    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: cert-manager.io
  preserveUnknownFields: false
  conversion:
    # a Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
    strategy: Webhook
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by the API server.
    webhookClientConfig:
      service:
        namespace: 'cert-manager'
        name: 'cert-manager-webhook'
        path: /convert
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
    - cr
    - crs
    singular: certificaterequest
  scope: Namespaced
  subresources:
    status: {}
  versions:
  - name: v1alpha2
    served: true
    storage: true
    "schema":
      "openAPIV3Schema":
        description: "A CertificateRequest is used to request a signed certificate
          from one of the configured issuers. \n All fields within the CertificateRequest's
          `spec` are immutable after creation. A CertificateRequest will either succeed
          or fail, as denoted by its `status.state` field. \n A CertificateRequest
          is a 'one-shot' resource, meaning it represents a single point in time request
          for a certificate and cannot be re-used."
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Desired state of the CertificateRequest resource.
            type: object
            required:
            - csr
            - issuerRef
            properties:
              csr:
                description: The PEM-encoded x509 certificate signing request to be
                  submitted to the CA for signing.
                type: string
                format: byte
              duration:
                description: The requested 'duration' (i.e. lifetime) of the Certificate.
                  This option may be ignored/overridden by some issuer types.
                type: string
              isCA:
                description: IsCA will request to mark the certificate as valid for
                  certificate signing when submitting to the issuer. This will automatically
                  add the `cert sign` usage to the list of `usages`.
                type: boolean
              issuerRef:
                description: IssuerRef is a reference to the issuer for this CertificateRequest. If
                  the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the CertificateRequest
                  will be used. If the 'kind' field is set to 'ClusterIssuer', a
                  ClusterIssuer with the provided name will be used. The 'name' field
                  in this stanza is required at all times. The group field refers
                  to the API group of the issuer which defaults to 'cert-manager.io'
                  if empty.
                type: object
                required:
                - name
                properties:
                  group:
                    description: Group of the resource being referred to.
                    type: string
                  kind:
                    description: Kind of the resource being referred to.
                    type: string
                  name:
                    description: Name of the resource being referred to.
                    type: string
              usages:
                description: Usages is the set of x509 usages that are requested for
                  the certificate. Defaults to `digital signature` and `key encipherment`
                  if not specified.
                type: array
                items:
                  description: 'KeyUsage specifies valid usage contexts for keys.
          status:
            description: Status of the CertificateRequest. This is set and managed
              automatically.
            type: object
            properties:
              ca:
                description: The PEM encoded x509 certificate of the signer, also
                  known as the CA (Certificate Authority). This is set on a best-effort
                  basis by different issuers. If not set, the CA is assumed to be
                  unknown/not available.
                type: string
                format: byte
              certificate:
                description: The PEM encoded x509 certificate resulting from the certificate
                  signing request. If not set, the CertificateRequest has either not
                  been completed or has failed. More information on failure can be
                  found by checking the `conditions` field.
                type: string
                format: byte
              conditions:
                description: List of status conditions to indicate the status of a
                  CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
                type: array
                items:
                  description: CertificateRequestCondition contains condition information
                    for a CertificateRequest.
                  type: object
                  required:
                  - status
                  - type
                  properties:
                    lastTransitionTime:
                      description: LastTransitionTime is the timestamp corresponding
                        to the last status change of this condition.
                      type: string
                      format: date-time
                    message:
                      description: Message is a human readable description of the
                        details of the last transition, complementing reason.
                      type: string
                    reason:
                      description: Reason is a brief machine readable explanation
                        for the condition's last transition.
                      type: string
                    status:
                      description: Status of the condition, one of ('True', 'False',
                        'Unknown').
                      type: string
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                    type:
                      description: Type of the condition, known values are ('Ready',
                        'InvalidRequest').
                      type: string
              failureTime:
                description: FailureTime stores the time that this CertificateRequest
                  failed. This is used to influence garbage collection and back-off.
                type: string
                format: date-time
  - name: v1alpha3
    served: true
    storage: false
    "schema":
      "openAPIV3Schema":
        description: "A CertificateRequest is used to request a signed certificate
          from one of the configured issuers. \n All fields within the CertificateRequest's
          `spec` are immutable after creation. A CertificateRequest will either succeed
          or fail, as denoted by its `status.state` field. \n A CertificateRequest
          is a 'one-shot' resource, meaning it represents a single point in time request
          for a certificate and cannot be re-used."
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Desired state of the CertificateRequest resource.
            type: object
            required:
            - csr
            - issuerRef
            properties:
              csr:
                description: The PEM-encoded x509 certificate signing request to be
                  submitted to the CA for signing.
                type: string
                format: byte
              duration:
                description: The requested 'duration' (i.e. lifetime) of the Certificate.
