--- a/10-cert-manager.yaml Wed Feb 12 02:17:00 2020 -0600
+++ b/10-cert-manager.yaml Sat May 02 04:28:25 2020 -0500
@@ -2,9 +2,26 @@
# from https://github.com/jetstack/cert-manager/releases. No changes, aside
# from this header have been made.
+# Copyright YEAR The Jetstack cert-manager contributors. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+ cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls name: certificaterequests.cert-manager.io
additionalPrinterColumns:
@@ -26,8 +43,14 @@
in RFC3339 form and is in UTC.
+ name: cert-manager-webhook + namespace: cert-manager - preserveUnknownFields: false listKind: CertificateRequestList
@@ -36,6 +59,7 @@
singular: certificaterequest
+ preserveUnknownFields: false @@ -43,7 +67,6 @@
description: CertificateRequest is a type to represent a Certificate Signing
description: 'APIVersion defines the versioned schema of this representation
@@ -59,15 +82,11 @@
description: CertificateRequestSpec defines the desired state of CertificateRequest
description: Byte slice containing the PEM encoded CertificateSigningRequest
description: Requested certificate default Duration
@@ -83,9 +102,6 @@
with the provided name will be used. The 'name' field in this stanza
is required at all times. The group field refers to the API group
of the issuer which defaults to 'cert-manager.io' if empty.
@@ -93,11 +109,13 @@
description: Usages is the set of x509 actions that are enabled for
a given key. Defaults are ('digital signature', 'key encipherment')
description: 'KeyUsage specifies valid usage contexts for keys. See:
https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
@@ -108,7 +126,6 @@
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
@@ -133,36 +150,36 @@
description: CertificateStatus defines the observed state of CertificateRequest
and resulting signed certificate.
description: Byte slice containing the PEM encoded certificate authority
of the signed certificate.
description: Byte slice containing a PEM encoded signed certificate
resulting from the given certificate signing request.
description: CertificateRequestCondition contains condition information
for a CertificateRequest.
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
description: Message is a human readable description of the details
of the last transition, complementing reason.
@@ -174,28 +191,39 @@
description: Status of the condition, one of ('True', 'False',
description: Type of the condition, currently ('Ready', 'InvalidRequest').
description: FailureTime stores the time that this CertificateRequest
failed. This is used to influence garbage collection and back-off.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+ cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls name: certificates.cert-manager.io
additionalPrinterColumns:
@@ -220,8 +248,14 @@
in RFC3339 form and is in UTC.
+ name: cert-manager-webhook + namespace: cert-manager - preserveUnknownFields: false listKind: CertificateList
@@ -230,253 +264,511 @@
+ preserveUnknownFields: false
- description: Certificate is a type to represent a Certificate from ACME- description: 'APIVersion defines the versioned schema of this representation- of an object. Servers should convert recognized schemas to the latest- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'- description: 'Kind is a string value representing the REST resource this- object represents. Servers may infer this from the endpoint the client- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'- description: CertificateSpec defines the desired state of Certificate. A- valid Certificate requires at least one of a CommonName, DNSName, or URISAN- description: CommonName is a common name to be used on the Certificate.- The CommonName should have a length of 64 characters or fewer to avoid- generating invalid CSRs.- description: DNSNames is a list of subject alt names to be used on the- description: Certificate default Duration- description: IPAddresses is a list of IP addresses to be used on the- description: IsCA will mark this Certificate as valid for signing. This- implies that the 'cert sign' usage is set- description: IssuerRef is a reference to the issuer for this certificate.- If the 'kind' field is not set, or set to 'Issuer', an Issuer resource- with the given name in the same namespace as the Certificate will- be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer- with the provided name will be used. The 'name' field in this stanza- is required at all times.- description: KeyAlgorithm is the private key algorithm of the corresponding- private key for this certificate. If provided, allowed values are- either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is- not provided, key size of 256 will be used for "ecdsa" key algorithm- and key size of 2048 will be used for "rsa" key algorithm.- description: KeyEncoding is the private key cryptography standards (PKCS)- for this certificate's private key to be encoded in. If provided,- allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,- respectively. If KeyEncoding is not specified, then PKCS#1 will be- description: KeySize is the key bit size of the corresponding private- key for this certificate. If provided, value must be between 2048- and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",- and value must be one of (256, 384, 521) when KeyAlgorithm is set- description: Organization is the organization to be used on the Certificate- description: Certificate renew before expiration duration- description: SecretName is the name of the secret resource to store- description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).- description: Countries to be used on the Certificate.- description: Cities to be used on the Certificate.- description: Organizational Units to be used on the Certificate.- description: Postal codes to be used on the Certificate.- description: State/Provinces to be used on the Certificate.- description: Serial number to be used on the Certificate.- description: Street addresses to be used on the Certificate.- description: URISANs is a list of URI Subject Alternative Names to be- set on this Certificate.- description: Usages is the set of x509 actions that are enabled for- a given key. Defaults are ('digital signature', 'key encipherment')- description: 'KeyUsage specifies valid usage contexts for keys. See:- https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12- Valid KeyUsage values are as follows: "signing", "digital signature",- "content commitment", "key encipherment", "key agreement", "data- encipherment", "cert sign", "crl sign", "encipher only", "decipher- only", "any", "server auth", "client auth", "code signing", "email- protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec- user", "timestamping", "ocsp signing", "microsoft sgc", "netscape- description: CertificateStatus defines the observed state of Certificate- description: CertificateCondition contains condition information for- description: LastTransitionTime is the timestamp corresponding- to the last status change of this condition.- description: Message is a human readable description of the details- of the last transition, complementing reason.- description: Reason is a brief machine readable explanation for- the condition's last transition.- description: Status of the condition, one of ('True', 'False',- description: Type of the condition, currently ('Ready').- description: The expiration time of the certificate stored in the secret- named by this resource in spec.secretName.+ description: Certificate is a type to represent a Certificate from ACME + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CertificateSpec defines the desired state of Certificate. + A valid Certificate requires at least one of a CommonName, DNSName, + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + description: DNSNames is a list of subject alt names to be used on + description: Certificate default Duration + description: EmailSANs is a list of Email Subject Alternative Names + to be set on this Certificate. + description: IPAddresses is a list of IP addresses to be used on the + description: IsCA will mark this Certificate as valid for signing. + This implies that the 'cert sign' usage is set + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize + is not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + description: KeyEncoding is the private key cryptography standards + (PKCS) for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + description: Organization is the organization to be used on the Certificate + description: Certificate renew before expiration duration + description: SecretName is the name of the secret resource to store + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + description: Countries to be used on the Certificate. + description: Cities to be used on the Certificate. + description: Organizational Units to be used on the Certificate. + description: Postal codes to be used on the Certificate. + description: State/Provinces to be used on the Certificate. + description: Serial number to be used on the Certificate. + description: Street addresses to be used on the Certificate. + description: URISANs is a list of URI Subject Alternative Names to + be set on this Certificate. + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: CertificateStatus defines the observed state of Certificate + description: CertificateCondition contains condition information + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, currently ('Ready'). + description: The expiration time of the certificate stored in the + secret named by this resource in spec.secretName. + description: Certificate is a type to represent a Certificate from ACME + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CertificateSpec defines the desired state of Certificate. + A valid Certificate requires at least one of a CommonName, DNSName, + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + description: DNSNames is a list of subject alt names to be used on + description: Certificate default Duration + description: EmailSANs is a list of Email Subject Alternative Names + to be set on this Certificate. + description: IPAddresses is a list of IP addresses to be used on the + description: IsCA will mark this Certificate as valid for signing. + This implies that the 'cert sign' usage is set + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize + is not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + description: KeyEncoding is the private key cryptography standards + (PKCS) for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + description: Certificate renew before expiration duration + description: SecretName is the name of the secret resource to store + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + description: Countries to be used on the Certificate. + description: Cities to be used on the Certificate. + description: Organizational Units to be used on the Certificate. + description: Organizations to be used on the Certificate. + description: Postal codes to be used on the Certificate. + description: State/Provinces to be used on the Certificate. + description: Serial number to be used on the Certificate. + description: Street addresses to be used on the Certificate. + description: URISANs is a list of URI Subject Alternative Names to + be set on this Certificate. + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: CertificateStatus defines the observed state of Certificate + description: CertificateCondition contains condition information + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, currently ('Ready'). + description: The expiration time of the certificate stored in the + secret named by this resource in spec.secretName. apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+ cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls name: challenges.acme.cert-manager.io
additionalPrinterColumns:
@@ -497,13 +789,20 @@
in RFC3339 form and is in UTC.
