                                                           properties:
13910                                                             matchExpressions:
13911                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
13912                                                               type: array
13913                                                               items:
13914                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
13915                                                                 type: object
13916                                                                 required:
13917                                                                   - key
13918                                                                   - operator
13919                                                                 properties:
13920                                                                   key:
13921                                                                     description: key is the label key that the selector applies to.
13922                                                                     type: string
13923                                                                   operator:
13924                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
13925                                                                     type: string
13926                                                                   values:
13927                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
13928                                                                     type: array
13929                                                                     items:
13930                                                                       type: string
13931                                                             matchLabels:
13932                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
13933                                                               type: object
13934                                                               additionalProperties:
13935                                                                 type: string
13936                                                         namespaces:
13937                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
13938                                                           type: array
13939                                                           items:
13940                                                             type: string
13941                                                         topologyKey:
13942                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
13943                                                           type: string
13944                                           nodeSelector:
13945                                             description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
13946                                             type: object
13947                                             additionalProperties:
13948                                               type: string
13949                                           priorityClassName:
13950                                             description: If specified, the pod's priorityClassName.
13951                                             type: string
13952                                           serviceAccountName:
                                                  # Optional name of the service account for the pod; this schema
                                                  # only checks that the value is a string.
                                                  # NOTE(review): the pod presumably runs with whatever RBAC that
                                                  # account holds - prefer a dedicated, minimally privileged
                                                  # account; confirm against the rendered solver pod.
13953                                             description: If specified, the pod's service account
13954                                             type: string
13955                                           tolerations:
13956                                             description: If specified, the pod's tolerations.
13957                                             type: array
13958                                             items:
13959                                               description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
13960                                               type: object
13961                                               properties:
13962                                                 effect:
13963                                                   description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
13964                                                   type: string
13965                                                 key:
13966                                                   description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
13967                                                   type: string
13968                                                 operator:
13969                                                   description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
13970                                                   type: string
13971                                                 tolerationSeconds:
13972                                                   description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
13973                                                   type: integer
13974                                                   format: int64
13975                                                 value:
13976                                                   description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
13977                                                   type: string
13978                                   serviceType:
                                          # Service type for the solver Service. The description names
                                          # NodePort and ClusterIP as the supported values, but this schema
                                          # declares only `type: string` (no enum), so nothing visible here
                                          # rejects other values.
                                          # Security note: leaving this unset defaults to NodePort (per the
                                          # description), which opens a port on every node. Set ClusterIP
                                          # where the ingress controller can reach ClusterIP services -
                                          # TODO confirm for this cluster.
13979                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
13980                                     type: string
13981                           selector:
13982                             description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
13983                             type: object
13984                             properties:
13985                               dnsNames:
13986                                 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
13987                                 type: array
13988                                 items:
13989                                   type: string
13990                               dnsZones:
13991                                 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
13992                                 type: array
13993                                 items:
13994                                   type: string
13995                               matchLabels:
13996                                 description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
13997                                 type: object
13998                                 additionalProperties:
13999                                   type: string
14000                 ca:
                        # Schema for a CA issuer: certificates are signed with a CA keypair
                        # read from the Secret named by secretName (the only required field).
                        # Security note: that Secret holds the signing key, so read access
                        # to it amounts to the ability to issue certificates under this CA;
                        # keep RBAC on the Secret narrow.
14001                   description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
14002                   type: object
14003                   required:
14004                     - secretName
14005                   properties:
                          # Optional revocation pointers. Per the descriptions, when
                          # crlDistributionPoints and ocspServers are unset the issued
                          # certificates carry no CRL or OCSP location. Entries are declared
                          # only as strings; no URL format check is visible here.
14006                     crlDistributionPoints:
14007                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
14008                       type: array
14009                       items:
14010                         type: string
14011                     ocspServers:
14012                       description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
14013                       type: array
14014                       items:
14015                         type: string
14016                     secretName:
14017                       description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
14018                       type: string
14019                 selfSigned:
                        # Schema for a self-signed issuer: per the description, the
                        # certificate is signed with the same private key that created the
                        # CertificateRequest. No field is required.
                        # NOTE(review): a self-signed certificate chains to no CA, so
                        # clients must trust it explicitly; this is usually a way to
                        # bootstrap a CA rather than to serve end-entity certificates -
                        # confirm the intended use.
14020                   description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
14021                   type: object
14022                   properties:
                          # Optional CRL location; when unset the certificate is issued
                          # without one (per the description). Items are plain strings.
14023                     crlDistributionPoints:
14024                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
14025                       type: array
14026                       items:
14027                         type: string
14028                 vault:
                        # Vault issuer. `auth`, `path` and `server` are required by this schema.
                        # The AppRole secret, the ServiceAccount JWT and the Vault token are all
                        # referenced through Kubernetes Secrets; `roleId` is the only auth value
                        # stored inline in the Issuer object.
14029                   description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
14030                   type: object
14031                   required:
14032                     - auth
14033                     - path
14034                     - server
14035                   properties:
14036                     auth:
14037                       description: Auth configures how cert-manager authenticates with the Vault server.
14038                       type: object
                            # Three auth methods are declared below. There is no oneOf or
                            # `required` list across them, so schema validation alone does not
                            # force exactly one to be set.
                            # NOTE(review): presumably checked by the webhook or controller - confirm.
14039                       properties:
14040                         appRole:
14041                           description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
14042                           type: object
14043                           required:
14044                             - path
14045                             - roleId
14046                             - secretRef
14047                           properties:
14048                             path:
14049                               description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
14050                               type: string
14051                             roleId:
14052                               description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
14053                               type: string
14054                             secretRef:
                                    # The description says `key` must be specified, but `required`
                                    # below lists only `name`: a missing `key` is not rejected by
                                    # schema validation.
14055                               description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
14056                               type: object
14057                               required:
14058                                 - name
14059                               properties:
14060                                 key:
14061                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14062                                   type: string
14063                                 name:
14064                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14065                                   type: string
14066                         kubernetes:
14067                           description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
14068                           type: object
14069                           required:
14070                             - role
14071                             - secretRef
14072                           properties:
14073                             mountPath:
14074                               description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
14075                               type: string
14076                             role:
14077                               description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
14078                               type: string
14079                             secretRef:
                                    # The referenced Secret holds a ServiceAccount JWT, i.e. a bearer
                                    # credential for Vault; restrict RBAC read access to it accordingly.
                                    # Only `name` is required by the schema.
14080                               description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
14081                               type: object
14082                               required:
14083                                 - name
14084                               properties:
14085                                 key:
14086                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14087                                   type: string
14088                                 name:
14089                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14090                                   type: string
14091                         tokenSecretRef:
                                # Static Vault token read from a Secret. This schema carries no
                                # expiry or renewal setting for it, so token lifetime has to be
                                # managed on the Vault side.
14092                           description: TokenSecretRef authenticates with Vault by presenting a token.
14093                           type: object
14094                           required:
14095                             - name
14096                           properties:
14097                             key:
14098                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14099                               type: string
14100                             name:
14101                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14102                               type: string
14103                     caBundle:
                            # `format: byte` means the value is base64 text. Optional: per the
                            # description, system root certificates are used when it is unset.
14104                       description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
14105                       type: string
14106                       format: byte
14107                     namespace:
14108                       description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
14109                       type: string
14110                     path:
14111                       description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
14112                       type: string
14113                     server:
                            # Plain string with no pattern, so an `http://` address passes schema
                            # validation. The caBundle description states the bundle is ignored
                            # for plain HTTP; use an https:// address so the Vault credentials
                            # above are only sent over a verified TLS connection.
14114                       description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
14115                       type: string
14116                 venafi:
                        # Venafi issuer. Only `zone` is required here. The descriptions say
                        # only one of `tpp` or `cloud` may be specified, but this schema has
                        # no oneOf to enforce that.
                        # NOTE(review): presumably validated by the webhook or controller - confirm.
14117                   description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
14118                   type: object
14119                   required:
14120                     - zone
14121                   properties:
14122                     cloud:
14123                       description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
14124                       type: object
14125                       required:
14126                         - apiTokenSecretRef
14127                       properties:
14128                         apiTokenSecretRef:
14129                           description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
14130                           type: object
14131                           required:
14132                             - name
14133                           properties:
14134                             key:
14135                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14136                               type: string
14137                             name:
14138                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14139                               type: string
14140                         url:
14141                           description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
14142                           type: string
14143                     tpp:
14144                       description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
14145                       type: object
14146                       required:
14147                         - credentialsRef
14148                         - url
14149                       properties:
14150                         caBundle:
                                # Base64 text (`format: byte`). Per the description, setting it
                                # replaces the system roots rather than adding to them.
14151                           description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
14152                           type: string
14153                           format: byte
14154                         credentialsRef:
                                # Unlike apiTokenSecretRef above, this selector has no `key`
                                # property: the Secret itself must contain `username` and
                                # `password` entries, as the description states.
14155                           description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
14156                           type: object
14157                           required:
14158                             - name
14159                           properties:
14160                             name:
14161                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14162                               type: string
14163                         url:
14164                           description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
14165                           type: string
14166                     zone:
14167                       description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
14168                       type: string
14169             status:
                    # Observed state of the Issuer. Per the description it is set and
                    # managed automatically rather than written by users.
14170               description: Status of the Issuer. This is set and managed automatically.
14171               type: object
14172               properties:
14173                 acme:
14174                   description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
14175                   type: object
14176                   properties:
14177                     lastRegisteredEmail:
14178                       description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the  Issuer
14179                       type: string
14180                     uri:
14181                       description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
14182                       type: string
14183                 conditions:
                        # NOTE(review): the description below names CertificateRequest, while
                        # the items are IssuerCondition objects for an Issuer - this looks like
                        # a copy-paste slip in the generated text.
14184                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
14185                   type: array
14186                   items:
14187                     description: IssuerCondition contains condition information for an Issuer.
14188                     type: object
14189                     required:
14190                       - status
14191                       - type
14192                     properties:
14193                       lastTransitionTime:
14194                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
14195                         type: string
14196                         format: date-time
14197                       message:
14198                         description: Message is a human readable description of the details of the last transition, complementing reason.
14199                         type: string
14200                       observedGeneration:
14201                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
14202                         type: integer
14203                         format: int64
14204                       reason:
14205                         description: Reason is a brief machine readable explanation for the condition's last transition.
14206                         type: string
14207                       status:
14208                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
14209                         type: string
                              # "True" and "False" are quoted so YAML parsers keep them as
                              # strings instead of coercing them to booleans; `Unknown` is not
                              # a YAML boolean and needs no quoting.
14210                         enum:
14211                           - "True"
14212                           - "False"
14213                           - Unknown
14214                       type:
14215                         description: Type of the condition, known values are (`Ready`).
14216                         type: string
14217       served: true
14218       storage: false
14219     - name: v1
14220       subresources:
14221         status: {}
14222       additionalPrinterColumns:
              # Extra columns for `kubectl get`. Ready and Status both filter
              # .status.conditions for the entry whose type is "Ready"; Status has
              # priority 1, which kubectl shows only in wide output.
14223         - jsonPath: .status.conditions[?(@.type=="Ready")].status
14224           name: Ready
14225           type: string
14226         - jsonPath: .status.conditions[?(@.type=="Ready")].message
14227           name: Status
14228           priority: 1
14229           type: string
14230         - jsonPath: .metadata.creationTimestamp
14231           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
14232           name: Age
14233           type: date
14234       schema:
14235         openAPIV3Schema:
14236           description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
14237           type: object
14238           required:
14239             - spec
14240           properties:
14241             apiVersion:
14242               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
14243               type: string
14244             kind:
14245               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
14246               type: string
14247             metadata:
14248               type: object
14249             spec:
14250               description: Desired state of the Issuer resource.
14251               type: object
14252               properties:
14253                 acme:
14254                   description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
14255                   type: object
14256                   required:
14257                     - privateKeySecretRef
14258                     - server
14259                   properties:
14260                     disableAccountKeyGeneration:
14261                       description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
14262                       type: boolean
14263                     email:
14264                       description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
14265                       type: string
14266                     enableDurationFeature:
14267                       description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
14268                       type: boolean
14269                     externalAccountBinding:
                            # `keyID` and `keySecretRef` are required. The symmetric MAC key is
                            # referenced through a Secret; only the key ID is stored inline.
14270                       description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
14271                       type: object
14272                       required:
14273                         - keyID
14274                         - keySecretRef
14275                       properties:
14276                         keyAlgorithm:
                                # Deprecated per the description, which says the algorithm is
                                # hardcoded to HS256. The enum still accepts all three values,
                                # so HS384 or HS512 here passes validation.
14277                           description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
14278                           type: string
14279                           enum:
14280                             - HS256
14281                             - HS384
14282                             - HS512
14283                         keyID:
14284                           description: keyID is the ID of the CA key that the External Account is bound to.
14285                           type: string
14286                         keySecretRef:
                                # Only `name` is required by the schema. The description requires
                                # the stored value to be un-padded base64 URL encoded data; that
                                # encoding is not something this schema can check.
14287                           description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
14288                           type: object
14289                           required:
14290                             - name
14291                           properties:
14292                             key:
14293                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14294                               type: string
14295                             name:
14296                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14297                               type: string
14298                     preferredChain:
14299                       description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
14300                       type: string
14301                       maxLength: 64
14302                     privateKeySecretRef:
                            # Names the Secret that stores the ACME account private key. Only
                            # `name` is required; per the description, `key` defaults to
                            # `tls.key` when omitted. Restrict read access to this Secret.
14303                       description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
14304                       type: object
14305                       required:
14306                         - name
14307                       properties:
14308                         key:
14309                           description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14310                           type: string
14311                         name:
14312                           description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14313                           type: string
14314                     server:
                            # Plain string with no pattern: the schema does not restrict the URL
                            # scheme or host. Certificate validation for this endpoint is
                            # controlled by the separate `skipTLSVerify` field.
14315                       description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
14316                       type: string
14317                     skipTLSVerify:
                            # Security-sensitive: `true` turns off TLS certificate validation for
                            # the ACME server. The description limits this to development
                            # environments and the default is false; any Issuer manifest that
                            # sets it to true is worth flagging in review.
14318                       description: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.
14319                       type: boolean
14320                     solvers:
14321                       description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
14322                       type: array
14323                       items:
14324                         description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
14325                         type: object
14326                         properties:
14327                           dns01:
14328                             description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
14329                             type: object
14330                             properties:
14331                               acmeDNS:
                                      # `accountSecretRef` and `host` are required. `host` has no
                                      # description or pattern in this schema.
                                      # NOTE(review): presumably the acme-dns server address - confirm.
14332                                 description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
14333                                 type: object
14334                                 required:
14335                                   - accountSecretRef
14336                                   - host
14337                                 properties:
14338                                   accountSecretRef:
14339                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14340                                     type: object
14341                                     required:
14342                                       - name
14343                                     properties:
14344                                       key:
14345                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14346                                         type: string
14347                                       name:
14348                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14349                                         type: string
14350                                   host:
14351                                     type: string
14352                               akamai:
                                      # All three secret references and `serviceConsumerDomain` are
                                      # required. Each selector requires only `name`; `key` is
                                      # optional at the schema level even though the description
                                      # notes it is sometimes required.
14353                                 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
14354                                 type: object
14355                                 required:
14356                                   - accessTokenSecretRef
14357                                   - clientSecretSecretRef
14358                                   - clientTokenSecretRef
14359                                   - serviceConsumerDomain
14360                                 properties:
14361                                   accessTokenSecretRef:
14362                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14363                                     type: object
14364                                     required:
14365                                       - name
14366                                     properties:
14367                                       key:
14368                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14369                                         type: string
14370                                       name:
14371                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14372                                         type: string
14373                                   clientSecretSecretRef:
14374                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14375                                     type: object
14376                                     required:
14377                                       - name
14378                                     properties:
14379                                       key:
14380                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14381                                         type: string
14382                                       name:
14383                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14384                                         type: string
14385                                   clientTokenSecretRef:
14386                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14387                                     type: object
14388                                     required:
14389                                       - name
14390                                     properties:
14391                                       key:
14392                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14393                                         type: string
14394                                       name:
14395                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14396                                         type: string
14397                                   serviceConsumerDomain:
14398                                     type: string
14399                               azureDNS:
                                      # Only `resourceGroupName` and `subscriptionID` are required.
                                      # Per the field descriptions, leaving both `clientID` and
                                      # `clientSecretSecretRef` unset selects MSI instead of a
                                      # stored client secret, and `tenantID` is needed when they
                                      # are set. The schema does not enforce that pairing, so a
                                      # manifest with only one of the two passes validation.
14400                                 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
14401                                 type: object
14402                                 required:
14403                                   - resourceGroupName
14404                                   - subscriptionID
14405                                 properties:
14406                                   clientID:
14407                                     description: if both this and ClientSecret are left unset MSI will be used
14408                                     type: string
14409                                   clientSecretSecretRef:
14410                                     description: if both this and ClientID are left unset MSI will be used
14411                                     type: object
14412                                     required:
14413                                       - name
14414                                     properties:
14415                                       key:
14416                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14417                                         type: string
14418                                       name:
14419                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14420                                         type: string
14421                                   environment:
                                        # Closed set: any value outside these four is rejected by
                                        # schema validation.
14422                                     type: string
14423                                     enum:
14424                                       - AzurePublicCloud
14425                                       - AzureChinaCloud
14426                                       - AzureGermanCloud
14427                                       - AzureUSGovernmentCloud
14428                                   hostedZoneName:
14429                                     type: string
14430                                   resourceGroupName:
14431                                     type: string
14432                                   subscriptionID:
14433                                     type: string
14434                                   tenantID:
14435                                     description: when specifying ClientID and ClientSecret then this field is also needed
14436                                     type: string
14437                               cloudDNS:
                                      # Only `project` is required; `serviceAccountSecretRef` is
                                      # optional in this schema.
                                      # NOTE(review): presumably ambient credentials are used when it
                                      # is omitted - confirm against the cert-manager documentation.
14438                                 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
14439                                 type: object
14440                                 required:
14441                                   - project
14442                                 properties:
14443                                   hostedZoneName:
14444                                     description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
14445                                     type: string
14446                                   project:
14447                                     type: string
14448                                   serviceAccountSecretRef:
14449                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14450                                     type: object
14451                                     required:
14452                                       - name
14453                                     properties:
14454                                       key:
14455                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14456                                         type: string
14457                                       name:
14458                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14459                                         type: string
14460                               cloudflare:
14461                                 description: Use the Cloudflare API to manage DNS01 challenge records.
14462                                 type: object
14463                                 properties:
14464                                   apiKeySecretRef:
14465                                     description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
14466                                     type: object
14467                                     required:
14468                                       - name
14469                                     properties:
14470                                       key:
14471                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14472                                         type: string
14473                                       name:
14474                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14475                                         type: string
14476                                   apiTokenSecretRef:
14477                                     description: API token used to authenticate with Cloudflare.
14478                                     type: object
14479                                     required:
14480                                       - name
14481                                     properties:
14482                                       key:
14483                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14484                                         type: string
14485                                       name:
14486                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14487                                         type: string
14488                                   email:
14489                                     description: Email of the account, only required when using API key based authentication.
14490                                     type: string
14491                               cnameStrategy:
14492                                 description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
14493                                 type: string
14494                                 enum:
14495                                   - None
14496                                   - Follow
14497                               digitalocean:
14498                                 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
14499                                 type: object
14500                                 required:
14501                                   - tokenSecretRef
14502                                 properties:
14503                                   tokenSecretRef:
14504                                     description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
14505                                     type: object
14506                                     required:
14507                                       - name
14508                                     properties:
14509                                       key:
14510                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14511                                         type: string
14512                                       name:
14513                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14514                                         type: string
14515                               rfc2136:
14516                                 description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
14517                                 type: object
14518                                 required:
14519                                   - nameserver
14520                                 properties:
14521                                   nameserver:
14522                                     description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g. [2001:db8::1]); port is optional. This field is required.
14523                                     type: string
14524                                   tsigAlgorithm:
                                          # Security note: per the description below, HMACMD5 is used when this
                                          # field is unset. Set it explicitly to HMACSHA256 or HMACSHA512 where
                                          # the DNS server supports them, so that TSIG-signed dynamic updates
                                          # do not rely on an MD5-based MAC.
14525                                     description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
14526                                     type: string
14527                                   tsigKeyName:
14528                                     description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
14529                                     type: string
14530                                   tsigSecretSecretRef:
14531                                     description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
14532                                     type: object
14533                                     required:
14534                                       - name
14535                                     properties:
14536                                       key:
14537                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14538                                         type: string
14539                                       name:
14540                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14541                                         type: string
14542                               route53:
14543                                 description: Use the AWS Route53 API to manage DNS01 challenge records.
14544                                 type: object
14545                                 required:
14546                                   - region
14547                                 properties:
14548                                   accessKeyID:
14549                                     description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
14550                                     type: string
14551                                   hostedZoneID:
14552                                     description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
14553                                     type: string
14554                                   region:
14555                                     description: Always set the region when using AccessKeyID and SecretAccessKey
14556                                     type: string
14557                                   role:
14558                                     description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
14559                                     type: string
14560                                   secretAccessKeySecretRef:
14561                                     description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
14562                                     type: object
14563                                     required:
14564                                       - name
14565                                     properties:
14566                                       key:
14567                                         description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
14568                                         type: string
14569                                       name:
14570                                         description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
14571                                         type: string
14572                               webhook:
14573                                 description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
14574                                 type: object
14575                                 required:
14576                                   - groupName
14577                                   - solverName
14578                                 properties:
14579                                   config:
14580                                     description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
14581                                     x-kubernetes-preserve-unknown-fields: true
14582                                   groupName:
14583                                     description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
14584                                     type: string
14585                                   solverName:
14586                                     description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
14587                                     type: string
14588                           http01:
14589                             description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
14590                             type: object
14591                             properties:
14592                               gatewayHTTPRoute:
14593                                 description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
14594                                 type: object
14595                                 properties:
14596                                   labels:
14597                                     description: The labels that cert-manager will use when creating the temporary HTTPRoute needed for solving the HTTP-01 challenge. These labels must match the label selector of at least one Gateway.
14598                                     type: object
14599                                     additionalProperties:
14600                                       type: string
14601                                   serviceType:
14602                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
14603                                     type: string
14604                               ingress:
14605                                 description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
14606                                 type: object
14607                                 properties:
14608                                   class:
14609                                     description: The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of 'class' or 'name' may be specified.
14610                                     type: string
14611                                   ingressTemplate:
14612                                     description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
14613                                     type: object
14614                                     properties:
14615                                       metadata:
14616                                         description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
14617                                         type: object
14618                                         properties:
14619                                           annotations:
14620                                             description: Annotations that should be added to the created ACME HTTP01 solver ingress.
14621                                             type: object
14622                                             additionalProperties:
14623                                               type: string
14624                                           labels:
14625                                             description: Labels that should be added to the created ACME HTTP01 solver ingress.
14626                                             type: object
14627                                             additionalProperties:
14628                                               type: string
14629                                   name:
14630                                     description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources.
14631                                     type: string
14632                                   podTemplate:
14633                                     description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
14634                                     type: object
14635                                     properties:
14636                                       metadata:
14637                                         description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
14638                                         type: object
14639                                         properties:
14640                                           annotations:
14641                                             description: Annotations that should be added to the created ACME HTTP01 solver pods.
14642                                             type: object
14643                                             additionalProperties:
14644                                               type: string
14645                                           labels:
14646                                             description: Labels that should be added to the created ACME HTTP01 solver pods.
14647                                             type: object
14648                                             additionalProperties:
14649                                               type: string
14650                                       spec:
14651                                         description: PodSpec defines overrides for the HTTP01 challenge solver pod. Only the 'priorityClassName', 'nodeSelector', 'affinity', 'serviceAccountName' and 'tolerations' fields are supported currently. All other fields will be ignored.
14652                                         type: object
14653                                         properties:
14654                                           affinity:
14655                                             description: If specified, the pod's scheduling constraints
14656                                             type: object
14657                                             properties:
14658                                               nodeAffinity:
14659                                                 description: Describes node affinity scheduling rules for the pod.
14660                                                 type: object
14661                                                 properties:
14662                                                   preferredDuringSchedulingIgnoredDuringExecution:
14663                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
14664                                                     type: array
14665                                                     items:
14666                                                       description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
14667                                                       type: object
14668                                                       required:
14669                                                         - preference
14670                                                         - weight
14671                                                       properties:
14672                                                         preference:
14673                                                           description: A node selector term, associated with the corresponding weight.
14674                                                           type: object
14675                                                           properties:
14676                                                             matchExpressions:
14677                                                               description: A list of node selector requirements by node's labels.
14678                                                               type: array
14679                                                               items:
14680                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14681                                                                 type: object
14682                                                                 required:
14683                                                                   - key
14684                                                                   - operator
14685                                                                 properties:
14686                                                                   key:
14687                                                                     description: The label key that the selector applies to.
14688                                                                     type: string
14689                                                                   operator:
14690                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
14691                                                                     type: string
14692                                                                   values:
14693                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14694                                                                     type: array
14695                                                                     items:
14696                                                                       type: string
14697                                                             matchFields:
14698                                                               description: A list of node selector requirements by node's fields.
14699                                                               type: array
14700                                                               items:
14701                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14702                                                                 type: object
14703                                                                 required:
14704                                                                   - key
14705                                                                   - operator
14706                                                                 properties:
14707                                                                   key:
14708                                                                     description: The label key that the selector applies to.
14709                                                                     type: string
14710                                                                   operator:
14711                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
14712                                                                     type: string
14713                                                                   values:
14714                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14715                                                                     type: array
14716                                                                     items:
14717                                                                       type: string
14718                                                         weight:
14719                                                           description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
14720                                                           type: integer
14721                                                           format: int32
14722                                                   requiredDuringSchedulingIgnoredDuringExecution:
14723                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
14724                                                     type: object
14725                                                     required:
14726                                                       - nodeSelectorTerms
14727                                                     properties:
14728                                                       nodeSelectorTerms:
14729                                                         description: Required. A list of node selector terms. The terms are ORed.
14730                                                         type: array
14731                                                         items:
14732                                                           description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
14733                                                           type: object
14734                                                           properties:
14735                                                             matchExpressions:
14736                                                               description: A list of node selector requirements by node's labels.
14737                                                               type: array
14738                                                               items:
14739                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14740                                                                 type: object
14741                                                                 required:
14742                                                                   - key
14743                                                                   - operator
14744                                                                 properties:
14745                                                                   key:
14746                                                                     description: The label key that the selector applies to.
14747                                                                     type: string
14748                                                                   operator:
14749                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
14750                                                                     type: string
14751                                                                   values:
14752                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14753                                                                     type: array
14754                                                                     items:
14755                                                                       type: string
14756                                                             matchFields:
14757                                                               description: A list of node selector requirements by node's fields.
14758                                                               type: array
14759                                                               items:
14760                                                                 description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14761                                                                 type: object
14762                                                                 required:
14763                                                                   - key
14764                                                                   - operator
14765                                                                 properties:
14766                                                                   key:
14767                                                                     description: The label key that the selector applies to.
14768                                                                     type: string
14769                                                                   operator:
14770                                                                     description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
14771                                                                     type: string
14772                                                                   values:
14773                                                                     description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
14774                                                                     type: array
14775                                                                     items:
14776                                                                       type: string
14777                                               podAffinity:
14778                                                 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
14779                                                 type: object
14780                                                 properties:
14781                                                   preferredDuringSchedulingIgnoredDuringExecution:
14782                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
14783                                                     type: array
14784                                                     items:
14785                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
14786                                                       type: object
14787                                                       required:
14788                                                         - podAffinityTerm
14789                                                         - weight
14790                                                       properties:
14791                                                         podAffinityTerm:
14792                                                           description: Required. A pod affinity term, associated with the corresponding weight.
14793                                                           type: object
14794                                                           required:
14795                                                             - topologyKey
14796                                                           properties:
14797                                                             labelSelector:
14798                                                               description: A label query over a set of resources, in this case pods.
14799                                                               type: object
14800                                                               properties:
14801                                                                 matchExpressions:
14802                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14803                                                                   type: array
14804                                                                   items:
14805                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14806                                                                     type: object
14807                                                                     required:
14808                                                                       - key
14809                                                                       - operator
14810                                                                     properties:
14811                                                                       key:
14812                                                                         description: key is the label key that the selector applies to.
14813                                                                         type: string
14814                                                                       operator:
14815                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14816                                                                         type: string
14817                                                                       values:
14818                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14819                                                                         type: array
14820                                                                         items:
14821                                                                           type: string
14822                                                                 matchLabels:
14823                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14824                                                                   type: object
14825                                                                   additionalProperties:
14826                                                                     type: string
14827                                                             namespaceSelector:
14828                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14829                                                               type: object
14830                                                               properties:
14831                                                                 matchExpressions:
14832                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14833                                                                   type: array
14834                                                                   items:
14835                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14836                                                                     type: object
14837                                                                     required:
14838                                                                       - key
14839                                                                       - operator
14840                                                                     properties:
14841                                                                       key:
14842                                                                         description: key is the label key that the selector applies to.
14843                                                                         type: string
14844                                                                       operator:
14845                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14846                                                                         type: string
14847                                                                       values:
14848                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14849                                                                         type: array
14850                                                                         items:
14851                                                                           type: string
14852                                                                 matchLabels:
14853                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14854                                                                   type: object
14855                                                                   additionalProperties:
14856                                                                     type: string
14857                                                             namespaces:
14858                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
14859                                                               type: array
14860                                                               items:
14861                                                                 type: string
14862                                                             topologyKey:
14863                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
14864                                                               type: string
14865                                                         weight:
14866                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
14867                                                           type: integer
14868                                                           format: int32
14869                                                   requiredDuringSchedulingIgnoredDuringExecution:
14870                                                     description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
14871                                                     type: array
14872                                                     items:
14873                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
14874                                                       type: object
14875                                                       required:
14876                                                         - topologyKey
14877                                                       properties:
14878                                                         labelSelector:
14879                                                           description: A label query over a set of resources, in this case pods.
14880                                                           type: object
14881                                                           properties:
14882                                                             matchExpressions:
14883                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14884                                                               type: array
14885                                                               items:
14886                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14887                                                                 type: object
14888                                                                 required:
14889                                                                   - key
14890                                                                   - operator
14891                                                                 properties:
14892                                                                   key:
14893                                                                     description: key is the label key that the selector applies to.
14894                                                                     type: string
14895                                                                   operator:
14896                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14897                                                                     type: string
14898                                                                   values:
14899                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14900                                                                     type: array
14901                                                                     items:
14902                                                                       type: string
14903                                                             matchLabels:
14904                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14905                                                               type: object
14906                                                               additionalProperties:
14907                                                                 type: string
14908                                                         namespaceSelector:
14909                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14910                                                           type: object
14911                                                           properties:
14912                                                             matchExpressions:
14913                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14914                                                               type: array
14915                                                               items:
14916                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14917                                                                 type: object
14918                                                                 required:
14919                                                                   - key
14920                                                                   - operator
14921                                                                 properties:
14922                                                                   key:
14923                                                                     description: key is the label key that the selector applies to.
14924                                                                     type: string
14925                                                                   operator:
14926                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14927                                                                     type: string
14928                                                                   values:
14929                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14930                                                                     type: array
14931                                                                     items:
14932                                                                       type: string
14933                                                             matchLabels:
14934                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14935                                                               type: object
14936                                                               additionalProperties:
14937                                                                 type: string
14938                                                         namespaces:
14939                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
14940                                                           type: array
14941                                                           items:
14942                                                             type: string
14943                                                         topologyKey:
14944                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
14945                                                           type: string
14946                                               podAntiAffinity:
14947                                                 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
14948                                                 type: object
14949                                                 properties:
14950                                                   preferredDuringSchedulingIgnoredDuringExecution:
14951                                                     description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
14952                                                     type: array
14953                                                     items:
14954                                                       description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
14955                                                       type: object
14956                                                       required:
14957                                                         - podAffinityTerm
14958                                                         - weight
14959                                                       properties:
14960                                                         podAffinityTerm:
14961                                                           description: Required. A pod affinity term, associated with the corresponding weight.
14962                                                           type: object
14963                                                           required:
14964                                                             - topologyKey
14965                                                           properties:
14966                                                             labelSelector:
14967                                                               description: A label query over a set of resources, in this case pods.
14968                                                               type: object
14969                                                               properties:
14970                                                                 matchExpressions:
14971                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
14972                                                                   type: array
14973                                                                   items:
14974                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
14975                                                                     type: object
14976                                                                     required:
14977                                                                       - key
14978                                                                       - operator
14979                                                                     properties:
14980                                                                       key:
14981                                                                         description: key is the label key that the selector applies to.
14982                                                                         type: string
14983                                                                       operator:
14984                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
14985                                                                         type: string
14986                                                                       values:
14987                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
14988                                                                         type: array
14989                                                                         items:
14990                                                                           type: string
14991                                                                 matchLabels:
14992                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
14993                                                                   type: object
14994                                                                   additionalProperties:
14995                                                                     type: string
14996                                                             namespaceSelector:
14997                                                               description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
14998                                                               type: object
14999                                                               properties:
15000                                                                 matchExpressions:
15001                                                                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15002                                                                   type: array
15003                                                                   items:
15004                                                                     description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15005                                                                     type: object
15006                                                                     required:
15007                                                                       - key
15008                                                                       - operator
15009                                                                     properties:
15010                                                                       key:
15011                                                                         description: key is the label key that the selector applies to.
15012                                                                         type: string
15013                                                                       operator:
15014                                                                         description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15015                                                                         type: string
15016                                                                       values:
15017                                                                         description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15018                                                                         type: array
15019                                                                         items:
15020                                                                           type: string
15021                                                                 matchLabels:
15022                                                                   description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15023                                                                   type: object
15024                                                                   additionalProperties:
15025                                                                     type: string
15026                                                             namespaces:
15027                                                               description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
15028                                                               type: array
15029                                                               items:
15030                                                                 type: string
15031                                                             topologyKey:
15032                                                               description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
15033                                                               type: string
15034                                                         weight:
15035                                                           description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
15036                                                           type: integer
15037                                                           format: int32
15038                                                   requiredDuringSchedulingIgnoredDuringExecution:
15039                                                     description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
15040                                                     type: array
15041                                                     items:
15042                                                       description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
15043                                                       type: object
15044                                                       required:
15045                                                         - topologyKey
15046                                                       properties:
15047                                                         labelSelector:
15048                                                           description: A label query over a set of resources, in this case pods.
15049                                                           type: object
15050                                                           properties:
15051                                                             matchExpressions:
15052                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15053                                                               type: array
15054                                                               items:
15055                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15056                                                                 type: object
15057                                                                 required:
15058                                                                   - key
15059                                                                   - operator
15060                                                                 properties:
15061                                                                   key:
15062                                                                     description: key is the label key that the selector applies to.
15063                                                                     type: string
15064                                                                   operator:
15065                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15066                                                                     type: string
15067                                                                   values:
15068                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15069                                                                     type: array
15070                                                                     items:
15071                                                                       type: string
15072                                                             matchLabels:
15073                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15074                                                               type: object
15075                                                               additionalProperties:
15076                                                                 type: string
15077                                                         namespaceSelector:
15078                                                           description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
15079                                                           type: object
15080                                                           properties:
15081                                                             matchExpressions:
15082                                                               description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
15083                                                               type: array
15084                                                               items:
15085                                                                 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
15086                                                                 type: object
15087                                                                 required:
15088                                                                   - key
15089                                                                   - operator
15090                                                                 properties:
15091                                                                   key:
15092                                                                     description: key is the label key that the selector applies to.
15093                                                                     type: string
15094                                                                   operator:
15095                                                                     description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
15096                                                                     type: string
15097                                                                   values:
15098                                                                     description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
15099                                                                     type: array
15100                                                                     items:
15101                                                                       type: string
15102                                                             matchLabels:
15103                                                               description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
15104                                                               type: object
15105                                                               additionalProperties:
15106                                                                 type: string
15107                                                         namespaces:
15108                                                           description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
15109                                                           type: array
15110                                                           items:
15111                                                             type: string
15112                                                         topologyKey:
15113                                                           description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
15114                                                           type: string
15115                                           nodeSelector:
15116                                             description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
15117                                             type: object
15118                                             additionalProperties:
15119                                               type: string
15120                                           priorityClassName:
15121                                             description: If specified, the pod's priorityClassName.
15122                                             type: string
15123                                           serviceAccountName:
15124                                             description: If specified, the pod's service account
15125                                             type: string
15126                                           tolerations:
                                                  # Schema for the tolerations list of the pod described by the enclosing
                                                  # template; each item matches taints by <key,value,effect> per the
                                                  # item description below.
15127                                             description: If specified, the pod's tolerations.
15128                                             type: array
15129                                             items:
15130                                               description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
15131                                               type: object
15132                                               properties:
15133                                                 effect:
15134                                                   description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
15135                                                   type: string
                                                      # Review note: an empty key combined with operator Exists tolerates
                                                      # every taint (see the description), which includes taints used to
                                                      # reserve nodes for other workloads; audit any template that sets it.
15136                                                 key:
15137                                                   description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
15138                                                   type: string
15139                                                 operator:
15140                                                   description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
15141                                                   type: string
15142                                                 tolerationSeconds:
15143                                                   description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
15144                                                   type: integer
15145                                                   format: int64
15146                                                 value:
15147                                                   description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
15148                                                   type: string
15149                                   serviceType:
                                          # Review note: the stated default is NodePort, which opens the solver
                                          # service on a port of every node; ClusterIP keeps it cluster-internal
                                          # where the challenge traffic can still reach it that way.
15150                                     description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
15151                                     type: string
15152                           selector:
15153                             description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
15154                             type: object
15155                             properties:
15156                               dnsNames:
15157                                 description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
15158                                 type: array
15159                                 items:
15160                                   type: string
15161                               dnsZones:
15162                                 description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
15163                                 type: array
15164                                 items:
15165                                   type: string
15166                               matchLabels:
15167                                 description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
15168                                 type: object
15169                                 additionalProperties:
15170                                   type: string
15171                 ca:
                        # Issuer type backed by a CA key pair kept in a Secret. Review note:
                        # read access to the Secret named by secretName amounts to the ability
                        # to sign certificates under this CA, so scope RBAC on it tightly.
15172                   description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
15173                   type: object
15174                   required:
15175                     - secretName
15176                   properties:
                          # Both revocation fields below are optional; when unset, issued
                          # certificates carry no CRL or OCSP pointer, so relying parties get
                          # no in-certificate location for checking revocation.
15177                     crlDistributionPoints:
15178                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
15179                       type: array
15180                       items:
15181                         type: string
15182                     ocspServers:
15183                       description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
15184                       type: array
15185                       items:
15186                         type: string
15187                     secretName:
15188                       description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
15189                       type: string
15190                 selfSigned:
                        # Issuer type with no CA: per the description, each certificate is
                        # signed with the private key that created its own request, so nothing
                        # vouches for it and clients must be set up to trust it explicitly.
15191                   description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
15192                   type: object
15193                   properties:
15194                     crlDistributionPoints:
15195                       description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
15196                       type: array
15197                       items:
15198                         type: string
15199                 vault:
                        # Issuer type that delegates signing to a Vault PKI backend; auth, path
                        # and server are the required fields.
15200                   description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
15201                   type: object
15202                   required:
15203                     - auth
15204                     - path
15205                     - server
15206                   properties:
15207                     auth:
                            # Three credential sources are defined below (appRole, kubernetes,
                            # tokenSecretRef), each read from a Kubernetes Secret. None of them
                            # is listed as required under auth, so this schema alone does not
                            # force a choice; restrict read access to whichever Secret is used.
15208                       description: Auth configures how cert-manager authenticates with the Vault server.
15209                       type: object
15210                       properties:
15211                         appRole:
15212                           description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
15213                           type: object
15214                           required:
15215                             - path
15216                             - roleId
15217                             - secretRef
15218                           properties:
15219                             path:
15220                               description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
15221                               type: string
15222                             roleId:
15223                               description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
15224                               type: string
15225                             secretRef:
15226                               description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
15227                               type: object
15228                               required:
15229                                 - name
15230                               properties:
15231                                 key:
15232                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15233                                   type: string
15234                                 name:
15235                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15236                                   type: string
15237                         kubernetes:
15238                           description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
15239                           type: object
15240                           required:
15241                             - role
15242                             - secretRef
15243                           properties:
15244                             mountPath:
15245                               description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
15246                               type: string
15247                             role:
15248                               description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
15249                               type: string
15250                             secretRef:
15251                               description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
15252                               type: object
15253                               required:
15254                                 - name
15255                               properties:
15256                                 key:
15257                                   description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15258                                   type: string
15259                                 name:
15260                                   description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15261                                   type: string
15262                         tokenSecretRef:
15263                           description: TokenSecretRef authenticates with Vault by presenting a token.
15264                           type: object
15265                           required:
15266                             - name
15267                           properties:
15268                             key:
15269                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15270                               type: string
15271                             name:
15272                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15273                               type: string
                          # Review note: caBundle only applies to HTTPS server URLs and is
                          # ignored for plain HTTP (see description). With an http:// server
                          # value the Vault credential and signing requests travel without
                          # TLS. The server field is an unconstrained string here, so the
                          # scheme is not checked by this schema.
15274                     caBundle:
15275                       description: PEM-encoded CA bundle (base64-encoded) used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
15276                       type: string
15277                       format: byte
15278                     namespace:
15279                       description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
15280                       type: string
15281                     path:
15282                       description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
15283                       type: string
15284                     server:
15285                       description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
15286                       type: string
15287                 venafi:
                        # Issuer type that delegates signing to Venafi TPP or Venafi Cloud,
                        # constrained by the required policy zone.
15288                   description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
15289                   type: object
15290                   required:
15291                     - zone
15292                   properties:
                          # The descriptions say only one of cloud / tpp may be specified, but
                          # only zone is listed as required and no mutual-exclusion rule appears
                          # in this schema; presumably that is enforced elsewhere (TODO confirm).
15293                     cloud:
15294                       description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
15295                       type: object
15296                       required:
15297                         - apiTokenSecretRef
15298                       properties:
15299                         apiTokenSecretRef:
15300                           description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
15301                           type: object
15302                           required:
15303                             - name
15304                           properties:
15305                             key:
15306                               description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
15307                               type: string
15308                             name:
15309                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15310                               type: string
15311                         url:
15312                           description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
15313                           type: string
15314                     tpp:
15315                       description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
15316                       type: object
15317                       required:
15318                         - credentialsRef
15319                         - url
15320                       properties:
                              # When caBundle is set, the system roots are not used for the TPP
                              # connection (see description), which pins verification to the
                              # supplied root.
15321                         caBundle:
15322                           description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates.
15323                           type: string
15324                           format: byte
                              # The referenced Secret holds a username/password pair under the
                              # fixed keys 'username' and 'password'; only name is configurable
                              # here. Restrict read access to that Secret.
15325                         credentialsRef:
15326                           description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
15327                           type: object
15328                           required:
15329                             - name
15330                           properties:
15331                             name:
15332                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
15333                               type: string
15334                         url:
15335                           description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
15336                           type: string
15337                     zone:
15338                       description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
15339                       type: string
15340             status:
15341               description: Status of the Issuer. This is set and managed automatically.
15342               type: object
15343               properties:
15344                 acme:
15345                   description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
15346                   type: object
15347                   properties:
15348                     lastRegisteredEmail:
15349                       description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer
15350                       type: string
15351                     uri:
15352                       description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
15353                       type: string
15354                 conditions:  # NOTE(review): this sits under the Issuer status, yet the description below refers to a CertificateRequest; looks copied, confirm against upstream
15355                   description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
15356                   type: array
15357                   items:
15358                     description: IssuerCondition contains condition information for an Issuer.
15359                     type: object
15360                     required:
15361                       - status
15362                       - type
15363                     properties:
15364                       lastTransitionTime:
15365                         description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
15366                         type: string
15367                         format: date-time
15368                       message:
15369                         description: Message is a human readable description of the details of the last transition, complementing reason.
15370                         type: string
15371                       observedGeneration:
15372                         description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
15373                         type: integer
15374                         format: int64
15375                       reason:
15376                         description: Reason is a brief machine readable explanation for the condition's last transition.
15377                         type: string
15378                       status:
15379                         description: Status of the condition, one of (`True`, `False`, `Unknown`).
15380                         type: string
15381                         enum:  # "True" and "False" are quoted so they parse as strings, not YAML booleans
15382                           - "True"
15383                           - "False"
15384                           - Unknown
15385                       type:
15386                         description: Type of the condition, known values are (`Ready`).
15387                         type: string
15388       served: true
15389       storage: true
15390 ---
15391 # Source: cert-manager/templates/templates.out
15392 apiVersion: apiextensions.k8s.io/v1
15393 kind: CustomResourceDefinition
15394 metadata:
15395   name: orders.acme.cert-manager.io
15396   annotations:
15397     cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
15398   labels:
15399     app: 'cert-manager'
15400     app.kubernetes.io/name: 'cert-manager'
15401     app.kubernetes.io/instance: 'cert-manager'
15402     # Generated labels
15403     app.kubernetes.io/version: "v1.5.3"
15404 spec:
15405   group: acme.cert-manager.io
15406   names:
15407     kind: Order
15408     listKind: OrderList
15409     plural: orders
15410     singular: order
15411     categories:
15412       - cert-manager
15413       - cert-manager-acme
15414   scope: Namespaced
15415   conversion:
15416     # The Webhook strategy instructs the API server to call an external webhook for any conversion between custom resource versions.
15417     strategy: Webhook
15418     # `webhook` (with its `clientConfig`) is required when strategy is `Webhook`; it configures the endpoint the API server calls.
15419     webhook:
15420       # `v1beta1` here is a ConversionReview version, not the `v1beta1` entry
15421       # under `versions`. It is not actually supported, but it is listed because
15422       # it is a required value for [Kubernetes v1.16](kubernetes/kubernetes#82023).
15423       # The API server reads the supported versions in order, so it _should always_
15424       # attempt a `v1` request, which the cert-manager webhook understands. Any
15425       # `v1beta1` request will return an error and fail closed for that resource
15426       # (the whole object request is rejected). Remove it once v1.16 is unsupported.
15427       conversionReviewVersions: ["v1", "v1beta1"]
15428       clientConfig:
15429         # No caBundle is set here; presumably it is injected from the Secret named in the cert-manager.io/inject-ca-from-secret annotation above (confirm).
15430         service:
15431           name: 'cert-manager-webhook'
15432           namespace: "cert-manager"
15433           path: /convert
15434           # NOTE(review): conversion depends on this Service being reachable from the API server and on the CA Secret staying trustworthy; limit who can modify either.
15435   versions:
15436     - name: v1alpha2
15437       subresources:
15438         status: {}
15439       additionalPrinterColumns:
15440         - jsonPath: .status.state
15441           name: State
15442           type: string
15443         - jsonPath: .spec.issuerRef.name
15444           name: Issuer
15445           priority: 1
15446           type: string
15447         - jsonPath: .status.reason
15448           name: Reason
15449           priority: 1
15450           type: string
15451         - jsonPath: .metadata.creationTimestamp
15452           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15453           name: Age
15454           type: date
15455       schema:
15456         openAPIV3Schema:
15457           description: Order is a type to represent an Order with an ACME server
15458           type: object
15459           required:
15460             - metadata
15461           properties:
15462             apiVersion:
15463               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15464               type: string
15465             kind:
15466               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15467               type: string
15468             metadata:
15469               type: object
15470             spec:
15471               type: object
15472               required:
15473                 - csr
15474                 - issuerRef
15475               properties:
15476                 commonName:
15477                   description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15478                   type: string
15479                 csr:
15480                   description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15481                   type: string
15482                   format: byte
15483                 dnsNames:
15484                   description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15485                   type: array
15486                   items:
15487                     type: string
15488                 duration:
15489                   description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
15490                   type: string
15491                 ipAddresses:
15492                   description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15493                   type: array
15494                   items:
15495                     type: string
15496                 issuerRef:
15497                   description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15498                   type: object
15499                   required:
15500                     - name
15501                   properties:
15502                     group:
15503                       description: Group of the resource being referred to.
15504                       type: string
15505                     kind:
15506                       description: Kind of the resource being referred to.
15507                       type: string
15508                     name:
15509                       description: Name of the resource being referred to.
15510                       type: string
15511             status:
15512               type: object
15513               properties:
15514                 authorizations:
15515                   description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15516                   type: array
15517                   items:
15518                     description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
15519                     type: object
15520                     required:
15521                       - url
15522                     properties:
15523                       challenges:
15524                         description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15525                         type: array
15526                         items:
15527                           description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15528                           type: object
15529                           required:
15530                             - token
15531                             - type
15532                             - url
15533                           properties:
15534                             token:
15535                               description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15536                               type: string
15537                             type:
15538                               description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15539                               type: string
15540                             url:
15541                               description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15542                               type: string
15543                       identifier:
15544                         description: Identifier is the DNS name to be validated as part of this authorization
15545                         type: string
15546                       initialState:
15547                         description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15548                         type: string
15549                         enum:
15550                           - valid
15551                           - ready
15552                           - pending
15553                           - processing
15554                           - invalid
15555                           - expired
15556                           - errored
15557                       url:
15558                         description: URL is the URL of the Authorization that must be completed
15559                         type: string
15560                       wildcard:
15561                         description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15562                         type: boolean
15563                 certificate:
15564                   description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15565                   type: string
15566                   format: byte
15567                 failureTime:
15568                   description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15569                   type: string
15570                   format: date-time
15571                 finalizeURL:
15572                   description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15573                   type: string
15574                 reason:
15575                   description: Reason optionally provides more information about a why the order is in the current state.
15576                   type: string
15577                 state:
15578                   description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
15579                   type: string
15580                   enum:  # NOTE(review): the description calls 'success' a final state, but no 'success' value is listed below; confirm against upstream
15581                     - valid
15582                     - ready
15583                     - pending
15584                     - processing
15585                     - invalid
15586                     - expired
15587                     - errored
15588                 url:
15589                   description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15590                   type: string
15591       served: true  # v1alpha2 is still accepted by the API server
15592       storage: false  # not the persisted version; requests in this version go through the conversion webhook configured under spec.conversion
15593     - name: v1alpha3
15594       subresources:
15595         status: {}
15596       additionalPrinterColumns:
15597         - jsonPath: .status.state
15598           name: State
15599           type: string
15600         - jsonPath: .spec.issuerRef.name
15601           name: Issuer
15602           priority: 1
15603           type: string
15604         - jsonPath: .status.reason
15605           name: Reason
15606           priority: 1
15607           type: string
15608         - jsonPath: .metadata.creationTimestamp
15609           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15610           name: Age
15611           type: date
15612       schema:
15613         openAPIV3Schema:
15614           description: Order is a type to represent an Order with an ACME server
15615           type: object
15616           required:
15617             - metadata
15618           properties:
15619             apiVersion:
15620               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15621               type: string
15622             kind:
15623               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15624               type: string
15625             metadata:
15626               type: object
15627             spec:
15628               type: object
15629               required:
15630                 - csr
15631                 - issuerRef
15632               properties:
15633                 commonName:
15634                   description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15635                   type: string
15636                 csr:
15637                   description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15638                   type: string
15639                   format: byte
15640                 dnsNames:
15641                   description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15642                   type: array
15643                   items:
15644                     type: string
15645                 duration:
15646                   description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
15647                   type: string
15648                 ipAddresses:
15649                   description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15650                   type: array
15651                   items:
15652                     type: string
15653                 issuerRef:
15654                   description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15655                   type: object
15656                   required:
15657                     - name
15658                   properties:
15659                     group:
15660                       description: Group of the resource being referred to.
15661                       type: string
15662                     kind:
15663                       description: Kind of the resource being referred to.
15664                       type: string
15665                     name:
15666                       description: Name of the resource being referred to.
15667                       type: string
15668             status:
15669               type: object
15670               properties:
15671                 authorizations:
15672                   description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15673                   type: array
15674                   items:
15675                     description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
15676                     type: object
15677                     required:
15678                       - url
15679                     properties:
15680                       challenges:
15681                         description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15682                         type: array
15683                         items:
15684                           description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15685                           type: object
15686                           required:
15687                             - token
15688                             - type
15689                             - url
15690                           properties:
15691                             token:
15692                               description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15693                               type: string
15694                             type:
15695                               description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15696                               type: string
15697                             url:
15698                               description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15699                               type: string
15700                       identifier:
15701                         description: Identifier is the DNS name to be validated as part of this authorization
15702                         type: string
15703                       initialState:
15704                         description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15705                         type: string
15706                         enum:
15707                           - valid
15708                           - ready
15709                           - pending
15710                           - processing
15711                           - invalid
15712                           - expired
15713                           - errored
15714                       url:
15715                         description: URL is the URL of the Authorization that must be completed
15716                         type: string
15717                       wildcard:
15718                         description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15719                         type: boolean
15720                 certificate:
15721                   description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15722                   type: string
15723                   format: byte
15724                 failureTime:
15725                   description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15726                   type: string
15727                   format: date-time
15728                 finalizeURL:
15729                   description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15730                   type: string
15731                 reason:
15732                   description: Reason optionally provides more information about a why the order is in the current state.
15733                   type: string
15734                 state:
15735                   description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
15736                   type: string
15737                   enum:  # NOTE(review): the description calls 'success' a final state, but no 'success' value is listed below; confirm against upstream
15738                     - valid
15739                     - ready
15740                     - pending
15741                     - processing
15742                     - invalid
15743                     - expired
15744                     - errored
15745                 url:
15746                   description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15747                   type: string
15748       served: true  # v1alpha3 is still accepted by the API server
15749       storage: false  # not the persisted version; requests in this version go through the conversion webhook configured under spec.conversion
15750     - name: v1beta1
15751       subresources:
15752         status: {}
15753       additionalPrinterColumns:
15754         - jsonPath: .status.state
15755           name: State
15756           type: string
15757         - jsonPath: .spec.issuerRef.name
15758           name: Issuer
15759           priority: 1
15760           type: string
15761         - jsonPath: .status.reason
15762           name: Reason
15763           priority: 1
15764           type: string
15765         - jsonPath: .metadata.creationTimestamp
15766           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15767           name: Age
15768           type: date
15769       schema:
15770         openAPIV3Schema:
15771           description: Order is a type to represent an Order with an ACME server
15772           type: object
15773           required:
15774             - metadata
15775             - spec
15776           properties:
15777             apiVersion:
15778               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15779               type: string
15780             kind:
15781               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15782               type: string
15783             metadata:
15784               type: object
15785             spec:
15786               type: object
15787               required:
15788                 - issuerRef
15789                 - request
15790               properties:
15791                 commonName:
15792                   description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15793                   type: string
15794                 dnsNames:
15795                   description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15796                   type: array
15797                   items:
15798                     type: string
15799                 duration:
15800                   description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
15801                   type: string
15802                 ipAddresses:
15803                   description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15804                   type: array
15805                   items:
15806                     type: string
15807                 issuerRef:
15808                   description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15809                   type: object
15810                   required:
15811                     - name
15812                   properties:
15813                     group:
15814                       description: Group of the resource being referred to.
15815                       type: string
15816                     kind:
15817                       description: Kind of the resource being referred to.
15818                       type: string
15819                     name:
15820                       description: Name of the resource being referred to.
15821                       type: string
15822                 request:
15823                   description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15824                   type: string
15825                   format: byte
15826             status:
15827               type: object
15828               properties:
15829                 authorizations:
15830                   description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15831                   type: array
15832                   items:
15833                     description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
15834                     type: object
15835                     required:
15836                       - url
15837                     properties:
15838                       challenges:
15839                         description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15840                         type: array
15841                         items:
15842                           description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
15843                           type: object
15844                           required:
15845                             - token
15846                             - type
15847                             - url
15848                           properties:
15849                             token:
15850                               description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
15851                               type: string
15852                             type:
15853                               description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
15854                               type: string
15855                             url:
15856                               description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
15857                               type: string
15858                       identifier:
15859                         description: Identifier is the DNS name to be validated as part of this authorization
15860                         type: string
15861                       initialState:
15862                         description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
15863                         type: string
15864                         enum:
15865                           - valid
15866                           - ready
15867                           - pending
15868                           - processing
15869                           - invalid
15870                           - expired
15871                           - errored
15872                       url:
15873                         description: URL is the URL of the Authorization that must be completed
15874                         type: string
15875                       wildcard:
15876                         description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
15877                         type: boolean
15878                 certificate:
15879                   description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
15880                   type: string
15881                   format: byte
15882                 failureTime:
15883                   description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
15884                   type: string
15885                   format: date-time
15886                 finalizeURL:
15887                   description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
15888                   type: string
15889                 reason:
15890                   description: Reason optionally provides more information about a why the order is in the current state.
15891                   type: string
15892                 state:
15893                   description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
15894                   type: string
15895                   enum:
15896                     - valid
15897                     - ready
15898                     - pending
15899                     - processing
15900                     - invalid
15901                     - expired
15902                     - errored
15903                 url:
15904                   description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
15905                   type: string
15906       served: true
15907       storage: false
15908     - name: v1
15909       subresources:
15910         status: {}
15911       additionalPrinterColumns:
15912         - jsonPath: .status.state
15913           name: State
15914           type: string
15915         - jsonPath: .spec.issuerRef.name
15916           name: Issuer
15917           priority: 1
15918           type: string
15919         - jsonPath: .status.reason
15920           name: Reason
15921           priority: 1
15922           type: string
15923         - jsonPath: .metadata.creationTimestamp
15924           description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
15925           name: Age
15926           type: date
15927       schema:
15928         openAPIV3Schema:
15929           description: Order is a type to represent an Order with an ACME server
15930           type: object
15931           required:
15932             - metadata
15933             - spec
15934           properties:
15935             apiVersion:
15936               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
15937               type: string
15938             kind:
15939               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
15940               type: string
15941             metadata:
15942               type: object
15943             spec:
15944               type: object
15945               required:
15946                 - issuerRef
15947                 - request
15948               properties:
15949                 commonName:
15950                   description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
15951                   type: string
15952                 dnsNames:
15953                   description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15954                   type: array
15955                   items:
15956                     type: string
15957                 duration:
15958                   description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
15959                   type: string
15960                 ipAddresses:
15961                   description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
15962                   type: array
15963                   items:
15964                     type: string
15965                 issuerRef:
15966                   description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
15967                   type: object
15968                   required:
15969                     - name
15970                   properties:
15971                     group:
15972                       description: Group of the resource being referred to.
15973                       type: string
15974                     kind:
15975                       description: Kind of the resource being referred to.
15976                       type: string
15977                     name:
15978                       description: Name of the resource being referred to.
15979                       type: string
15980                 request:
15981                   description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
15982                   type: string
15983                   format: byte
15984             status:
15985               type: object
15986               properties:
15987                 authorizations:
15988                   description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
15989                   type: array
15990                   items:
15991                     description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
15992                     type: object
15993                     required:
15994                       - url
15995                     properties:
15996                       challenges:
15997                         description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
15998                         type: array
15999                         items:
16000                           description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
16001                           type: object
16002                           required:
16003                             - token
16004                             - type
16005                             - url
16006                           properties:
16007                             token:
16008                               description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
16009                               type: string
16010                             type:
16011                               description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
16012                               type: string
16013                             url:
16014                               description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
16015                               type: string
16016                       identifier:
16017                         description: Identifier is the DNS name to be validated as part of this authorization
16018                         type: string
16019                       initialState:
16020                         description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
16021                         type: string
16022                         enum:
16023                           - valid
16024                           - ready
16025                           - pending
16026                           - processing
16027                           - invalid
16028                           - expired
16029                           - errored
16030                       url:
16031                         description: URL is the URL of the Authorization that must be completed
16032                         type: string
16033                       wildcard:
16034                         description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
16035                         type: boolean
16036                 certificate:
16037                   description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
16038                   type: string
16039                   format: byte
16040                 failureTime:
16041                   description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
16042                   type: string
16043                   format: date-time
16044                 finalizeURL:
16045                   description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
16046                   type: string
16047                 reason:
16048                   description: Reason optionally provides more information about a why the order is in the current state.
16049                   type: string
16050                 state:
16051                   description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
16052                   type: string
16053                   enum:
16054                     - valid
16055                     - ready
16056                     - pending
16057                     - processing
16058                     - invalid
16059                     - expired
16060                     - errored
16061                 url:
16062                   description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
16063                   type: string
16064       served: true
16065       storage: true
16066 ---
      # Namespace referenced by the ServiceAccounts and ClusterRoleBinding subjects
      # in this file. No labels or annotations are set on it here.
      # NOTE(review): namespace-level controls (Pod Security admission labels,
      # NetworkPolicy) would have to be added elsewhere - confirm an overlay does so.
16067 apiVersion: v1
16068 kind: Namespace
16069 metadata:
16070   name: cert-manager
16071 ---
16072 # Source: cert-manager/templates/cainjector-serviceaccount.yaml
      # Identity for the cainjector component. The ClusterRoleBinding
      # cert-manager-cainjector in this file binds it to the ClusterRole of the
      # same name, so a token for this account carries cluster-wide permissions.
16073 apiVersion: v1
16074 kind: ServiceAccount
      # Account-level default: pods using this account get its API token mounted
      # unless their pod spec sets automountServiceAccountToken itself.
      # Avoid reusing this account for unrelated workloads.
16075 automountServiceAccountToken: true
16076 metadata:
16077   name: cert-manager-cainjector
16078   namespace: "cert-manager"
16079   labels:
16080     app: cainjector
16081     app.kubernetes.io/name: cainjector
16082     app.kubernetes.io/instance: cert-manager
16083     app.kubernetes.io/component: "cainjector"
16084     app.kubernetes.io/version: "v1.5.3"
16085 ---
16086 # Source: cert-manager/templates/serviceaccount.yaml
      # Identity for the controller component. The ClusterRoleBindings
      # cert-manager-controller-issuers and cert-manager-controller-clusterissuers
      # in this file name it as subject; both roles include create/update/delete
      # on Secrets. Further bindings may follow outside this excerpt.
16087 apiVersion: v1
16088 kind: ServiceAccount
      # Account-level default: pods using this account get its API token mounted
      # unless their pod spec sets automountServiceAccountToken itself.
      # Given the Secrets access above, do not attach this account to other pods.
16089 automountServiceAccountToken: true
16090 metadata:
16091   name: cert-manager
16092   namespace: "cert-manager"
16093   labels:
16094     app: cert-manager
16095     app.kubernetes.io/name: cert-manager
16096     app.kubernetes.io/instance: cert-manager
16097     app.kubernetes.io/component: "controller"
16098     app.kubernetes.io/version: "v1.5.3"
16099 ---
16100 # Source: cert-manager/templates/webhook-serviceaccount.yaml
      # Identity for the webhook component.
      # NOTE(review): the ClusterRole cert-manager-webhook:subjectaccessreviews is
      # defined later in this file, but its binding is not visible here -
      # presumably it targets this account; verify.
16101 apiVersion: v1
16102 kind: ServiceAccount
      # Account-level default: pods using this account get its API token mounted
      # unless their pod spec sets automountServiceAccountToken itself.
16103 automountServiceAccountToken: true
16104 metadata:
16105   name: cert-manager-webhook
16106   namespace: "cert-manager"
16107   labels:
16108     app: webhook
16109     app.kubernetes.io/name: webhook
16110     app.kubernetes.io/instance: cert-manager
16111     app.kubernetes.io/component: "webhook"
16112     app.kubernetes.io/version: "v1.5.3"
16113 ---
16114 # Source: cert-manager/templates/cainjector-rbac.yaml
      # Permissions for ServiceAccount cert-manager/cert-manager-cainjector. The
      # ClusterRoleBinding cert-manager-cainjector in this file grants them in
      # every namespace.
16115 apiVersion: rbac.authorization.k8s.io/v1
16116 kind: ClusterRole
16117 metadata:
16118   name: cert-manager-cainjector
16119   labels:
16120     app: cainjector
16121     app.kubernetes.io/name: cainjector
16122     app.kubernetes.io/instance: cert-manager
16123     app.kubernetes.io/component: "cainjector"
16124     app.kubernetes.io/version: "v1.5.3"
16125 rules:
16126   - apiGroups: ["cert-manager.io"]
16127     resources: ["certificates"]
16128     verbs: ["get", "list", "watch"]
        # Read access to Secrets with no resourceNames restriction. list and watch
        # return Secret contents, so this account can read every Secret the
        # binding covers.
16129   - apiGroups: [""]
16130     resources: ["secrets"]
16131     verbs: ["get", "list", "watch"]
16132   - apiGroups: [""]
16133     resources: ["events"]
16134     verbs: ["get", "create", "update", "patch"]
        # The next three rules grant `update` on whole objects. RBAC cannot limit
        # a verb to one field, so the account can rewrite any part of an admission
        # webhook configuration, APIService or CRD. Audit-log writes to these
        # kinds and alert on any that do not come from this account's own pods.
16135   - apiGroups: ["admissionregistration.k8s.io"]
16136     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
16137     verbs: ["get", "list", "watch", "update"]
16138   - apiGroups: ["apiregistration.k8s.io"]
16139     resources: ["apiservices"]
16140     verbs: ["get", "list", "watch", "update"]
16141   - apiGroups: ["apiextensions.k8s.io"]
16142     resources: ["customresourcedefinitions"]
16143     verbs: ["get", "list", "watch", "update"]
        # NOTE(review): auditregistration.k8s.io was an alpha API that later
        # Kubernetes releases removed (v1.19, as far as I recall); on such clusters
        # this rule matches nothing - confirm before pruning it.
16144   - apiGroups: ["auditregistration.k8s.io"]
16145     resources: ["auditsinks"]
16146     verbs: ["get", "list", "watch", "update"]
16147 ---
16148 # Source: cert-manager/templates/rbac.yaml
16149 # Issuer controller role
      # Bound to ServiceAccount cert-manager/cert-manager by the ClusterRoleBinding
      # cert-manager-controller-issuers in this file, so every rule below applies
      # in all namespaces.
16150 apiVersion: rbac.authorization.k8s.io/v1
16151 kind: ClusterRole
16152 metadata:
16153   name: cert-manager-controller-issuers
16154   labels:
16155     app: cert-manager
16156     app.kubernetes.io/name: cert-manager
16157     app.kubernetes.io/instance: cert-manager
16158     app.kubernetes.io/component: "controller"
16159     app.kubernetes.io/version: "v1.5.3"
16160 rules:
        # Write access to Issuers and their status subresource.
16161   - apiGroups: ["cert-manager.io"]
16162     resources: ["issuers", "issuers/status"]
16163     verbs: ["update"]
16164   - apiGroups: ["cert-manager.io"]
16165     resources: ["issuers"]
16166     verbs: ["get", "list", "watch"]
        # Read, create, update and delete on Secrets with no resourceNames: the
        # most sensitive grant in this role. Any pod running as the bound account
        # inherits it, so keep pod creation and exec in the cert-manager namespace
        # tightly restricted and audit Secret writes made by this account.
16167   - apiGroups: [""]
16168     resources: ["secrets"]
16169     verbs: ["get", "list", "watch", "create", "update", "delete"]
16170   - apiGroups: [""]
16171     resources: ["events"]
16172     verbs: ["create", "patch"]
16173 ---
16174 # Source: cert-manager/templates/rbac.yaml
16175 # ClusterIssuer controller role
      # Bound to ServiceAccount cert-manager/cert-manager by the ClusterRoleBinding
      # cert-manager-controller-clusterissuers in this file, so every rule below
      # applies in all namespaces.
16176 apiVersion: rbac.authorization.k8s.io/v1
16177 kind: ClusterRole
16178 metadata:
16179   name: cert-manager-controller-clusterissuers
16180   labels:
16181     app: cert-manager
16182     app.kubernetes.io/name: cert-manager
16183     app.kubernetes.io/instance: cert-manager
16184     app.kubernetes.io/component: "controller"
16185     app.kubernetes.io/version: "v1.5.3"
16186 rules:
        # Write access to ClusterIssuers and their status subresource.
16187   - apiGroups: ["cert-manager.io"]
16188     resources: ["clusterissuers", "clusterissuers/status"]
16189     verbs: ["update"]
16190   - apiGroups: ["cert-manager.io"]
16191     resources: ["clusterissuers"]
16192     verbs: ["get", "list", "watch"]
        # Same unrestricted Secrets grant as the Issuer controller role: read,
        # create, update and delete, with no resourceNames. Whoever can act as
        # the bound ServiceAccount can read or replace any Secret in the cluster.
16193   - apiGroups: [""]
16194     resources: ["secrets"]
16195     verbs: ["get", "list", "watch", "create", "update", "delete"]
16196   - apiGroups: [""]
16197     resources: ["events"]
16198     verbs: ["create", "patch"]
16199 ---
16200 # Source: cert-manager/templates/rbac.yaml
16201 # Certificates controller role
      # NOTE(review): the binding for this role is outside this excerpt. If it is a
      # ClusterRoleBinding like the issuer ones, every rule here is cluster-wide.
16202 apiVersion: rbac.authorization.k8s.io/v1
16203 kind: ClusterRole
16204 metadata:
16205   name: cert-manager-controller-certificates
16206   labels:
16207     app: cert-manager
16208     app.kubernetes.io/name: cert-manager
16209     app.kubernetes.io/instance: cert-manager
16210     app.kubernetes.io/component: "controller"
16211     app.kubernetes.io/version: "v1.5.3"
16212 rules:
16213   - apiGroups: ["cert-manager.io"]
16214     resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
16215     verbs: ["update"]
16216   - apiGroups: ["cert-manager.io"]
16217     resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
16218     verbs: ["get", "list", "watch"]
16219   # We require these rules to support users with the OwnerReferencesPermissionEnforcement
16220   # admission controller enabled:
16221   # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
16222   - apiGroups: ["cert-manager.io"]
16223     resources: ["certificates/finalizers", "certificaterequests/finalizers"]
16224     verbs: ["update"]
        # Create and delete on ACME Order resources, plus read access.
16225   - apiGroups: ["acme.cert-manager.io"]
16226     resources: ["orders"]
16227     verbs: ["create", "delete", "get", "list", "watch"]
        # Read, create, update and delete on Secrets with no resourceNames.
        # Treat the bound account as able to read and overwrite any Secret in
        # scope, and audit Secret writes attributed to it.
16228   - apiGroups: [""]
16229     resources: ["secrets"]
16230     verbs: ["get", "list", "watch", "create", "update", "delete"]
16231   - apiGroups: [""]
16232     resources: ["events"]
16233     verbs: ["create", "patch"]
16234 ---
16235 # Source: cert-manager/templates/rbac.yaml
16236 # Orders controller role
      # NOTE(review): the binding for this role is outside this excerpt; the scope
      # of the rules below depends on it.
16237 apiVersion: rbac.authorization.k8s.io/v1
16238 kind: ClusterRole
16239 metadata:
16240   name: cert-manager-controller-orders
16241   labels:
16242     app: cert-manager
16243     app.kubernetes.io/name: cert-manager
16244     app.kubernetes.io/instance: cert-manager
16245     app.kubernetes.io/component: "controller"
16246     app.kubernetes.io/version: "v1.5.3"
16247 rules:
16248   - apiGroups: ["acme.cert-manager.io"]
16249     resources: ["orders", "orders/status"]
16250     verbs: ["update"]
16251   - apiGroups: ["acme.cert-manager.io"]
16252     resources: ["orders", "challenges"]
16253     verbs: ["get", "list", "watch"]
16254   - apiGroups: ["cert-manager.io"]
16255     resources: ["clusterissuers", "issuers"]
16256     verbs: ["get", "list", "watch"]
        # Challenges may be created and deleted, but not updated, through this role.
16257   - apiGroups: ["acme.cert-manager.io"]
16258     resources: ["challenges"]
16259     verbs: ["create", "delete"]
16260   # We require these rules to support users with the OwnerReferencesPermissionEnforcement
16261   # admission controller enabled:
16262   # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
16263   - apiGroups: ["acme.cert-manager.io"]
16264     resources: ["orders/finalizers"]
16265     verbs: ["update"]
        # Read-only on Secrets, unlike the issuer and certificates roles. list and
        # watch still return Secret contents, and there is no resourceNames limit.
16266   - apiGroups: [""]
16267     resources: ["secrets"]
16268     verbs: ["get", "list", "watch"]
16269   - apiGroups: [""]
16270     resources: ["events"]
16271     verbs: ["create", "patch"]
16272 ---
16273 # Source: cert-manager/templates/rbac.yaml
16274 # Challenges controller role
      # NOTE(review): the binding for this role is outside this excerpt; the scope
      # of the rules below depends on it.
16275 apiVersion: rbac.authorization.k8s.io/v1
16276 kind: ClusterRole
16277 metadata:
16278   name: cert-manager-controller-challenges
16279   labels:
16280     app: cert-manager
16281     app.kubernetes.io/name: cert-manager
16282     app.kubernetes.io/instance: cert-manager
16283     app.kubernetes.io/component: "controller"
16284     app.kubernetes.io/version: "v1.5.3"
16285 rules:
16286   # Used to update challenge resource status
16287   - apiGroups: ["acme.cert-manager.io"]
16288     resources: ["challenges", "challenges/status"]
16289     verbs: ["update"]
16290   # Used to watch challenge resources
16291   - apiGroups: ["acme.cert-manager.io"]
16292     resources: ["challenges"]
16293     verbs: ["get", "list", "watch"]
16294   # Used to watch challenges, issuer and clusterissuer resources
16295   - apiGroups: ["cert-manager.io"]
16296     resources: ["issuers", "clusterissuers"]
16297     verbs: ["get", "list", "watch"]
16298   # Need to be able to retrieve ACME account private key to complete challenges
        # No resourceNames: the rule covers every Secret in scope, not only ACME
        # account keys.
16299   - apiGroups: [""]
16300     resources: ["secrets"]
16301     verbs: ["get", "list", "watch"]
16302   # Used to create events
16303   - apiGroups: [""]
16304     resources: ["events"]
16305     verbs: ["create", "patch"]
16306   # HTTP01 rules
        # Create and delete on pods and services, and create/update/delete on
        # ingresses and httproutes. With a cluster-wide binding the account can
        # start pods and publish routes in any namespace; pair this with admission
        # policy in namespaces that must not run or expose such workloads.
16307   - apiGroups: [""]
16308     resources: ["pods", "services"]
16309     verbs: ["get", "list", "watch", "create", "delete"]
16310   - apiGroups: ["networking.k8s.io"]
16311     resources: ["ingresses"]
16312     verbs: ["get", "list", "watch", "create", "delete", "update"]
16313   - apiGroups: [ "networking.x-k8s.io" ]
16314     resources: [ "httproutes" ]
16315     verbs: ["get", "list", "watch", "create", "delete", "update"]
16316   # We require the ability to specify a custom hostname when we are creating
16317   # new ingress resources.
16318   # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
16319   - apiGroups: ["route.openshift.io"]
16320     resources: ["routes/custom-host"]
16321     verbs: ["create"]
16322   # We require these rules to support users with the OwnerReferencesPermissionEnforcement
16323   # admission controller enabled:
16324   # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
16325   - apiGroups: ["acme.cert-manager.io"]
16326     resources: ["challenges/finalizers"]
16327     verbs: ["update"]
16328   # DNS01 rules (duplicated above)
        # RBAC rules are additive, so this repeat of the Secrets rule grants
        # nothing beyond the earlier one.
16329   - apiGroups: [""]
16330     resources: ["secrets"]
16331     verbs: ["get", "list", "watch"]
16332 ---
16333 # Source: cert-manager/templates/rbac.yaml
16334 # ingress-shim controller role
      # NOTE(review): the binding for this role is outside this excerpt; the scope
      # of the rules below depends on it.
16335 apiVersion: rbac.authorization.k8s.io/v1
16336 kind: ClusterRole
16337 metadata:
16338   name: cert-manager-controller-ingress-shim
16339   labels:
16340     app: cert-manager
16341     app.kubernetes.io/name: cert-manager
16342     app.kubernetes.io/instance: cert-manager
16343     app.kubernetes.io/component: "controller"
16344     app.kubernetes.io/version: "v1.5.3"
16345 rules:
        # Create, update and delete on Certificates and CertificateRequests.
        # NOTE(review): presumably these are derived from Ingress/Gateway objects;
        # if so, whoever may edit those objects can indirectly request a
        # certificate - confirm, and limit which issuers they can reference.
16346   - apiGroups: ["cert-manager.io"]
16347     resources: ["certificates", "certificaterequests"]
16348     verbs: ["create", "update", "delete"]
16349   - apiGroups: ["cert-manager.io"]
16350     resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
16351     verbs: ["get", "list", "watch"]
        # Ingresses are read-only here; only their finalizers subresource is writable.
16352   - apiGroups: ["networking.k8s.io"]
16353     resources: ["ingresses"]
16354     verbs: ["get", "list", "watch"]
16355   # We require these rules to support users with the OwnerReferencesPermissionEnforcement
16356   # admission controller enabled:
16357   # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
16358   - apiGroups: ["networking.k8s.io"]
16359     resources: ["ingresses/finalizers"]
16360     verbs: ["update"]
16361   - apiGroups: ["networking.x-k8s.io"]
16362     resources: ["gateways", "httproutes"]
16363     verbs: ["get", "list", "watch"]
16364   - apiGroups: ["networking.x-k8s.io"]
16365     resources: ["gateways/finalizers", "httproutes/finalizers"]
16366     verbs: ["update"]
        # This role has no Secrets rule.
16367   - apiGroups: [""]
16368     resources: ["events"]
16369     verbs: ["create", "patch"]
16370 ---
16371 # Source: cert-manager/templates/rbac.yaml
      # Read-only access to cert-manager resources for human users. This role is
      # not bound directly here; the aggregate-to-* labels below let the cluster
      # merge its rules into the built-in view, edit and admin roles.
16372 apiVersion: rbac.authorization.k8s.io/v1
16373 kind: ClusterRole
16374 metadata:
16375   name: cert-manager-view
16376   labels:
16377     app: cert-manager
16378     app.kubernetes.io/name: cert-manager
16379     app.kubernetes.io/instance: cert-manager
16380     app.kubernetes.io/component: "controller"
16381     app.kubernetes.io/version: "v1.5.3"
          # Every subject that already holds view, edit or admin gains the rules
          # below as soon as this manifest is applied.
16382     rbac.authorization.k8s.io/aggregate-to-view: "true"
16383     rbac.authorization.k8s.io/aggregate-to-edit: "true"
16384     rbac.authorization.k8s.io/aggregate-to-admin: "true"
16385 rules:
        # clusterissuers and secrets are not listed, so this role does not add
        # read access to either.
16386   - apiGroups: ["cert-manager.io"]
16387     resources: ["certificates", "certificaterequests", "issuers"]
16388     verbs: ["get", "list", "watch"]
16389   - apiGroups: ["acme.cert-manager.io"]
16390     resources: ["challenges", "orders"]
16391     verbs: ["get", "list", "watch"]
16392 ---
16393 # Source: cert-manager/templates/rbac.yaml
      # Write access to cert-manager resources for human users, merged into the
      # built-in edit and admin roles through the aggregate-to-* labels below.
      # It carries no read verbs; cert-manager-view aggregates into the same roles.
16394 apiVersion: rbac.authorization.k8s.io/v1
16395 kind: ClusterRole
16396 metadata:
16397   name: cert-manager-edit
16398   labels:
16399     app: cert-manager
16400     app.kubernetes.io/name: cert-manager
16401     app.kubernetes.io/instance: cert-manager
16402     app.kubernetes.io/component: "controller"
16403     app.kubernetes.io/version: "v1.5.3"
16404     rbac.authorization.k8s.io/aggregate-to-edit: "true"
16405     rbac.authorization.k8s.io/aggregate-to-admin: "true"
16406 rules:
        # Holders of edit or admin can create Issuers, Certificates and
        # CertificateRequests in the namespaces where they hold that role.
        # NOTE(review): which ClusterIssuers such users may reference is not
        # limited by this rule; if that matters, enforce it with an approval
        # policy - confirm what this deployment uses.
16407   - apiGroups: ["cert-manager.io"]
16408     resources: ["certificates", "certificaterequests", "issuers"]
16409     verbs: ["create", "delete", "deletecollection", "patch", "update"]
16410   - apiGroups: ["acme.cert-manager.io"]
16411     resources: ["challenges", "orders"]
16412     verbs: ["create", "delete", "deletecollection", "patch", "update"]
16413 ---
16414 # Source: cert-manager/templates/rbac.yaml
16415 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
      # NOTE(review): the binding for this role is outside this excerpt; whoever it
      # names can approve requests for every issuer matched below.
16416 apiVersion: rbac.authorization.k8s.io/v1
16417 kind: ClusterRole
16418 metadata:
16419   name: cert-manager-controller-approve:cert-manager-io
16420   labels:
16421     app: cert-manager
16422     app.kubernetes.io/name: cert-manager
16423     app.kubernetes.io/instance: cert-manager
16424     app.kubernetes.io/component: "cert-manager"
16425     app.kubernetes.io/version: "v1.5.3"
16426 rules:
        # `signers` with verb `approve` is a synthetic resource used only for this
        # authorization check. Kubernetes RBAC compares resourceNames as literal
        # strings; the trailing "/*" is presumably given its all-issuers meaning by
        # the component that performs the check - verify against the cert-manager
        # documentation before narrowing or copying this rule.
16427   - apiGroups: ["cert-manager.io"]
16428     resources: ["signers"]
16429     verbs: ["approve"]
16430     resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
16431 ---
16432 # Source: cert-manager/templates/rbac.yaml
16433 # Permission to:
16434 # - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
16435 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
      # NOTE(review): the binding for this role is outside this excerpt.
16436 apiVersion: rbac.authorization.k8s.io/v1
16437 kind: ClusterRole
16438 metadata:
16439   name: cert-manager-controller-certificatesigningrequests
16440   labels:
16441     app: cert-manager
16442     app.kubernetes.io/name: cert-manager
16443     app.kubernetes.io/instance: cert-manager
16444     app.kubernetes.io/component: "cert-manager"
16445     app.kubernetes.io/version: "v1.5.3"
16446 rules:
        # CertificateSigningRequest is cluster-scoped; `update` here and on
        # /status below is what allows writing a signed certificate back.
16447   - apiGroups: ["certificates.k8s.io"]
16448     resources: ["certificatesigningrequests"]
16449     verbs: ["get", "list", "watch", "update"]
16450   - apiGroups: ["certificates.k8s.io"]
16451     resources: ["certificatesigningrequests/status"]
16452     verbs: ["update"]
        # `sign` is limited by resourceNames to signer names under the two
        # cert-manager.io prefixes, so this rule does not authorise signing for
        # other signers such as the kubernetes.io/* ones.
16453   - apiGroups: ["certificates.k8s.io"]
16454     resources: ["signers"]
16455     resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
16456     verbs: ["sign"]
        # Creating a SubjectAccessReview asks the API server whether a given user
        # may perform an action; it does not grant that action to the caller.
16457   - apiGroups: ["authorization.k8s.io"]
16458     resources: ["subjectaccessreviews"]
16459     verbs: ["create"]
16460 ---
16461 # Source: cert-manager/templates/webhook-rbac.yaml
      # Single-purpose role: lets its holder create SubjectAccessReviews.
      # NOTE(review): the binding is outside this excerpt - presumably the
      # cert-manager-webhook ServiceAccount; verify.
16462 apiVersion: rbac.authorization.k8s.io/v1
16463 kind: ClusterRole
16464 metadata:
16465   name: cert-manager-webhook:subjectaccessreviews
16466   labels:
16467     app: webhook
16468     app.kubernetes.io/name: webhook
16469     app.kubernetes.io/instance: cert-manager
16470     app.kubernetes.io/component: "webhook"
16471     app.kubernetes.io/version: "v1.5.3"
16472 rules:
      # The list below is written flush with `rules:` while the other roles in this
      # file indent theirs; both forms parse to the same structure.
      # Creating a SubjectAccessReview only queries whether some user may perform
      # an action; it grants the caller nothing else.
16473 - apiGroups: ["authorization.k8s.io"]
16474   resources: ["subjectaccessreviews"]
16475   verbs: ["create"]
16476 ---
16477 # Source: cert-manager/templates/cainjector-rbac.yaml
      # Cluster-scoped binding: the rules of ClusterRole cert-manager-cainjector
      # apply in every namespace for the single subject listed below.
16478 apiVersion: rbac.authorization.k8s.io/v1
16479 kind: ClusterRoleBinding
16480 metadata:
16481   name: cert-manager-cainjector
16482   labels:
16483     app: cainjector
16484     app.kubernetes.io/name: cainjector
16485     app.kubernetes.io/instance: cert-manager
16486     app.kubernetes.io/component: "cainjector"
16487     app.kubernetes.io/version: "v1.5.3"
16488 roleRef:
16489   apiGroup: rbac.authorization.k8s.io
16490   kind: ClusterRole
16491   name: cert-manager-cainjector
      # Only this ServiceAccount receives the role. Any subject added here would
      # gain cluster-wide Secret reads and webhook/CRD/APIService updates.
16492 subjects:
16493   - name: cert-manager-cainjector
16494     namespace: "cert-manager"
16495     kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Grants the rules of ClusterRole cert-manager-controller-issuers, in every
# namespace, to the cert-manager ServiceAccount of the cert-manager namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: ClusterRole
  name: cert-manager-controller-issuers
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Grants the rules of ClusterRole cert-manager-controller-clusterissuers, in
# every namespace, to the cert-manager ServiceAccount of the cert-manager
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Grants the rules of ClusterRole cert-manager-controller-certificates, in
# every namespace, to the cert-manager ServiceAccount of the cert-manager
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: ClusterRole
  name: cert-manager-controller-certificates
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Grants the rules of ClusterRole cert-manager-controller-orders, in every
# namespace, to the cert-manager ServiceAccount of the cert-manager namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: ClusterRole
  name: cert-manager-controller-orders
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Grants the rules of ClusterRole cert-manager-controller-challenges, in every
# namespace, to the cert-manager ServiceAccount of the cert-manager namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: ClusterRole
  name: cert-manager-controller-challenges
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Grants the rules of ClusterRole cert-manager-controller-ingress-shim, in
# every namespace, to the cert-manager ServiceAccount of the cert-manager
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Grants the rules of ClusterRole cert-manager-controller-approve:cert-manager-io,
# in every namespace, to the cert-manager ServiceAccount of the cert-manager
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: ClusterRole
  name: cert-manager-controller-approve:cert-manager-io
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# Grants the rules of ClusterRole
# cert-manager-controller-certificatesigningrequests (CSR update/sign and
# SubjectAccessReview creation) to the cert-manager ServiceAccount of the
# cert-manager namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: ClusterRole
  name: cert-manager-controller-certificatesigningrequests
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: cert-manager/templates/webhook-rbac.yaml
# Grants ClusterRole cert-manager-webhook:subjectaccessreviews (create on
# SubjectAccessReviews) to the cert-manager-webhook ServiceAccount of the
# cert-manager namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: ClusterRole
  name: cert-manager-webhook:subjectaccessreviews
  apiGroup: rbac.authorization.k8s.io
subjects:
  # ServiceAccount subjects belong to the core API group, hence the empty
  # apiGroup string.
  - kind: ServiceAccount
    name: cert-manager-webhook
    namespace: cert-manager
    apiGroup: ""
---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Leader election rules for the cainjector, scoped to the kube-system namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: cainjector
    app.kubernetes.io/version: v1.5.3
rules:
  # Used for leader election by the controller.
  # cert-manager-cainjector-leader-election is used by the CertificateBased
  # injector controller
  #   see cmd/cainjector/start.go#L113
  # cert-manager-cainjector-leader-election-core is used by the SecretBased
  # injector controller
  #   see cmd/cainjector/start.go#L137
  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
  #
  # Read/modify access is pinned to the two lock names via resourceNames.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - cert-manager-cainjector-leader-election
      - cert-manager-cainjector-leader-election-core
    verbs:
      - get
      - update
      - patch
  # "create" carries no resourceNames, so it covers a ConfigMap of any name
  # in kube-system.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  # Same pair of rules for Lease-based locks.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    resourceNames:
      - cert-manager-cainjector-leader-election
      - cert-manager-cainjector-leader-election-core
    verbs:
      - get
      - update
      - patch
  # As above: "create" covers a Lease of any name in kube-system.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
---
# Source: cert-manager/templates/rbac.yaml
# Leader election rules for the controller, scoped to the kube-system namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
rules:
  # Used for leader election by the controller
  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
  #
  # Read/modify access is pinned to the cert-manager-controller lock object.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - cert-manager-controller
    verbs:
      - get
      - update
      - patch
  # "create" carries no resourceNames, so it covers a ConfigMap of any name
  # in kube-system.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  # Same pair of rules for the Lease-based lock.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    resourceNames:
      - cert-manager-controller
    verbs:
      - get
      - update
      - patch
  # As above: "create" covers a Lease of any name in kube-system.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
---
# Source: cert-manager/templates/webhook-rbac.yaml
# Access to the Secret named cert-manager-webhook-ca in the cert-manager
# namespace. The webhook Deployment in this manifest passes the same name as
# --dynamic-serving-ca-secret-name.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
    app.kubernetes.io/version: v1.5.3
rules:
  # Read and update are limited to the single named Secret.
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - cert-manager-webhook-ca
    verbs:
      - get
      - list
      - watch
      - update
  # It's not possible to grant CREATE permission on a single resourceName,
  # so this rule covers creating a Secret of any name in this namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
---
# Source: cert-manager/templates/cainjector-rbac.yaml
# Grant the cert-manager-cainjector ServiceAccount permission to manage the
# leader election ConfigMaps and Leases in the leader election namespace.
# The binding lives in kube-system while its subject lives in cert-manager.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: cainjector
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: Role
  name: cert-manager-cainjector:leaderelection
  apiGroup: rbac.authorization.k8s.io
subjects:
  - namespace: cert-manager
    name: cert-manager-cainjector
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Grant the cert-manager ServiceAccount permission to manage the leader
# election ConfigMap and Lease in the leader election namespace.
# The binding lives in kube-system while its subject lives in cert-manager.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: Role
  name: cert-manager:leaderelection
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
    apiGroup: ""
---
# Source: cert-manager/templates/webhook-rbac.yaml
# Grants Role cert-manager-webhook:dynamic-serving (Secret access in the
# cert-manager namespace) to the cert-manager-webhook ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
    app.kubernetes.io/version: v1.5.3
roleRef:
  kind: Role
  name: cert-manager-webhook:dynamic-serving
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: cert-manager-webhook
    namespace: cert-manager
    apiGroup: ""
---
# Source: cert-manager/templates/service.yaml
# Cluster-internal Service in front of the controller pods' port 9402, the
# port the controller Deployment advertises through its prometheus.io/*
# annotations.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
spec:
  # ClusterIP: no NodePort or LoadBalancer exposure is requested here.
  type: ClusterIP
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
  ports:
    - name: tcp-prometheus-servicemonitor
      protocol: TCP
      port: 9402
      targetPort: 9402
---
# Source: cert-manager/templates/webhook-service.yaml
# Cluster-internal Service that the webhook configurations in this manifest
# reference in clientConfig.service. Port 443 is forwarded to the webhook
# container's secure port 10250.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
    app.kubernetes.io/version: v1.5.3
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 10250
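---
# Source: cert-manager/templates/cainjector-deployment.yaml
# Runs one replica of the cainjector under the cert-manager-cainjector
# ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: cainjector
    app.kubernetes.io/version: v1.5.3
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: cainjector
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: cainjector
        app.kubernetes.io/version: v1.5.3
    spec:
      serviceAccountName: cert-manager-cainjector
      securityContext:
        # The container is refused at start-up if it would run as UID 0.
        runAsNonRoot: true
      containers:
        - name: cert-manager
          # NOTE(review): the image is referenced by tag only. Combined with
          # IfNotPresent, a node serves whatever it cached under this tag;
          # pinning by digest makes the deployed artifact immutable.
          image: quay.io/jetstack/cert-manager-cainjector:v1.5.3
          imagePullPolicy: IfNotPresent
          # Container-level hardening: runAsNonRoot alone does not stop a
          # process from gaining privileges through setuid binaries or file
          # capabilities, so escalation is disabled and all capabilities are
          # dropped.
          # NOTE(review): readOnlyRootFilesystem is a further candidate;
          # confirm the binary needs no writable paths before enabling it.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          args:
            - --v=2
            # Matches the namespace of the cert-manager-cainjector:leaderelection
            # Role and RoleBinding in this manifest.
            - --leader-election-namespace=kube-system
          env:
            # Downward API: the namespace the pod runs in.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # No requests or limits are set, so the pod runs as BestEffort and
          # is not bounded in CPU or memory; set values suited to the cluster.
          resources: {}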
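---
# Source: cert-manager/templates/deployment.yaml
# Runs one replica of the cert-manager controller under the cert-manager
# ServiceAccount, which the ClusterRoleBindings in this manifest bind to the
# cert-manager-controller-* ClusterRoles.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/version: v1.5.3
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: controller
        app.kubernetes.io/version: v1.5.3
      annotations:
        # Annotation values must be strings, so the boolean and the port
        # number stay quoted.
        prometheus.io/path: '/metrics'
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      serviceAccountName: cert-manager
      securityContext:
        # The container is refused at start-up if it would run as UID 0.
        runAsNonRoot: true
      containers:
        - name: cert-manager
          # NOTE(review): the image is referenced by tag only. Combined with
          # IfNotPresent, a node serves whatever it cached under this tag;
          # pinning by digest makes the deployed artifact immutable.
          image: quay.io/jetstack/cert-manager-controller:v1.5.3
          imagePullPolicy: IfNotPresent
          # Container-level hardening: runAsNonRoot alone does not stop a
          # process from gaining privileges through setuid binaries or file
          # capabilities, so escalation is disabled and all capabilities are
          # dropped. Port 9402 is unprivileged and needs no capability.
          # NOTE(review): readOnlyRootFilesystem is a further candidate;
          # confirm the binary needs no writable paths before enabling it.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          args:
            - --v=2
            # $(POD_NAMESPACE) is expanded by the kubelet from the env entry
            # below.
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            # Matches the namespace of the cert-manager:leaderelection Role
            # and RoleBinding in this manifest.
            - --leader-election-namespace=kube-system
          ports:
            # Metrics port, fronted by the cert-manager Service.
            - containerPort: 9402
              protocol: TCP
          env:
            # Downward API: the namespace the pod runs in.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # No requests or limits are set, so the pod runs as BestEffort and
          # is not bounded in CPU or memory; set values suited to the cluster.
          resources: {}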
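---
# Source: cert-manager/templates/webhook-deployment.yaml
# Runs one replica of the admission webhook. Both webhook configurations in
# this manifest use failurePolicy Fail, so while this single replica is
# unavailable the matched cert-manager.io requests are rejected.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
    app.kubernetes.io/version: v1.5.3
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: webhook
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: webhook
        app.kubernetes.io/version: v1.5.3
    spec:
      serviceAccountName: cert-manager-webhook
      securityContext:
        # The container is refused at start-up if it would run as UID 0.
        runAsNonRoot: true
      containers:
        - name: cert-manager
          # NOTE(review): the image is referenced by tag only. Combined with
          # IfNotPresent, a node serves whatever it cached under this tag;
          # pinning by digest makes the deployed artifact immutable.
          image: quay.io/jetstack/cert-manager-webhook:v1.5.3
          imagePullPolicy: IfNotPresent
          # Container-level hardening: runAsNonRoot alone does not stop a
          # process from gaining privileges through setuid binaries or file
          # capabilities, so escalation is disabled and all capabilities are
          # dropped. Ports 10250 and 6080 are unprivileged and need no
          # capability.
          # NOTE(review): readOnlyRootFilesystem is a further candidate;
          # confirm the binary needs no writable paths before enabling it.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          args:
            - --v=2
            # TLS listener; the cert-manager-webhook Service maps 443 to it.
            - --secure-port=10250
            # Namespace and name of the CA Secret; the name equals the one in
            # the cert-manager-webhook:dynamic-serving Role's resourceNames.
            - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
            - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
            # DNS names for the serving certificate; they correspond to the
            # Service name cert-manager-webhook in namespace cert-manager.
            - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
          ports:
            - name: https
              protocol: TCP
              containerPort: 10250
          # Both probes use plain HTTP on port 6080, separate from the TLS
          # port; 6080 is not published through the Service.
          livenessProbe:
            httpGet:
              scheme: HTTP
              port: 6080
              path: /livez
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              scheme: HTTP
              port: 6080
              path: /healthz
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          env:
            # Downward API: the namespace the pod runs in.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # No requests or limits are set, so the pod runs as BestEffort and
          # is not bounded in CPU or memory; set values suited to the cluster.
          resources: {}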
---
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
# Sends CREATE and UPDATE requests for cert-manager.io and
# acme.cert-manager.io v1 resources to the webhook's /mutate endpoint.
# No namespaceSelector is set, so the webhook applies in every namespace.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
    app.kubernetes.io/version: v1.5.3
  annotations:
    # Value is "<namespace>/<secret name>" of the webhook CA Secret.
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
webhooks:
  - name: webhook.cert-manager.io
    clientConfig:
      service:
        namespace: cert-manager
        name: cert-manager-webhook
        path: /mutate
    rules:
      - apiGroups:
          - cert-manager.io
          - acme.cert-manager.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    # We don't actually support `v1beta1`, but it is listed here as it is a
    # required value for
    # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
    # The API server reads the supported versions in order, so _should always_
    # attempt a `v1` request which is understood by the cert-manager webhook.
    # Any `v1beta1` request will return an error and fail closed for that
    # resource (the whole object request is rejected). When we no longer
    # support v1.16 we can remove `v1beta1` from this list.
    admissionReviewVersions:
      - v1
      - v1beta1
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    # Fail closed: a webhook error or a call exceeding timeoutSeconds rejects
    # the request instead of admitting it unmutated.
    failurePolicy: Fail
    timeoutSeconds: 10
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
---
# Source: cert-manager/templates/webhook-validating-webhook.yaml
# Sends CREATE and UPDATE requests for cert-manager.io and
# acme.cert-manager.io v1 resources to the webhook's /validate endpoint.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: webhook
    app.kubernetes.io/version: v1.5.3
  annotations:
    # Value is "<namespace>/<secret name>" of the webhook CA Secret.
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
webhooks:
  - name: webhook.cert-manager.io
    clientConfig:
      service:
        namespace: cert-manager
        name: cert-manager-webhook
        path: /validate
    # Validation is skipped for objects in namespaces labelled
    # cert-manager.io/disable-validation=true or name=cert-manager; NotIn also
    # matches namespaces that lack the label. Anyone allowed to set labels on
    # a Namespace can therefore opt it out of validation, so that permission
    # deserves the same scrutiny as this configuration itself.
    namespaceSelector:
      matchExpressions:
        - key: cert-manager.io/disable-validation
          operator: NotIn
          values:
            - "true"
        - key: name
          operator: NotIn
          values:
            - cert-manager
    rules:
      - apiGroups:
          - cert-manager.io
          - acme.cert-manager.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    # We don't actually support `v1beta1`, but it is listed here as it is a
    # required value for
    # [Kubernetes v1.16](https://github.com/kubernetes/kubernetes/issues/82025).
    # The API server reads the supported versions in order, so _should always_
    # attempt a `v1` request which is understood by the cert-manager webhook.
    # Any `v1beta1` request will return an error and fail closed for that
    # resource (the whole object request is rejected). When we no longer
    # support v1.16 we can remove `v1beta1` from this list.
    admissionReviewVersions:
      - v1
      - v1beta1
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    # Fail closed: a webhook error or a call exceeding timeoutSeconds rejects
    # the request instead of admitting it unvalidated.
    failurePolicy: Fail
    timeoutSeconds: 10
    sideEffects: None