                  This option may be ignored/overridden by some issuer types.
                type: string
              isCA:
                description: IsCA will request to mark the certificate as valid for
                  certificate signing when submitting to the issuer. This will automatically
                  add the `cert sign` usage to the list of `usages`.
                type: boolean
              issuerRef:
                description: IssuerRef is a reference to the issuer for this CertificateRequest. If
                  the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the CertificateRequest
                  will be used. If the 'kind' field is set to 'ClusterIssuer', a
                  ClusterIssuer with the provided name will be used. The 'name' field
                  in this stanza is required at all times. The group field refers
                  to the API group of the issuer which defaults to 'cert-manager.io'
                  if empty.
                type: object
                required:
                - name
                properties:
                  group:
                    description: Group of the resource being referred to.
                    type: string
                  kind:
                    description: Kind of the resource being referred to.
                    type: string
                  name:
                    description: Name of the resource being referred to.
                    type: string
              usages:
                description: Usages is the set of x509 usages that are requested for
                  the certificate. Defaults to `digital signature` and `key encipherment`
                  if not specified.
                type: array
                items:
                  description: 'KeyUsage specifies valid usage contexts for keys.
          status:
            description: Status of the CertificateRequest. This is set and managed
              automatically.
            type: object
            properties:
              ca:
                description: The PEM encoded x509 certificate of the signer, also
                  known as the CA (Certificate Authority). This is set on a best-effort
                  basis by different issuers. If not set, the CA is assumed to be
                  unknown/not available.
                type: string
                format: byte
              certificate:
                description: The PEM encoded x509 certificate resulting from the certificate
                  signing request. If not set, the CertificateRequest has either not
                  been completed or has failed. More information on failure can be
                  found by checking the `conditions` field.
                type: string
                format: byte
              conditions:
                description: List of status conditions to indicate the status of a
                  CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
                type: array
                items:
                  description: CertificateRequestCondition contains condition information
                    for a CertificateRequest.
                  type: object
                  required:
                  - status
                  - type
                  properties:
                    lastTransitionTime:
                      description: LastTransitionTime is the timestamp corresponding
                        to the last status change of this condition.
                      type: string
                      format: date-time
                    message:
                      description: Message is a human readable description of the
                        details of the last transition, complementing reason.
                      type: string
                    reason:
                      description: Reason is a brief machine readable explanation
                        for the condition's last transition.
                      type: string
                    status:
                      description: Status of the condition, one of ('True', 'False',
                        'Unknown').
                      type: string
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                    type:
                      description: Type of the condition, known values are ('Ready',
                        'InvalidRequest').
                      type: string
              failureTime:
                description: FailureTime stores the time that this CertificateRequest
                  failed. This is used to influence garbage collection and back-off.
                type: string
                format: date-time
  - name: v1beta1
    served: true
    storage: false
    "schema":
      "openAPIV3Schema":
        description: "A CertificateRequest is used to request a signed certificate
          from one of the configured issuers. \n All fields within the CertificateRequest's
          `spec` are immutable after creation. A CertificateRequest will either succeed
          or fail, as denoted by its `status.state` field. \n A CertificateRequest
          is a 'one-shot' resource, meaning it represents a single point in time request
          for a certificate and cannot be re-used."
        type: object
        required:
        - spec
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Desired state of the CertificateRequest resource.
            type: object
            required:
            - issuerRef
            - request
            properties:
              duration:
                description: The requested 'duration' (i.e. lifetime) of the Certificate.
                  This option may be ignored/overridden by some issuer types.
                type: string
              isCA:
                description: IsCA will request to mark the certificate as valid for
                  certificate signing when submitting to the issuer. This will automatically
                  add the `cert sign` usage to the list of `usages`.
                type: boolean
              issuerRef:
                description: IssuerRef is a reference to the issuer for this CertificateRequest. If
                  the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the CertificateRequest
                  will be used. If the 'kind' field is set to 'ClusterIssuer', a
                  ClusterIssuer with the provided name will be used. The 'name' field
                  in this stanza is required at all times. The group field refers
                  to the API group of the issuer which defaults to 'cert-manager.io'
                  if empty.
                type: object
                required:
                - name
                properties:
                  group:
                    description: Group of the resource being referred to.
                    type: string
                  kind:
                    description: Kind of the resource being referred to.
                    type: string
                  name:
                    description: Name of the resource being referred to.
                    type: string
              request:
                description: The PEM-encoded x509 certificate signing request to be
                  submitted to the CA for signing.
                type: string
                format: byte
              usages:
                description: Usages is the set of x509 usages that are requested for
                  the certificate. Defaults to `digital signature` and `key encipherment`
                  if not specified.
                type: array
                items:
                  description: 'KeyUsage specifies valid usage contexts for keys.