+ name: cert-manager-webhook + namespace: cert-manager group: acme.cert-manager.io
- preserveUnknownFields: false+ preserveUnknownFields: false @@ -511,9 +810,6 @@
description: Challenge is a type to represent a Challenge request with an ACME
description: 'APIVersion defines the versioned schema of this representation
@@ -528,15 +824,6 @@
description: AuthzURL is the URL to the ACME Authorization resource
@@ -552,9 +839,6 @@
not exist, processing will be retried. If the Issuer is not an 'ACME'
Issuer, an error will be returned and the Challenge will be marked
@@ -562,29 +846,23 @@
description: Key is the ACME challenge key for this challenge
description: Solver contains the domain solving configuration that should
be used to solve this challenge resource.
description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing
the configuration for ACME-DNS servers
description: The key of the secret to select from. Must
@@ -594,23 +872,21 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: ACMEIssuerDNS01ProviderAkamai is a structure containing
the DNS configuration for Akamai DNS—Zone Record Management
- - clientSecretSecretRef- - serviceConsumerDomain description: The key of the secret to select from. Must
@@ -620,10 +896,10 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: The key of the secret to select from. Must
@@ -633,10 +909,37 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + - clientSecretSecretRef + - serviceConsumerDomain + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS description: The key of the secret to select from. Must
@@ -646,41 +949,16 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
- description: ACMEIssuerDNS01ProviderAzureDNS is a structure- containing the configuration for Azure DNS- - clientSecretSecretRef- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'@@ -689,19 +967,20 @@
+ - clientSecretSecretRef description: ACMEIssuerDNS01ProviderCloudDNS is a structure
containing the DNS configuration for Google Cloud DNS
description: The key of the secret to select from. Must
@@ -711,17 +990,17 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: ACMEIssuerDNS01ProviderCloudflare is a structure
containing the DNS configuration for Cloudflare
description: The key of the secret to select from. Must
@@ -731,10 +1010,10 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: The key of the secret to select from. Must
@@ -744,26 +1023,26 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: CNAMEStrategy configures how the DNS01 provider
should handle CNAME records when found in DNS zones.
description: ACMEIssuerDNS01ProviderDigitalOcean is a structure
containing the DNS configuration for DigitalOcean Domains
description: The key of the secret to select from. Must
@@ -773,12 +1052,15 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing
the configuration for RFC2136 DNS
description: 'The IP address of the DNS supporting RFC2136.
@@ -798,9 +1080,6 @@
description: The name of the secret containing the TSIG
value. If ``tsigKeyName`` is defined, this field is required.
description: The key of the secret to select from. Must
@@ -810,12 +1089,15 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: ACMEIssuerDNS01ProviderRoute53 is a structure containing
the Route 53 configuration for AWS
description: 'The AccessKeyID is used for authentication.
@@ -841,9 +1123,6 @@
description: The SecretAccessKey is used for authentication.
If not set we fall-back to using env vars, shared credentials
file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
description: The key of the secret to select from. Must
@@ -853,14 +1132,16 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: ACMEIssuerDNS01ProviderWebhook specifies configuration
for a webhook DNS01 provider, including where to POST ChallengePayload
description: Additional configuration that should be passed
@@ -883,6 +1164,11 @@
the webhook provider implementation. This will typically
be the name of the provider, e.g. 'cloudflare'.
description: ACMEChallengeSolverHTTP01 contains configuration detailing
how to solve HTTP01 challenges within a Kubernetes cluster. Typically
@@ -890,7 +1176,6 @@
that configure ingress controllers to direct traffic to 'solver
pods', which are responsible for responding to the ACME server's
description: The ingress based HTTP01 challenge solver will
@@ -898,7 +1183,6 @@
in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
description: The ingress class to use when creating Ingress
@@ -916,7 +1200,6 @@
description: Optional pod template used to configure the
ACME challenge solver pods used for HTTP01 challenges
description: ObjectMeta overrides for the pod used to
@@ -924,36 +1207,33 @@
fields may be set. If labels or annotations overlap
with in-built values, the values here will override
description: Annotations that should be added to
the create ACME HTTP01 solver pods.
description: Labels that should be added to the
created ACME HTTP01 solver pods.
description: PodSpec defines overrides for the HTTP01
challenge solver pod. Only the 'nodeSelector', 'affinity'
and 'tolerations' fields are supported currently.
All other fields will be ignored.
description: If specified, the pod's scheduling
description: Describes node affinity scheduling
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to
@@ -971,38 +1251,27 @@
sum if the node matches the corresponding
matchExpressions; the node(s) with the
highest sum are the most preferred.
description: An empty preferred scheduling
term matches all objects with implicit
weight 0 (i.e. it's a no-op). A null
preferred scheduling term matches no
objects (i.e. is also a no-op).
description: A node selector term,
associated with the corresponding
description: A list of node selector
requirements by node's labels.
description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
description: The label key
@@ -1033,23 +1302,23 @@
description: A list of node selector
requirements by node's fields.
description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
description: The label key
@@ -1080,15 +1349,26 @@
description: Weight associated with
matching the corresponding nodeSelectorTerm,
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met at
@@ -1099,36 +1379,26 @@
due to an update), the system may or may
not try to eventually evict the pod from
description: Required. A list of node
selector terms. The terms are ORed.
description: A null or empty node
selector term matches no objects.
The requirements of them are ANDed.
The TopologySelectorTerm type implements
a subset of the NodeSelectorTerm.
description: A list of node selector
requirements by node's labels.
description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
description: The label key
@@ -1159,23 +1429,23 @@
description: A list of node selector
requirements by node's fields.
description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
description: The label key
@@ -1206,14 +1476,24 @@
description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the same
node, zone, etc. as some other pod(s)).
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to
@@ -1232,37 +1512,27 @@
the corresponding podAffinityTerm; the
node(s) with the highest sum are the most
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
description: Required. A pod affinity
term, associated with the corresponding
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -1270,10 +1540,6 @@
@@ -1304,10 +1570,17 @@
description: matchLabels is
a map of {key,value} pairs.
@@ -1319,17 +1592,16 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should be
co-located (affinity) or not
@@ -1344,12 +1616,20 @@
is running. Empty topologyKey
description: weight associated with
matching the corresponding podAffinityTerm,
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met at
@@ -1364,7 +1644,6 @@
corresponding to each podAffinityTerm
are intersected, i.e. all terms must be
description: Defines a set of pods (namely
those matching the labelSelector relative
@@ -1376,31 +1655,22 @@
key <topologyKey> matches that of any
node on which a pod of the set of pods
description: A label query over a
set of resources, in this case pods.