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: cert-manager.io
  preserveUnknownFields: false
  conversion:
    # a Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
    strategy: Webhook
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by the API server.
    webhookClientConfig:
      service:
        namespace: 'cert-manager'
        name: 'cert-manager-webhook'
        path: /convert
  names:
    kind: Certificate
    listKind: CertificateList
    plural: certificates
    shortNames:
    - cert
    - certs
    singular: certificate
  scope: Namespaced
  subresources:
    status: {}
  versions:
  - name: v1alpha2
    served: true
    storage: true
    "schema":
      "openAPIV3Schema":
        description: "A Certificate resource should be created to ensure an up to
          date and signed x509 certificate is stored in the Kubernetes Secret resource
          named in `spec.secretName`. \n The stored certificate will be renewed before
          it expires (as configured by `spec.renewBefore`)."
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Desired state of the Certificate resource.
            type: object
            required:
            - issuerRef
            - secretName
            properties:
              commonName:
                description: 'CommonName is a common name to be used on the Certificate.
                  The CommonName should have a length of 64 characters or fewer to
                  avoid generating invalid CSRs. This value is ignored by TLS clients
                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                type: string
              dnsNames:
                description: DNSNames is a list of DNS subjectAltNames to be set on
                  the Certificate.
                type: array
                items:
                  type: string
              duration:
                description: The requested 'duration' (i.e. lifetime) of the Certificate.
                  This option may be ignored/overridden by some issuer types. If overridden
                  and `renewBefore` is greater than the actual certificate duration,
                  the certificate will be automatically renewed 2/3rds of the way
                  through the certificate's duration.
                type: string
              emailSANs:
                description: EmailSANs is a list of email subjectAltNames to be set
                  on the Certificate.
                type: array
                items:
                  type: string
              ipAddresses:
                description: IPAddresses is a list of IP address subjectAltNames to
                  be set on the Certificate.
                type: array
                items:
                  type: string
              isCA:
                description: IsCA will mark this Certificate as valid for certificate
                  signing. This will automatically add the `cert sign` usage to the
                  list of `usages`.
                type: boolean
              issuerRef:
                description: IssuerRef is a reference to the issuer for this certificate.
                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the Certificate will
                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                  with the provided name will be used. The 'name' field in this stanza
                  is required at all times.
                type: object
                required:
                - name
                properties:
                  group:
                    description: Group of the resource being referred to.
                    type: string
                  kind:
                    description: Kind of the resource being referred to.
                    type: string
                  name:
                    description: Name of the resource being referred to.
                    type: string
              keyAlgorithm:
                description: KeyAlgorithm is the private key algorithm of the corresponding
                  private key for this certificate. If provided, allowed values are
                  either "rsa" or "ecdsa". If `keyAlgorithm` is specified and `keySize`
                  is not provided, key size of 256 will be used for "ecdsa" key algorithm
                  and key size of 2048 will be used for "rsa" key algorithm.
                type: string
                enum:
                - rsa
                - ecdsa
              keyEncoding:
                description: KeyEncoding is the private key cryptography standards
                  (PKCS) for this certificate's private key to be encoded in. If provided,
                  allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                  respectively. If KeyEncoding is not specified, then PKCS#1 will
                  be used by default.
                type: string
                enum:
                - pkcs1
                - pkcs8
              keySize:
                description: KeySize is the key bit size of the corresponding private
                  key for this certificate. If `keyAlgorithm` is set to `RSA`, valid
                  values are `2048`, `4096` or `8192`, and will default to `2048`
                  if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values
                  are `256`, `384` or `521`, and will default to `256` if not specified.
          status:
            description: Status of the Certificate. This is set and managed automatically.
            type: object
            properties:
              conditions:
                description: List of status conditions to indicate the status of certificates.