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
that contains values, a key,
and an operator that relates
@@ -1425,10 +1695,17 @@
array must be empty. This
description: matchLabels is a
map of {key,value} pairs. A
single {key,value} in the matchLabels
@@ -1439,17 +1716,16 @@
contains only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against); null
or empty list means "this pod's
description: This pod should be co-located
(affinity) or not co-located (anti-affinity)
@@ -1462,11 +1738,15 @@
selected pods is running. Empty
topologyKey is not allowed.
description: Describes pod anti-affinity scheduling
rules (e.g. avoid putting this pod in the
same node, zone, etc. as some other pod(s)).
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to
@@ -1485,37 +1765,27 @@
has pods which matches the corresponding
podAffinityTerm; the node(s) with the
highest sum are the most preferred.
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
description: Required. A pod affinity
term, associated with the corresponding
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -1523,10 +1793,6 @@
@@ -1557,10 +1823,17 @@
description: matchLabels is
a map of {key,value} pairs.
@@ -1572,17 +1845,16 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should be
co-located (affinity) or not
@@ -1597,12 +1869,20 @@
is running. Empty topologyKey
description: weight associated with
matching the corresponding podAffinityTerm,
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements
specified by this field are not met at
@@ -1617,7 +1897,6 @@
corresponding to each podAffinityTerm
are intersected, i.e. all terms must be
description: Defines a set of pods (namely
those matching the labelSelector relative
@@ -1629,31 +1908,22 @@
key <topologyKey> matches that of any
node on which a pod of the set of pods
description: A label query over a
set of resources, in this case pods.
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
that contains values, a key,
and an operator that relates
@@ -1678,10 +1948,17 @@
array must be empty. This
description: matchLabels is a
map of {key,value} pairs. A
single {key,value} in the matchLabels
@@ -1692,17 +1969,16 @@
contains only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against); null
or empty list means "this pod's
description: This pod should be co-located
(affinity) or not co-located (anti-affinity)
@@ -1715,23 +1991,27 @@
selected pods is running. Empty
topologyKey is not allowed.
description: 'NodeSelector is a selector which must
be true for the pod to fit on a node. Selector
which must match a node''s labels for the pod
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
description: If specified, the pod's tolerations.
description: The pod this Toleration is attached
to tolerates any taint that matches the triple
<key,value,effect> using the matching operator
description: Effect indicates the taint effect
@@ -1763,22 +2043,27 @@
the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict
immediately) by the system.
description: Value is the taint value the
toleration matches to. If the operator is
Exists, the value should be empty, otherwise
description: Optional service type for Kubernetes solver
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
description: List of DNSNames that this solver will be used
@@ -1788,9 +2073,9 @@
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier in
the list will be selected.
description: List of DNSZones that this solver will be used
to solve. The most specific DNS zone match specified here
@@ -1801,15 +2086,17 @@
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier in
the list will be selected.
description: A label selector that is used to refine the set
of certificate's that this challenge solver will apply to.
description: Token is the ACME challenge token for this challenge.
@@ -1826,8 +2113,16 @@
description: Wildcard will be true if this challenge is for a wildcard
identifier, for example '*.example.com'
description: Presented will be set to true if the challenge values for
@@ -1851,7 +2146,6 @@
description: State contains the current 'state' of the challenge. If
not set, the state of the challenge is unknown.
@@ -1860,15 +2154,24 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+ cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls name: clusterissuers.cert-manager.io
additionalPrinterColumns:
@@ -1886,19 +2189,25 @@
in RFC3339 form and is in UTC.
+ name: cert-manager-webhook + namespace: cert-manager - preserveUnknownFields: false listKind: ClusterIssuerList
+ preserveUnknownFields: false
description: 'APIVersion defines the versioned schema of this representation
@@ -1915,35 +2224,25 @@
description: IssuerSpec is the specification of an Issuer. This includes
any configuration required for the issuer.
description: ACMEIssuer contains the specification for an ACME issuer
description: Email is the email for this account
- description: ExternalAcccountBinding is a reference to a CA external+ description: ExternalAccountBinding is a reference to a CA external account of the ACME server.
description: keyAlgorithm is the MAC key algorithm that the
key is used for. Valid values are "HS256", "HS384" and "HS512".
description: keyID is the ID of the CA key that the External
@@ -1957,9 +2256,6 @@
with the External Account Binding keyID above. The secret
key stored in the Secret **must** be un-padded, base64 URL
description: The key of the secret to select from. Must
@@ -1969,12 +2265,17 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: PrivateKey is the name of a secret containing the private
key for this user account.
description: The key of the secret to select from. Must be a
@@ -1984,6 +2285,9 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: Server is the ACME server URL
@@ -1993,25 +2297,15 @@
description: Solvers is a list of challenge solvers that will be
used to solve ACME challenges for the matching domains.
description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
containing the configuration for ACME-DNS servers
description: The key of the secret to select from.
@@ -2023,23 +2317,21 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderAkamai is a structure
containing the DNS configuration for Akamai DNS—Zone
- - clientSecretSecretRef- - serviceConsumerDomain description: The key of the secret to select from.
@@ -2051,10 +2343,10 @@
TODO: Add other useful fields. apiVersion, kind,
description: The key of the secret to select from.
@@ -2066,10 +2358,10 @@
TODO: Add other useful fields. apiVersion, kind,
description: The key of the secret to select from.
@@ -2081,25 +2373,24 @@
TODO: Add other useful fields. apiVersion, kind,
+ - clientSecretSecretRef + - serviceConsumerDomain description: ACMEIssuerDNS01ProviderAzureDNS is a structure
containing the configuration for Azure DNS
- - clientSecretSecretRef description: The key of the secret to select from.
@@ -2111,13 +2402,16 @@
TODO: Add other useful fields. apiVersion, kind,
@@ -2126,19 +2420,20 @@
+ - clientSecretSecretRef description: ACMEIssuerDNS01ProviderCloudDNS is a structure
containing the DNS configuration for Google Cloud DNS
description: The key of the secret to select from.
@@ -2150,17 +2445,17 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderCloudflare is a structure
containing the DNS configuration for Cloudflare
description: The key of the secret to select from.
@@ -2172,10 +2467,10 @@
TODO: Add other useful fields. apiVersion, kind,
description: The key of the secret to select from.
@@ -2187,27 +2482,27 @@
TODO: Add other useful fields. apiVersion, kind,
description: CNAMEStrategy configures how the DNS01 provider
should handle CNAME records when found in DNS zones.
description: ACMEIssuerDNS01ProviderDigitalOcean is a
structure containing the DNS configuration for DigitalOcean
description: The key of the secret to select from.
@@ -2219,12 +2514,15 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderRFC2136 is a structure
containing the configuration for RFC2136 DNS
description: 'The IP address of the DNS supporting
@@ -2247,9 +2545,6 @@
description: The name of the secret containing the
TSIG value. If ``tsigKeyName`` is defined, this
description: The key of the secret to select from.
@@ -2261,12 +2556,15 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderRoute53 is a structure
containing the Route 53 configuration for AWS
description: 'The AccessKeyID is used for authentication.
@@ -2293,9 +2591,6 @@
description: The SecretAccessKey is used for authentication.
If not set we fall-back to using env vars, shared
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
description: The key of the secret to select from.