                  Known condition types are `Ready` and `Issuing`.
                type: array
                items:
                  description: CertificateCondition contains condition information
                    for a Certificate.
                  type: object
                  required:
                  - status
                  - type
                  properties:
                    lastTransitionTime:
                      description: LastTransitionTime is the timestamp corresponding
                        to the last status change of this condition.
                      type: string
                      format: date-time
                    message:
                      description: Message is a human readable description of the
                        details of the last transition, complementing reason.
                      type: string
                    reason:
                      description: Reason is a brief machine readable explanation
                        for the condition's last transition.
                      type: string
                    status:
                      description: Status of the condition, one of ('True', 'False',
                        'Unknown').
                      type: string
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                    type:
                      description: Type of the condition, known values are ('Ready',
                        `Issuing`).
                      type: string
              lastFailureTime:
                description: LastFailureTime is the time as recorded by the Certificate
                  controller of the most recent failure to complete a CertificateRequest
                  for this Certificate resource. If set, cert-manager will not re-request
                  another Certificate until 1 hour has elapsed from this time.
                type: string
                format: date-time
              nextPrivateKeySecretName:
                description: The name of the Secret resource containing the private
                  key to be used for the next certificate iteration. The keymanager
                  controller will automatically set this field if the `Issuing` condition
                  is set to `True`. It will automatically unset this field when the
                  Issuing condition is not set or False.
                type: string
              notAfter:
                description: The expiration time of the certificate stored in the
                  secret named by this resource in `spec.secretName`.
                type: string
                format: date-time
              notBefore:
                description: The time after which the certificate stored in the secret
                  named by this resource in spec.secretName is valid.
                type: string
                format: date-time
              renewalTime:
                description: RenewalTime is the time at which the certificate will
                  be next renewed. If not set, no upcoming renewal is scheduled.
                type: string
                format: date-time
              revision:
                description: "The current 'revision' of the certificate as issued.
                  \n When a CertificateRequest resource is created, it will have the
                  `cert-manager.io/certificate-revision` set to one greater than the
                  current value of this field. \n Upon issuance, this field will be
                  set to the value of the annotation on the CertificateRequest resource
                  used to issue the certificate. \n Persisting the value on the CertificateRequest
                  resource allows the certificates controller to know whether a request
                  is part of an old issuance or if it is part of the ongoing revision's
                  issuance by checking if the revision value in the annotation is
                  greater than this field."
                type: integer
  - name: v1alpha3
    served: true
    storage: false
    "schema":
      "openAPIV3Schema":
        description: "A Certificate resource should be created to ensure an up to
          date and signed x509 certificate is stored in the Kubernetes Secret resource
          named in `spec.secretName`. \n The stored certificate will be renewed before
          it expires (as configured by `spec.renewBefore`)."
        type: object
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Desired state of the Certificate resource.
            type: object
            required:
            - issuerRef
            - secretName
            properties:
              commonName:
                description: 'CommonName is a common name to be used on the Certificate.
                  The CommonName should have a length of 64 characters or fewer to
                  avoid generating invalid CSRs. This value is ignored by TLS clients
                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                type: string
              dnsNames:
                description: DNSNames is a list of DNS subjectAltNames to be set on
                  the Certificate.
                type: array
                items:
                  type: string
              duration:
                description: The requested 'duration' (i.e. lifetime) of the Certificate.
                  This option may be ignored/overridden by some issuer types. If overridden
                  and `renewBefore` is greater than the actual certificate duration,
                  the certificate will be automatically renewed 2/3rds of the way
                  through the certificate's duration.
                type: string
              emailSANs:
                description: EmailSANs is a list of email subjectAltNames to be set
                  on the Certificate.
                type: array
                items:
                  type: string
              ipAddresses:
                description: IPAddresses is a list of IP address subjectAltNames to
                  be set on the Certificate.
                type: array
                items:
                  type: string
              isCA:
                description: IsCA will mark this Certificate as valid for certificate
                  signing. This will automatically add the `cert sign` usage to the
                  list of `usages`.
                type: boolean
              issuerRef:
                description: IssuerRef is a reference to the issuer for this certificate.
                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the Certificate will
                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                  with the provided name will be used. The 'name' field in this stanza
                  is required at all times.
                type: object
                required:
                - name
                properties:
                  group:
                    description: Group of the resource being referred to.
                    type: string
                  kind:
                    description: Kind of the resource being referred to.
                    type: string
                  name:
                    description: Name of the resource being referred to.
                    type: string
              keyAlgorithm:
                description: KeyAlgorithm is the private key algorithm of the corresponding
                  private key for this certificate. If provided, allowed values are
                  either "rsa" or "ecdsa". If `keyAlgorithm` is specified and `keySize`
                  is not provided, key size of 256 will be used for "ecdsa" key algorithm
                  and key size of 2048 will be used for "rsa" key algorithm.
                type: string
                enum:
                - rsa
                - ecdsa
              keyEncoding:
                description: KeyEncoding is the private key cryptography standards
                  (PKCS) for this certificate's private key to be encoded in. If provided,
                  allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
                  respectively. If KeyEncoding is not specified, then PKCS#1 will
                  be used by default.
                type: string
                enum:
                - pkcs1
                - pkcs8
              keySize:
                description: KeySize is the key bit size of the corresponding private
                  key for this certificate. If `keyAlgorithm` is set to `RSA`, valid
                  values are `2048`, `4096` or `8192`, and will default to `2048`
                  if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values
                  are `256`, `384` or `521`, and will default to `256` if not specified.
          status:
            description: Status of the Certificate. This is set and managed automatically.
            type: object
            properties:
              conditions:
                description: List of status conditions to indicate the status of certificates.
                  Known condition types are `Ready` and `Issuing`.
                type: array
                items:
                  description: CertificateCondition contains condition information
                    for a Certificate.
                  type: object
                  required:
                  - status
                  - type
                  properties:
                    lastTransitionTime:
                      description: LastTransitionTime is the timestamp corresponding
                        to the last status change of this condition.
                      type: string
                      format: date-time
                    message:
                      description: Message is a human readable description of the
                        details of the last transition, complementing reason.
                      type: string
                    reason:
                      description: Reason is a brief machine readable explanation
                        for the condition's last transition.
                      type: string
                    status:
                      description: Status of the condition, one of ('True', 'False',
                        'Unknown').
                      type: string
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                    type:
                      description: Type of the condition, known values are ('Ready',
                        `Issuing`).
                      type: string
              lastFailureTime:
                description: LastFailureTime is the time as recorded by the Certificate
                  controller of the most recent failure to complete a CertificateRequest
                  for this Certificate resource. If set, cert-manager will not re-request
                  another Certificate until 1 hour has elapsed from this time.
                type: string
                format: date-time
              nextPrivateKeySecretName:
                description: The name of the Secret resource containing the private
                  key to be used for the next certificate iteration. The keymanager
                  controller will automatically set this field if the `Issuing` condition
                  is set to `True`. It will automatically unset this field when the
                  Issuing condition is not set or False.
                type: string
              notAfter:
                description: The expiration time of the certificate stored in the
                  secret named by this resource in `spec.secretName`.
                type: string
                format: date-time
              notBefore:
                description: The time after which the certificate stored in the secret
                  named by this resource in spec.secretName is valid.
                type: string
                format: date-time
              renewalTime:
                description: RenewalTime is the time at which the certificate will
                  be next renewed. If not set, no upcoming renewal is scheduled.
                type: string
                format: date-time
              revision:
                description: "The current 'revision' of the certificate as issued.
                  \n When a CertificateRequest resource is created, it will have the
                  `cert-manager.io/certificate-revision` set to one greater than the
                  current value of this field. \n Upon issuance, this field will be
                  set to the value of the annotation on the CertificateRequest resource
                  used to issue the certificate. \n Persisting the value on the CertificateRequest
                  resource allows the certificates controller to know whether a request
                  is part of an old issuance or if it is part of the ongoing revision's
                  issuance by checking if the revision value in the annotation is
                  greater than this field."
                type: integer
  - name: v1beta1
    served: true
    storage: false
    "schema":
      "openAPIV3Schema":
        description: "A Certificate resource should be created to ensure an up to
          date and signed x509 certificate is stored in the Kubernetes Secret resource
          named in `spec.secretName`. \n The stored certificate will be renewed before
          it expires (as configured by `spec.renewBefore`)."
        type: object
        required:
        - spec
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Desired state of the Certificate resource.
            type: object
            required:
            - issuerRef
            - secretName
            properties:
              commonName:
                description: 'CommonName is a common name to be used on the Certificate.
                  The CommonName should have a length of 64 characters or fewer to
                  avoid generating invalid CSRs. This value is ignored by TLS clients
                  when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
                type: string
              dnsNames:
                description: DNSNames is a list of DNS subjectAltNames to be set on
                  the Certificate.
                type: array
                items:
                  type: string
              duration:
                description: The requested 'duration' (i.e. lifetime) of the Certificate.
                  This option may be ignored/overridden by some issuer types. If overridden
                  and `renewBefore` is greater than the actual certificate duration,
                  the certificate will be automatically renewed 2/3rds of the way
                  through the certificate's duration.
                type: string
              emailSANs:
                description: EmailSANs is a list of email subjectAltNames to be set
                  on the Certificate.
                type: array
                items:
                  type: string
              ipAddresses:
                description: IPAddresses is a list of IP address subjectAltNames to
                  be set on the Certificate.
                type: array
                items:
                  type: string
              isCA:
                description: IsCA will mark this Certificate as valid for certificate
                  signing. This will automatically add the `cert sign` usage to the
                  list of `usages`.
                type: boolean
              issuerRef:
                description: IssuerRef is a reference to the issuer for this certificate.