@@ -2307,14 +2602,16 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderWebhook specifies
configuration for a webhook DNS01 provider, including
where to POST ChallengePayload resources.
description: Additional configuration that should
@@ -2338,6 +2635,11 @@
in the webhook provider implementation. This will
typically be the name of the provider, e.g. 'cloudflare'.
description: ACMEChallengeSolverHTTP01 contains configuration
detailing how to solve HTTP01 challenges within a Kubernetes
@@ -2345,7 +2647,6 @@
'routes' of some description that configure ingress controllers
to direct traffic to 'solver pods', which are responsible
for responding to the ACME server's HTTP requests.
description: The ingress based HTTP01 challenge solver
@@ -2353,7 +2654,6 @@
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
description: The ingress class to use when creating
@@ -2372,7 +2672,6 @@
description: Optional pod template used to configure
the ACME challenge solver pods used for HTTP01 challenges
description: ObjectMeta overrides for the pod
@@ -2380,36 +2679,33 @@
and 'annotations' fields may be set. If labels
or annotations overlap with in-built values,
the values here will override the in-built values.
description: Annotations that should be added
to the create ACME HTTP01 solver pods.
description: Labels that should be added to
the created ACME HTTP01 solver pods.
description: PodSpec defines overrides for the
HTTP01 challenge solver pod. Only the 'nodeSelector',
'affinity' and 'tolerations' fields are supported
currently. All other fields will be ignored.
description: If specified, the pod's scheduling
description: Describes node affinity scheduling
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -2430,7 +2726,6 @@
corresponding matchExpressions;
the node(s) with the highest sum
description: An empty preferred
scheduling term matches all objects
@@ -2438,22 +2733,16 @@
a no-op). A null preferred scheduling
term matches no objects (i.e.
description: A node selector
term, associated with the
description: A list of node
description: A node selector
requirement is a selector
@@ -2461,10 +2750,6 @@
@@ -2500,14 +2785,18 @@
description: A list of node
description: A node selector
requirement is a selector
@@ -2515,10 +2804,6 @@
@@ -2554,16 +2839,27 @@
description: Weight associated
with matching the corresponding
nodeSelectorTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not
@@ -2575,15 +2871,11 @@
(e.g. due to an update), the system
may or may not try to eventually
evict the pod from its node.
description: Required. A list
of node selector terms. The
description: A null or empty
node selector term matches
@@ -2591,13 +2883,11 @@
of them are ANDed. The TopologySelectorTerm
type implements a subset of
description: A list of node
description: A node selector
requirement is a selector
@@ -2605,10 +2895,6 @@
@@ -2644,14 +2930,18 @@
description: A list of node
description: A node selector
requirement is a selector
@@ -2659,10 +2949,6 @@
@@ -2698,15 +2984,25 @@
description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the
same node, zone, etc. as some other
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -2727,30 +3023,21 @@
which matches the corresponding
podAffinityTerm; the node(s) with
the highest sum are the most preferred.
description: The weights of all
of the matched WeightedPodAffinityTerm
fields are added per-node to find
the most preferred node(s)
description: Required. A pod
affinity term, associated
with the corresponding weight.
description: A label query
description: matchExpressions
@@ -2758,7 +3045,6 @@
@@ -2767,10 +3053,6 @@
@@ -2806,10 +3088,17 @@
pairs. A single {key,value}
@@ -2823,8 +3112,7 @@
"value". The requirements
specifies which namespaces
@@ -2832,9 +3120,9 @@
description: This pod should
@@ -2851,13 +3139,21 @@
is running. Empty topologyKey
description: weight associated
with matching the corresponding
podAffinityTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not
@@ -2873,7 +3169,6 @@
the lists of nodes corresponding
to each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
description: Defines a set of pods
(namely those matching the labelSelector
@@ -2885,22 +3180,17 @@
of the label with key <topologyKey>
matches that of any node on which
a pod of the set of pods is running
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -2908,10 +3198,6 @@
@@ -2942,10 +3228,17 @@
pairs. A single {key,value}
@@ -2958,17 +3251,16 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should
be co-located (affinity) or
@@ -2984,12 +3276,16 @@
running. Empty topologyKey
description: Describes pod anti-affinity
scheduling rules (e.g. avoid putting
this pod in the same node, zone, etc.
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -3010,30 +3306,21 @@
has pods which matches the corresponding
podAffinityTerm; the node(s) with
the highest sum are the most preferred.
description: The weights of all
of the matched WeightedPodAffinityTerm
fields are added per-node to find
the most preferred node(s)
description: Required. A pod
affinity term, associated
with the corresponding weight.
description: A label query
description: matchExpressions
@@ -3041,7 +3328,6 @@
@@ -3050,10 +3336,6 @@
@@ -3089,10 +3371,17 @@
pairs. A single {key,value}
@@ -3106,8 +3395,7 @@
"value". The requirements
specifies which namespaces
@@ -3115,9 +3403,9 @@
description: This pod should
@@ -3134,13 +3422,21 @@
is running. Empty topologyKey
description: weight associated
with matching the corresponding
podAffinityTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity
requirements specified by this field
@@ -3156,7 +3452,6 @@
elements, the lists of nodes corresponding
to each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
description: Defines a set of pods
(namely those matching the labelSelector
@@ -3168,22 +3463,17 @@
of the label with key <topologyKey>
matches that of any node on which
a pod of the set of pods is running
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -3191,10 +3481,6 @@
@@ -3225,10 +3511,17 @@
pairs. A single {key,value}
@@ -3241,17 +3534,16 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should
be co-located (affinity) or
@@ -3267,24 +3559,28 @@
running. Empty topologyKey
description: 'NodeSelector is a selector which
must be true for the pod to fit on a node.
Selector which must match a node''s labels
for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
description: If specified, the pod's tolerations.
description: The pod this Toleration is
attached to tolerates any taint that matches
the triple <key,value,effect> using the
matching operator <operator>.
description: Effect indicates the taint
@@ -3319,8 +3615,8 @@
(do not evict). Zero and negative
values will be treated as 0 (evict
immediately) by the system.
description: Value is the taint value
the toleration matches to. If the
@@ -3328,14 +3624,19 @@
be empty, otherwise just a regular
description: Optional service type for Kubernetes
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
description: List of DNSNames that this solver will be
@@ -3345,9 +3646,9 @@
value, the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
description: List of DNSZones that this solver will be
used to solve. The most specific DNS zone match specified
@@ -3358,45 +3659,41 @@
the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
description: A label selector that is used to refine the
set of certificate's that this challenge solver will
description: SecretName is the name of the secret used to sign Certificates
description: Vault authentication
description: This Secret contains a AppRole and Secret
description: Where the authentication path is mounted in
@@ -3405,9 +3702,6 @@
description: The key of the secret to select from. Must
@@ -3417,13 +3711,17 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: This contains a Role and Secret with a ServiceAccount
token to authenticate with vault.
description: The Vault mountPath here is the mount path
@@ -3441,9 +3739,6 @@
description: The required Secret field containing a Kubernetes
ServiceAccount JWT used for authenticating with Vault.
Use of 'ambient credentials' is not supported.
description: The key of the secret to select from. Must
@@ -3453,11 +3748,15 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: This Secret contains the Vault token key
description: The key of the secret to select from. Must
@@ -3467,40 +3766,39 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: Base64 encoded CA bundle to validate Vault server certificate.
Only used if the Server URL is using HTTPS protocol. This parameter
is ignored for plain HTTP protocol connection. If not set the
system root certificates are used to validate the TLS connection.
description: Vault URL path to the certificate role
description: Server is the vault connection address
description: VenafiIssuer describes issuer configuration details for
description: Cloud specifies the Venafi cloud configuration settings.
Only one of TPP or Cloud may be specified.
description: APITokenSecretRef is a secret key selector for
the Venafi Cloud API token.
description: The key of the secret to select from. Must
@@ -3510,52 +3808,60 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: URL is the base URL for Venafi Cloud
description: TPP specifies Trust Protection Platform configuration
settings. Only one of TPP or Cloud may be specified.
- description: CABundle is a PEM encoded TLS certifiate to use+ description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system
roots will not be used and the issuing CA for the TPP instance
must be verifiable using the provided root. If not specified,
the connection will be verified using the cert-manager system
description: CredentialsRef is a reference to a Secret containing
the username and password for the TPP server. The secret must
contain two keys, 'username' and 'password'.
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: URL is the base URL for the Venafi TPP instance
description: Zone is the Venafi Policy Zone to use for this issuer.
All requests made to the Venafi platform will be restricted by
the named zone policy. This field is required.
description: IssuerStatus contains status information about an Issuer
description: LastRegisteredEmail is the email associated with the
@@ -3566,21 +3872,17 @@
description: URI is the unique account identifier, which can also
be used to retrieve account details from the CA
description: IssuerCondition contains condition information for an
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
description: Message is a human readable description of the details
of the last transition, complementing reason.
@@ -3592,23 +3894,34 @@
description: Status of the condition, one of ('True', 'False',
description: Type of the condition, currently ('Ready').
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+ cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls name: issuers.cert-manager.io
additionalPrinterColumns:
@@ -3626,19 +3939,25 @@
in RFC3339 form and is in UTC.
+ name: cert-manager-webhook + namespace: cert-manager - preserveUnknownFields: false+ preserveUnknownFields: false
description: 'APIVersion defines the versioned schema of this representation
@@ -3655,35 +3974,25 @@
description: IssuerSpec is the specification of an Issuer. This includes
any configuration required for the issuer.
description: ACMEIssuer contains the specification for an ACME issuer
description: Email is the email for this account
- description: ExternalAcccountBinding is a reference to a CA external+ description: ExternalAccountBinding is a reference to a CA external account of the ACME server.
description: keyAlgorithm is the MAC key algorithm that the
key is used for. Valid values are "HS256", "HS384" and "HS512".
description: keyID is the ID of the CA key that the External
@@ -3697,9 +4006,6 @@
with the External Account Binding keyID above. The secret
key stored in the Secret **must** be un-padded, base64 URL
description: The key of the secret to select from. Must
@@ -3709,12 +4015,17 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: PrivateKey is the name of a secret containing the private
key for this user account.
description: The key of the secret to select from. Must be a
@@ -3724,6 +4035,9 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: Server is the ACME server URL
@@ -3733,25 +4047,15 @@
description: Solvers is a list of challenge solvers that will be
used to solve ACME challenges for the matching domains.
description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
containing the configuration for ACME-DNS servers
description: The key of the secret to select from.
@@ -3763,23 +4067,21 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderAkamai is a structure
containing the DNS configuration for Akamai DNS—Zone
- - clientSecretSecretRef- - serviceConsumerDomain description: The key of the secret to select from.
@@ -3791,10 +4093,10 @@
TODO: Add other useful fields. apiVersion, kind,
description: The key of the secret to select from.
@@ -3806,10 +4108,10 @@
TODO: Add other useful fields. apiVersion, kind,
description: The key of the secret to select from.
@@ -3821,25 +4123,24 @@
TODO: Add other useful fields. apiVersion, kind,
+ - clientSecretSecretRef + - serviceConsumerDomain description: ACMEIssuerDNS01ProviderAzureDNS is a structure
containing the configuration for Azure DNS
- - clientSecretSecretRef description: The key of the secret to select from.
@@ -3851,13 +4152,16 @@
TODO: Add other useful fields. apiVersion, kind,
@@ -3866,19 +4170,20 @@
+ - clientSecretSecretRef description: ACMEIssuerDNS01ProviderCloudDNS is a structure
containing the DNS configuration for Google Cloud DNS
description: The key of the secret to select from.
@@ -3890,17 +4195,17 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderCloudflare is a structure
containing the DNS configuration for Cloudflare
description: The key of the secret to select from.
@@ -3912,10 +4217,10 @@
TODO: Add other useful fields. apiVersion, kind,
description: The key of the secret to select from.
@@ -3927,27 +4232,27 @@
TODO: Add other useful fields. apiVersion, kind,
description: CNAMEStrategy configures how the DNS01 provider
should handle CNAME records when found in DNS zones.
description: ACMEIssuerDNS01ProviderDigitalOcean is a
structure containing the DNS configuration for DigitalOcean
description: The key of the secret to select from.
@@ -3959,12 +4264,15 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderRFC2136 is a structure
containing the configuration for RFC2136 DNS
description: 'The IP address of the DNS supporting
@@ -3987,9 +4295,6 @@
description: The name of the secret containing the
TSIG value. If ``tsigKeyName`` is defined, this
description: The key of the secret to select from.
@@ -4001,12 +4306,15 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderRoute53 is a structure
containing the Route 53 configuration for AWS
description: 'The AccessKeyID is used for authentication.
@@ -4033,9 +4341,6 @@
description: The SecretAccessKey is used for authentication.
If not set we fall-back to using env vars, shared
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
description: The key of the secret to select from.
@@ -4047,14 +4352,16 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderWebhook specifies
configuration for a webhook DNS01 provider, including
where to POST ChallengePayload resources.
description: Additional configuration that should
@@ -4078,6 +4385,11 @@
in the webhook provider implementation. This will
typically be the name of the provider, e.g. 'cloudflare'.
description: ACMEChallengeSolverHTTP01 contains configuration
detailing how to solve HTTP01 challenges within a Kubernetes
@@ -4085,7 +4397,6 @@
'routes' of some description that configure ingress controllers
to direct traffic to 'solver pods', which are responsible
for responding to the ACME server's HTTP requests.
description: The ingress based HTTP01 challenge solver
@@ -4093,7 +4404,6 @@
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
description: The ingress class to use when creating
@@ -4112,7 +4422,6 @@
description: Optional pod template used to configure
the ACME challenge solver pods used for HTTP01 challenges
description: ObjectMeta overrides for the pod
@@ -4120,36 +4429,33 @@
and 'annotations' fields may be set. If labels
or annotations overlap with in-built values,
the values here will override the in-built values.
description: Annotations that should be added
to the create ACME HTTP01 solver pods.
description: Labels that should be added to
the created ACME HTTP01 solver pods.
description: PodSpec defines overrides for the
HTTP01 challenge solver pod. Only the 'nodeSelector',
'affinity' and 'tolerations' fields are supported
currently. All other fields will be ignored.
description: If specified, the pod's scheduling
description: Describes node affinity scheduling
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -4170,7 +4476,6 @@
corresponding matchExpressions;
the node(s) with the highest sum
description: An empty preferred
scheduling term matches all objects
@@ -4178,22 +4483,16 @@
a no-op). A null preferred scheduling
term matches no objects (i.e.
description: A node selector
term, associated with the
description: A list of node
description: A node selector
requirement is a selector
@@ -4201,10 +4500,6 @@
@@ -4240,14 +4535,18 @@
description: A list of node
description: A node selector
requirement is a selector
@@ -4255,10 +4554,6 @@
@@ -4294,16 +4589,27 @@
description: Weight associated
with matching the corresponding
nodeSelectorTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not
@@ -4315,15 +4621,11 @@
(e.g. due to an update), the system
may or may not try to eventually
evict the pod from its node.