                  If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
                  with the given name in the same namespace as the Certificate will
                  be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
                  with the provided name will be used. The 'name' field in this stanza
                  is required at all times.
                type: object
                required:
                - name
                properties:
                  group:
                    description: Group of the resource being referred to.
                    type: string
                  kind:
                    description: Kind of the resource being referred to.
                    type: string
                  name:
                    description: Name of the resource being referred to.
- description: CreationTimestamp is a timestamp representing the server time when
- this object was created. It is not guaranteed to be set in happens-before order
- across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC.
- name: Age
- type: date
- group: acme.cert-manager.io
- preserveUnknownFields: false
- conversion:
- # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
- strategy: Webhook
- # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
- webhookClientConfig:
- service:
- namespace: 'cert-manager'
- name: 'cert-manager-webhook'
- path: /convert
- names:
- kind: Challenge
- listKind: ChallengeList
- plural: challenges
- singular: challenge
- scope: Namespaced
- subresources:
- status: {}
- versions:
- - name: v1alpha2
- served: true
- storage: true
- "schema":
- "openAPIV3Schema":
- description: Challenge is a type to represent a Challenge request with an
- ACME server
- type: object
- required:
- - metadata
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- type: object
- required:
- - authzURL
- - dnsName
- - issuerRef
- - key
- - solver
- - token
- - type
- - url
- properties:
- authzURL:
- description: AuthzURL is the URL to the ACME Authorization resource
- that this challenge is a part of.
- type: string
- dnsName:
- description: DNSName is the identifier that this challenge is for,
- e.g. example.com. If the requested DNSName is a 'wildcard', this
- field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
- it must be `example.com`.
- type: string
- issuerRef:
- description: IssuerRef references a properly configured ACME-type
- Issuer which should be used to create this Challenge. If the Issuer
- does not exist, processing will be retried. If the Issuer is not
- an 'ACME' Issuer, an error will be returned and the Challenge will
- be marked as failed.
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
- key:
- description: 'Key is the ACME challenge key for this challenge. For
- HTTP01 challenges, this is the value that must be responded with
- to complete the HTTP01 challenge in the format: `<private key JWK
- thumbprint>.<key from acme server for challenge>`. For DNS01 challenges,
- this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
- from acme server for challenge>` text that must be set as the TXT
- record content.'
- type: string
- solver:
- description: Solver contains the domain solving configuration that
- should be used to solve this challenge resource.
- type: object
- properties:
- dns01:
- description: Configures cert-manager to attempt to complete authorizations
- by performing the DNS01 challenge flow.
- type: object
- properties:
- acmedns:
- description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
- API to manage DNS01 challenge records.
- type: object
- required:
- - accountSecretRef
- - host
- properties:
- accountSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- host:
- type: string
- akamai:
- description: Use the Akamai DNS zone management API to manage
- DNS01 challenge records.
- type: object
- required:
- - accessTokenSecretRef
- - clientSecretSecretRef
- - clientTokenSecretRef
- - serviceConsumerDomain
- properties:
- accessTokenSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientSecretSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientTokenSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- serviceConsumerDomain:
- type: string
- azuredns:
- description: Use the Microsoft Azure DNS API to manage DNS01
- challenge records.
- type: object
- required:
- - resourceGroupName
- - subscriptionID
- properties:
- clientID:
- description: If both this and ClientSecret are left unset,
- MSI will be used.
- type: string
- clientSecretSecretRef:
- description: If both this and ClientID are left unset,
- MSI will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- environment:
- type: string
- enum:
- - AzurePublicCloud
- - AzureChinaCloud
- - AzureGermanCloud
- - AzureUSGovernmentCloud
- hostedZoneName:
- type: string
- resourceGroupName:
- type: string
- subscriptionID:
- type: string
- tenantID:
- description: When ClientID and ClientSecret are specified,
- this field is also required.
- type: string
- clouddns:
- description: Use the Google Cloud DNS API to manage DNS01
- challenge records.
- type: object
- required:
- - project
- properties:
- hostedZoneName:
- description: HostedZoneName is an optional field that
- tells cert-manager in which Cloud DNS zone the challenge
- record has to be created. If left empty cert-manager
- will automatically choose a zone.
- type: string
- project:
- type: string
- serviceAccountSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- cloudflare:
- description: Use the Cloudflare API to manage DNS01 challenge
- records.
- type: object
- properties:
- apiKeySecretRef:
- description: 'API key to use to authenticate with Cloudflare.
- Note: using an API token to authenticate is now the
- recommended method as it allows greater control of permissions.'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- apiTokenSecretRef:
- description: API token used to authenticate with Cloudflare.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- email:
- description: Email of the account, only required when
- using API key based authentication.