description: Required. A list
of node selector terms. The
description: A null or empty
node selector term matches
@@ -4331,13 +4633,11 @@
of them are ANDed. The TopologySelectorTerm
type implements a subset of
description: A list of node
description: A node selector
requirement is a selector
@@ -4345,10 +4645,6 @@
@@ -4384,14 +4680,18 @@
description: A list of node
description: A node selector
requirement is a selector
@@ -4399,10 +4699,6 @@
@@ -4438,15 +4734,25 @@
description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the
same node, zone, etc. as some other
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -4467,30 +4773,21 @@
which matches the corresponding
podAffinityTerm; the node(s) with
the highest sum are the most preferred.
description: The weights of all
of the matched WeightedPodAffinityTerm
fields are added per-node to find
the most preferred node(s)
description: Required. A pod
affinity term, associated
with the corresponding weight.
description: A label query
description: matchExpressions
@@ -4498,7 +4795,6 @@
@@ -4507,10 +4803,6 @@
@@ -4546,10 +4838,17 @@
pairs. A single {key,value}
@@ -4563,8 +4862,7 @@
"value". The requirements
specifies which namespaces
@@ -4572,9 +4870,9 @@
description: This pod should
@@ -4591,13 +4889,21 @@
is running. Empty topologyKey
description: weight associated
with matching the corresponding
podAffinityTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not
@@ -4613,7 +4919,6 @@
the lists of nodes corresponding
to each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
description: Defines a set of pods
(namely those matching the labelSelector
@@ -4625,22 +4930,17 @@
of the label with key <topologyKey>
matches that of any node on which
a pod of the set of pods is running
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -4648,10 +4948,6 @@
@@ -4682,10 +4978,17 @@
pairs. A single {key,value}
@@ -4698,17 +5001,16 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should
be co-located (affinity) or
@@ -4724,12 +5026,16 @@
running. Empty topologyKey
description: Describes pod anti-affinity
scheduling rules (e.g. avoid putting
this pod in the same node, zone, etc.
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -4750,30 +5056,21 @@
has pods which matches the corresponding
podAffinityTerm; the node(s) with
the highest sum are the most preferred.
description: The weights of all
of the matched WeightedPodAffinityTerm
fields are added per-node to find
the most preferred node(s)
description: Required. A pod
affinity term, associated
with the corresponding weight.
description: A label query
description: matchExpressions
@@ -4781,7 +5078,6 @@
@@ -4790,10 +5086,6 @@
@@ -4829,10 +5121,17 @@
pairs. A single {key,value}
@@ -4846,8 +5145,7 @@
"value". The requirements
specifies which namespaces
@@ -4855,9 +5153,9 @@
description: This pod should
@@ -4874,13 +5172,21 @@
is running. Empty topologyKey
description: weight associated
with matching the corresponding
podAffinityTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity
requirements specified by this field
@@ -4896,7 +5202,6 @@
elements, the lists of nodes corresponding
to each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
description: Defines a set of pods
(namely those matching the labelSelector
@@ -4908,22 +5213,17 @@
of the label with key <topologyKey>
matches that of any node on which
a pod of the set of pods is running
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -4931,10 +5231,6 @@
@@ -4965,10 +5261,17 @@
pairs. A single {key,value}
@@ -4981,17 +5284,16 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should
be co-located (affinity) or
@@ -5007,24 +5309,28 @@
running. Empty topologyKey
description: 'NodeSelector is a selector which
must be true for the pod to fit on a node.
Selector which must match a node''s labels
for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
description: If specified, the pod's tolerations.
description: The pod this Toleration is
attached to tolerates any taint that matches
the triple <key,value,effect> using the
matching operator <operator>.
description: Effect indicates the taint
@@ -5059,8 +5365,8 @@
(do not evict). Zero and negative
values will be treated as 0 (evict
immediately) by the system.
description: Value is the taint value
the toleration matches to. If the
@@ -5068,14 +5374,19 @@
be empty, otherwise just a regular
description: Optional service type for Kubernetes
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
description: List of DNSNames that this solver will be
@@ -5085,9 +5396,9 @@
value, the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
description: List of DNSZones that this solver will be
used to solve. The most specific DNS zone match specified
@@ -5098,45 +5409,41 @@
the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
description: A label selector that is used to refine the
set of certificate's that this challenge solver will
description: SecretName is the name of the secret used to sign Certificates
description: Vault authentication
description: This Secret contains a AppRole and Secret
description: Where the authentication path is mounted in
@@ -5145,9 +5452,6 @@
description: The key of the secret to select from. Must
@@ -5157,13 +5461,17 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: This contains a Role and Secret with a ServiceAccount
token to authenticate with vault.
description: The Vault mountPath here is the mount path
@@ -5181,9 +5489,6 @@
description: The required Secret field containing a Kubernetes
ServiceAccount JWT used for authenticating with Vault.
Use of 'ambient credentials' is not supported.
description: The key of the secret to select from. Must
@@ -5193,11 +5498,15 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: This Secret contains the Vault token key
description: The key of the secret to select from. Must
@@ -5207,40 +5516,39 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: Base64 encoded CA bundle to validate Vault server certificate.
Only used if the Server URL is using HTTPS protocol. This parameter
is ignored for plain HTTP protocol connection. If not set the
system root certificates are used to validate the TLS connection.
description: Vault URL path to the certificate role
description: Server is the vault connection address
description: VenafiIssuer describes issuer configuration details for
description: Cloud specifies the Venafi cloud configuration settings.
Only one of TPP or Cloud may be specified.
description: APITokenSecretRef is a secret key selector for
the Venafi Cloud API token.
description: The key of the secret to select from. Must
@@ -5250,52 +5558,60 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: URL is the base URL for Venafi Cloud
description: TPP specifies Trust Protection Platform configuration
settings. Only one of TPP or Cloud may be specified.
- description: CABundle is a PEM encoded TLS certifiate to use+ description: CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system
roots will not be used and the issuing CA for the TPP instance
must be verifiable using the provided root. If not specified,
the connection will be verified using the cert-manager system
description: CredentialsRef is a reference to a Secret containing
the username and password for the TPP server. The secret must
contain two keys, 'username' and 'password'.
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: URL is the base URL for the Venafi TPP instance
description: Zone is the Venafi Policy Zone to use for this issuer.
All requests made to the Venafi platform will be restricted by
the named zone policy. This field is required.
description: IssuerStatus contains status information about an Issuer
description: LastRegisteredEmail is the email associated with the
@@ -5306,21 +5622,17 @@
description: URI is the unique account identifier, which can also
be used to retrieve account details from the CA
description: IssuerCondition contains condition information for an
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
description: Message is a human readable description of the details
of the last transition, complementing reason.
@@ -5332,23 +5644,34 @@
description: Status of the condition, one of ('True', 'False',
description: Type of the condition, currently ('Ready').
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
+ cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls name: orders.acme.cert-manager.io
additionalPrinterColumns:
@@ -5370,22 +5693,26 @@
in RFC3339 form and is in UTC.