- type: string
- cnameStrategy:
- description: CNAMEStrategy configures how the DNS01 provider
- should handle CNAME records when found in DNS zones.
- type: string
- enum:
- - None
- - Follow
- digitalocean:
- description: Use the DigitalOcean DNS API to manage DNS01
- challenge records.
- type: object
- required:
- - tokenSecretRef
- properties:
- tokenSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- rfc2136:
- description: Use RFC2136 ("Dynamic Updates in the Domain Name
- System") (https://datatracker.ietf.org/doc/rfc2136/) to
- manage DNS01 challenge records.
- type: object
- required:
- - nameserver
- properties:
- nameserver:
- description: The IP address or hostname of an authoritative
- DNS server supporting RFC2136 in the form host:port.
- If the host is an IPv6 address it must be enclosed in
- square brackets (e.g. [2001:db8::1]); port is optional.
- This field is required.
- type: string
- tsigAlgorithm:
- description: 'The TSIG Algorithm configured in the DNS
- supporting RFC2136. Used only when ``tsigSecretSecretRef``
- and ``tsigKeyName`` are defined. Supported values are
- be scheduled onto the node. If the anti-affinity
- requirements specified by this field
- cease to be met at some point during
- pod execution (e.g. due to a pod label
- update), the system may or may not try
- to eventually evict the pod from its
- node. When there are multiple elements,
- the lists of nodes corresponding to
- each podAffinityTerm are intersected,
- i.e. all terms must be satisfied.
- type: array
- items:
- description: Defines a set of pods (namely
- those matching the labelSelector relative
- to the given namespace(s)) that this
- pod should be co-located (affinity)
- or not co-located (anti-affinity)
- with, where co-located is defined
- as running on a node whose value of
- the label with key <topologyKey> matches
- that of any node on which a pod of
- the set of pods is running
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over
- a set of resources, in this case
- pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions
- is a list of label selector
- requirements. The requirements
- are ANDed.
- type: array
- items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
- relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the
- label key that the selector
- applies to.
- type: string
- operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
- type: string
- values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
- merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
- type: object
- additionalProperties:
- type: string
- namespaces:
- description: namespaces specifies
- which namespaces the labelSelector
- applies to (matches against);
- null or empty list means "this
- pod's namespace"
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be
- co-located (affinity) or not co-located
- (anti-affinity) with the pods
- matching the labelSelector in
- the specified namespaces, where
- co-located is defined as running
- on a node whose value of the label
- with key topologyKey matches that
- of any node on which any of the
- selected pods is running. Empty
- topologyKey is not allowed.
- type: string
- nodeSelector:
- description: 'NodeSelector is a selector which
- must be true for the pod to fit on a node. Selector
- which must match a node''s labels for the pod
- to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- type: object
- additionalProperties:
- type: string
- tolerations:
- description: If specified, the pod's tolerations.
- type: array
- items:
- description: The pod this Toleration is attached
- to tolerates any taint that matches the triple
- <key,value,effect> using the matching operator
- <operator>.
- type: object
- properties:
- effect:
- description: Effect indicates the taint
- effect to match. Empty means match all
- taint effects. When specified, allowed
- values are NoSchedule, PreferNoSchedule
- and NoExecute.
- type: string
- key:
- description: Key is the taint key that the
- toleration applies to. Empty means match
- all taint keys. If the key is empty, operator
- must be Exists; this combination means
- to match all values and all keys.
- type: string
- operator:
- description: Operator represents a key's
- relationship to the value. Valid operators
- are Exists and Equal. Defaults to Equal.
- Exists is equivalent to wildcard for value,
- so that a pod can tolerate all taints
- of a particular category.
- type: string
- tolerationSeconds:
- description: TolerationSeconds represents
- the period of time the toleration (which
- must be of effect NoExecute, otherwise
- this field is ignored) tolerates the taint.
- By default, it is not set, which means
- tolerate the taint forever (do not evict).
- Zero and negative values will be treated
- as 0 (evict immediately) by the system.
- type: integer
- format: int64
- value:
- description: Value is the taint value the
- toleration matches to. If the operator
- is Exists, the value should be empty,
- otherwise just a regular string.
- type: string
- serviceType:
- description: Optional service type for Kubernetes solver
- service
- type: string
- selector:
- description: Selector selects a set of DNSNames on the Certificate
- resource that should be solved using this challenge solver.
- If not specified, the solver will be treated as the 'default'
- solver with the lowest priority, i.e. if any other solver has
- a more specific match, it will be used instead.
- type: object
- properties:
- dnsNames:
- description: List of DNSNames that this solver will be used
- to solve. If specified and a match is found, a dnsNames
- selector will take precedence over a dnsZones selector.