+ name: cert-manager-webhook + namespace: cert-manager group: acme.cert-manager.io
- preserveUnknownFields: false+ preserveUnknownFields: false description: Order is a type to represent an Order with an ACME server
description: 'APIVersion defines the versioned schema of this representation
@@ -5400,10 +5727,6 @@
description: CommonName is the common name as specified on the DER encoded
@@ -5416,26 +5739,23 @@
description: Certificate signing request bytes in DER encoding. This
will be used when finalizing the order. This field must be set on
description: DNSNames is a list of DNS names that should be included
as part of the Order validation process. If CommonName is not specified,
the first DNSName specified will be used as the CommonName. At least
one of CommonName or a DNSNames must be set. This field must match
the corresponding field on the DER encoded CSR.
description: IssuerRef references a properly configured ACME-type Issuer
which should be used to create this Order. If the Issuer does not
exist, processing will be retried. If the Issuer is not an 'ACME'
Issuer, an error will be returned and the Order will be marked as
@@ -5443,37 +5763,33 @@
description: Authorizations contains data returned from the ACME server
- on what authoriations must be completed in order to validate the DNS- names specified on the Order.+ on what authorizations must be completed in order to validate the + DNS names specified on the Order. description: ACMEAuthorization contains data returned from the ACME
server on an authorization that must be completed in order validate
a DNS name on an ACME Order resource.
description: Challenges specifies the challenge types offered
by the ACME server. One of these challenge types will be selected
when validating the DNS name and an appropriate Challenge resource
will be created to perform the ACME challenge process.
description: Challenge specifies a challenge offered by the
ACME server for an Order. An appropriate Challenge resource
can be created to perform the ACME challenge process.
description: Token is the token that must be presented for
@@ -5489,6 +5805,12 @@
used to retrieve additional metadata about the Challenge
description: Identifier is the DNS name to be validated as part
@@ -5504,18 +5826,22 @@
'*.example.com' is the DNS name being validated, this field
will be 'true' and the 'identifier' field will be 'example.com'.
description: Certificate is a copy of the PEM encoded certificate for
this Order. This field will be populated after the order has been
successfully finalized with the ACME server, and the order has transitioned
description: FailureTime stores the time that this order failed. This
is used to influence garbage collection and back-off.
description: FinalizeURL of the Order. This is used to obtain certificates
for this order once it has been completed.
@@ -5527,7 +5853,6 @@
description: State contains the current state of this Order resource.
States 'success' and 'expired' are 'final'
@@ -5536,18 +5861,25 @@
description: URL of the Order. This will initially be empty when the
resource is first created. The Order controller will populate this
field when the Order is first processed. This field will be immutable
after it is initially set.
----
@@ -5564,9 +5896,9 @@
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v0.14.3 # Source: cert-manager/templates/serviceaccount.yaml
@@ -5579,9 +5911,9 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 # Source: cert-manager/templates/webhook-serviceaccount.yaml
@@ -5593,8 +5925,9 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v0.14.3 # Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -5605,8 +5938,9 @@
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v0.14.3 - apiGroups: ["cert-manager.io"]
resources: ["certificates"]
@@ -5627,216 +5961,60 @@
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update"]
-apiVersion: rbac.authorization.k8s.io/v1beta1-kind: ClusterRoleBinding- name: cert-manager-cainjector- app.kubernetes.io/name: cainjector- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- apiGroup: rbac.authorization.k8s.io- name: cert-manager-cainjector- - name: cert-manager-cainjector- namespace: "cert-manager"----
-apiVersion: rbac.authorization.k8s.io/v1beta1- name: cert-manager-cainjector:leaderelection- app.kubernetes.io/name: cainjector- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- # Used for leader election by the controller- # TODO: refine the permission to *just* the leader election configmap- resources: ["configmaps"]- verbs: ["get", "create", "update", "patch"]----
-# grant cert-manager permission to manage the leaderelection configmap in the-# leader election namespace-apiVersion: rbac.authorization.k8s.io/v1beta1- name: cert-manager-cainjector:leaderelection- app.kubernetes.io/name: cainjector- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- apiGroup: rbac.authorization.k8s.io- name: cert-manager-cainjector:leaderelection- name: cert-manager-cainjector- namespace: cert-manager----
-# Source: cert-manager/templates/webhook-rbac.yaml----
-# apiserver gets the auth-delegator role to delegate auth decisions to-apiVersion: rbac.authorization.k8s.io/v1beta1-kind: ClusterRoleBinding- name: cert-manager-webhook:auth-delegator- app.kubernetes.io/name: webhook- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- apiGroup: rbac.authorization.k8s.io- name: system:auth-delegator- name: cert-manager-webhook- namespace: cert-manager----
-# apiserver gets the ability to read authentication. This allows it to-# read the specific configmap that has the requestheader-* entries to-apiVersion: rbac.authorization.k8s.io/v1beta1- name: cert-manager-webhook:webhook-authentication-reader- app.kubernetes.io/name: webhook- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- apiGroup: rbac.authorization.k8s.io- name: extension-apiserver-authentication-reader- name: cert-manager-webhook- namespace: cert-manager----
+# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1
- name: cert-manager-webhook:webhook-requester- app.kubernetes.io/name: webhook- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- - admission.cert-manager.io----
-# Source: cert-manager/templates/rbac.yaml-apiVersion: rbac.authorization.k8s.io/v1beta1- name: cert-manager:leaderelection+ name: cert-manager-view app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" - # Used for leader election by the controller- # TODO: refine the permission to *just* the leader election configmap- resources: ["configmaps"]- verbs: ["get", "create", "update", "patch"]+ - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"]
-# grant cert-manager permission to manage the leaderelection configmap in the-# leader election namespace+# Source: cert-manager/templates/rbac.yaml +# ingress-shim controller role apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager:leaderelection+ name: cert-manager-controller-ingress-shim app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- apiGroup: rbac.authorization.k8s.io- name: cert-manager:leaderelection- namespace: cert-manager----
-# Issuer controller role-apiVersion: rbac.authorization.k8s.io/v1beta1- name: cert-manager-controller-issuers- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 - apiGroups: ["cert-manager.io"]
- resources: ["issuers", "issuers/status"]+ resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["ingresses"] verbs: ["get", "list", "watch"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["extensions"] + resources: ["ingresses/finalizers"] verbs: ["create", "patch"]
+# Source: cert-manager/templates/rbac.yaml # ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -5846,8 +6024,9 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 - apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
@@ -5861,9 +6040,8 @@
verbs: ["create", "patch"]
+# Source: cert-manager/templates/rbac.yaml # Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -5873,8 +6051,9 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 - apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
@@ -5897,48 +6076,8 @@
verbs: ["create", "patch"]
-# Orders controller role-apiVersion: rbac.authorization.k8s.io/v1beta1- name: cert-manager-controller-orders- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- - apiGroups: ["acme.cert-manager.io"]- resources: ["orders", "orders/status"]- - apiGroups: ["acme.cert-manager.io"]- resources: ["orders", "challenges"]- verbs: ["get", "list", "watch"]- - apiGroups: ["cert-manager.io"]- resources: ["clusterissuers", "issuers"]- verbs: ["get", "list", "watch"]- - apiGroups: ["acme.cert-manager.io"]- resources: ["challenges"]- verbs: ["create", "delete"]- # We require these rules to support users with the OwnerReferencesPermissionEnforcement- # admission controller enabled:- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement- - apiGroups: ["acme.cert-manager.io"]- resources: ["orders/finalizers"]- verbs: ["get", "list", "watch"]- verbs: ["create", "patch"]----
+# Source: cert-manager/templates/rbac.yaml # Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -5948,8 +6087,9 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 # Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
@@ -5978,6 +6118,12 @@
- apiGroups: ["extensions"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
+ # We require the ability to specify a custom hostname when we are creating + # new ingress resources. + # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 + - apiGroups: ["route.openshift.io"] + resources: ["routes/custom-host"] # We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
@@ -5988,42 +6134,114 @@
verbs: ["get", "list", "watch"]
-# ingress-shim controller role+# Source: cert-manager/templates/rbac.yaml +# Orders controller role apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-ingress-shim+ name: cert-manager-controller-orders + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["get", "list", "watch"] + verbs: ["create", "patch"] +# Source: cert-manager/templates/rbac.yaml +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 + name: cert-manager-controller-issuers app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests"]- verbs: ["create", "update", "delete"]+ resources: ["issuers", "issuers/status"] - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions"]- resources: ["ingresses"]- verbs: ["get", "list", "watch"]- # We require these rules to support users with the OwnerReferencesPermissionEnforcement- # admission controller enabled:- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement- - apiGroups: ["extensions"]- resources: ["ingresses/finalizers"]+ verbs: ["get", "list", "watch", "create", "update", "delete"] verbs: ["create", "patch"]
+# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 + name: cert-manager-edit + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"]
+# Source: cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding + name: cert-manager-cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v0.14.3 + apiGroup: rbac.authorization.k8s.io + name: cert-manager-cainjector + - name: cert-manager-cainjector + namespace: "cert-manager" +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6032,8 +6250,9 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 apiGroup: rbac.authorization.k8s.io
@@ -6042,9 +6261,29 @@
namespace: "cert-manager"
+# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding + name: cert-manager-controller-orders + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 + apiGroup: rbac.authorization.k8s.io + name: cert-manager-controller-orders + namespace: "cert-manager" +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6053,8 +6292,9 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 apiGroup: rbac.authorization.k8s.io
@@ -6063,9 +6303,50 @@
namespace: "cert-manager"
+# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding + name: cert-manager-controller-ingress-shim + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 + apiGroup: rbac.authorization.k8s.io + name: cert-manager-controller-ingress-shim + namespace: "cert-manager"
+# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding + name: cert-manager-controller-challenges + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 + apiGroup: rbac.authorization.k8s.io + name: cert-manager-controller-challenges + namespace: "cert-manager" +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6074,8 +6355,9 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 apiGroup: rbac.authorization.k8s.io
@@ -6084,112 +6366,98 @@
namespace: "cert-manager"
-apiVersion: rbac.authorization.k8s.io/v1beta1-kind: ClusterRoleBinding- name: cert-manager-controller-orders- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- apiGroup: rbac.authorization.k8s.io- name: cert-manager-controller-orders- namespace: "cert-manager"----
+# Source: cert-manager/templates/cainjector-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding- name: cert-manager-controller-challenges+ name: cert-manager-cainjector:leaderelection
- app.kubernetes.io/name: cert-manager+ app.kubernetes.io/name: cainjector app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- apiGroup: rbac.authorization.k8s.io- name: cert-manager-controller-challenges- namespace: "cert-manager"+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v0.14.3 + # Used for leader election by the controller + # TODO: refine the permission to *just* the leader election configmap + resources: ["configmaps"] + verbs: ["get", "create", "update", "patch"]
+# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding- name: cert-manager-controller-ingress-shim+ name: cert-manager:leaderelection app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 + # Used for leader election by the controller + # TODO: refine the permission to *just* the leader election configmap + resources: ["configmaps"] + verbs: ["get", "create", "update", "patch"] +# Source: cert-manager/templates/cainjector-rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1beta1 + name: cert-manager-cainjector:leaderelection + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v0.14.3 apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-ingress-shim+ name: cert-manager-cainjector:leaderelection
- namespace: "cert-manager"+ name: cert-manager-cainjector + namespace: cert-manager
-apiVersion: rbac.authorization.k8s.io/v1+# Source: cert-manager/templates/rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1beta1 - name: cert-manager-view+ name: cert-manager:leaderelection app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- rbac.authorization.k8s.io/aggregate-to-view: "true"- rbac.authorization.k8s.io/aggregate-to-edit: "true"- rbac.authorization.k8s.io/aggregate-to-admin: "true"- - apiGroups: ["cert-manager.io"]- resources: ["certificates", "certificaterequests", "issuers"]- verbs: ["get", "list", "watch"]----
-apiVersion: rbac.authorization.k8s.io/v1- name: cert-manager-edit- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0- rbac.authorization.k8s.io/aggregate-to-edit: "true"- rbac.authorization.k8s.io/aggregate-to-admin: "true"- - apiGroups: ["cert-manager.io"]- resources: ["certificates", "certificaterequests", "issuers"]- verbs: ["create", "delete", "deletecollection", "patch", "update"]+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 + apiGroup: rbac.authorization.k8s.io + name: cert-manager:leaderelection + namespace: cert-manager # Source: cert-manager/templates/service.yaml
@@ -6199,8 +6467,9 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3 @@ -6210,7 +6479,7 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller" # Source: cert-manager/templates/webhook-service.yaml
@@ -6222,8 +6491,9 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v0.14.3 @@ -6231,10 +6501,9 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller+ app.kubernetes.io/component: "webhook" # Source: cert-manager/templates/cainjector-deployment.yaml
@@ -6246,30 +6515,31 @@
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v0.14.3
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller+ app.kubernetes.io/component: "cainjector" app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v0.14.3 serviceAccountName: cert-manager-cainjector
- image: "quay.io/jetstack/cert-manager-cainjector:v0.13.0"+ image: "quay.io/jetstack/cert-manager-cainjector:v0.14.3" imagePullPolicy: IfNotPresent
@@ -6281,8 +6551,6 @@
fieldPath: metadata.namespace
# Source: cert-manager/templates/deployment.yaml
@@ -6294,24 +6562,25 @@
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.14.3
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller+ app.kubernetes.io/component: "controller" app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/component: "controller" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v0.14.3 prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
@@ -6320,7 +6589,7 @@
serviceAccountName: cert-manager
- image: "quay.io/jetstack/cert-manager-controller:v0.13.0"+ image: "quay.io/jetstack/cert-manager-controller:v0.14.3" imagePullPolicy: IfNotPresent
@@ -6339,11 +6608,7 @@
fieldPath: metadata.namespace
# Source: cert-manager/templates/webhook-deployment.yaml
@@ -6355,30 +6620,31 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v0.14.3
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller+ app.kubernetes.io/component: "webhook" app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v0.14.3 serviceAccountName: cert-manager-webhook
- image: "quay.io/jetstack/cert-manager-webhook:v0.13.0"+ image: "quay.io/jetstack/cert-manager-webhook:v0.14.3" imagePullPolicy: IfNotPresent
@@ -6402,7 +6668,6 @@
fieldPath: metadata.namespace
@@ -6420,8 +6685,9 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v0.14.3 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
@@ -6432,12 +6698,14 @@
+ # Only include 'sideEffects' field in Kubernetes 1.12+ @@ -6445,46 +6713,6 @@
namespace: "cert-manager"
-# Source: cert-manager/templates/cainjector-psp-clusterrole.yaml----
-# Source: cert-manager/templates/cainjector-psp-clusterrolebinding.yaml----
-# Source: cert-manager/templates/cainjector-psp.yaml----
-# Source: cert-manager/templates/psp-clusterrole.yaml----
-# Source: cert-manager/templates/psp-clusterrolebinding.yaml----
-# Source: cert-manager/templates/psp.yaml----
-# Source: cert-manager/templates/servicemonitor.yaml----
-# Source: cert-manager/templates/webhook-psp-clusterrole.yaml----
-# Source: cert-manager/templates/webhook-psp-clusterrolebinding.yaml----
-# Source: cert-manager/templates/webhook-psp.yaml----
# Source: cert-manager/templates/webhook-validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
@@ -6494,8 +6722,9 @@
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.13.0+ app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v0.14.3 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"
@@ -6516,15 +6745,17 @@
+ # Only include 'sideEffects' field in Kubernetes 1.12+ name: cert-manager-webhook
namespace: "cert-manager"