- If multiple solvers match with the same dnsNames value,
- the solver with the most matching labels in matchLabels
- will be selected. If neither has more matches, the solver
- defined earlier in the list will be selected.
- type: array
- items:
- type: string
- dnsZones:
- description: List of DNSZones that this solver will be used
- to solve. The most specific DNS zone match specified here
- will take precedence over other DNS zone matches, so a solver
- specifying sys.example.com will be selected over one specifying
- example.com for the domain www.sys.example.com. If multiple
- solvers match with the same dnsZones value, the solver with
- the most matching labels in matchLabels will be selected.
- If neither has more matches, the solver defined earlier
- in the list will be selected.
- type: array
- items:
- type: string
- matchLabels:
- description: A label selector that is used to refine the set
- of certificates that this challenge solver will apply to.
- type: object
- additionalProperties:
- type: string
- token:
- description: Token is the ACME challenge token for this challenge.
- This is the raw value returned from the ACME server.
- type: string
- type:
- description: Type is the type of ACME challenge this resource represents.
- One of "http-01" or "dns-01".
- type: string
- enum:
- - http-01
- - dns-01
- url:
- description: URL is the URL of the ACME Challenge resource for this
- challenge. This can be used to lookup details about the status of
- this challenge.
- type: string
- wildcard:
- description: Wildcard will be true if this challenge is for a wildcard
- identifier, for example '*.example.com'.
- type: boolean
- status:
- type: object
- properties:
- presented:
- description: Presented will be set to true if the challenge values
- for this challenge are currently 'presented'. This *does not* imply
- the self check is passing. Only that the values have been 'submitted'
- for the appropriate challenge mechanism (i.e. the DNS01 TXT record
- has been presented, or the HTTP01 configuration has been configured).
- type: boolean
- processing:
- description: Processing is used to denote whether this challenge should
- be processed or not. This field will only be set to true by the
- 'scheduling' component. It will only be set to false by the 'challenges'
- controller, after the challenge has reached a final state or timed
- out. If this field is set to false, the challenge controller will
- not take any more action.
- type: boolean
- reason:
- description: Reason contains human readable information on why the
- Challenge is in the current state.
- type: string
- state:
- description: State contains the current 'state' of the challenge.
- If not set, the state of the challenge is unknown.
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- - name: v1alpha3
- served: true
- storage: false
- "schema":
- "openAPIV3Schema":
- description: Challenge is a type to represent a Challenge request with an
- ACME server
- type: object
- required:
- - metadata
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- type: object
- required:
- - authzURL
- - dnsName
- - issuerRef
- - key
- - solver
- - token
- - type
- - url
- properties:
- authzURL:
- description: AuthzURL is the URL to the ACME Authorization resource
- that this challenge is a part of.
- type: string
- dnsName:
- description: DNSName is the identifier that this challenge is for,
- e.g. example.com. If the requested DNSName is a 'wildcard', this
- field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
- it must be `example.com`.
- type: string
- issuerRef:
- description: IssuerRef references a properly configured ACME-type
- Issuer which should be used to create this Challenge. If the Issuer
- does not exist, processing will be retried. If the Issuer is not
- an 'ACME' Issuer, an error will be returned and the Challenge will
- be marked as failed.
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
- key:
- description: 'Key is the ACME challenge key for this challenge. For
- HTTP01 challenges, this is the value that must be responded with
- to complete the HTTP01 challenge in the format: `<private key JWK
- thumbprint>.<key from acme server for challenge>`. For DNS01 challenges,
- this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
- from acme server for challenge>` text that must be set as the TXT
- record content.'
- type: string
- solver:
- description: Solver contains the domain solving configuration that
- should be used to solve this challenge resource.
- type: object
- properties:
- dns01:
- description: Configures cert-manager to attempt to complete authorizations
- by performing the DNS01 challenge flow.
- type: object
- properties:
- acmedns:
- description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
- API to manage DNS01 challenge records.
- type: object
- required:
- - accountSecretRef
- - host
- properties:
- accountSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- host:
- type: string
- akamai:
- description: Use the Akamai DNS zone management API to manage
- DNS01 challenge records.
- type: object
- required:
- - accessTokenSecretRef
- - clientSecretSecretRef
- - clientTokenSecretRef
- - serviceConsumerDomain
- properties:
- accessTokenSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientSecretSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientTokenSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- serviceConsumerDomain:
- type: string
- azuredns:
- description: Use the Microsoft Azure DNS API to manage DNS01
- challenge records.
- type: object
- required:
- - resourceGroupName
- - subscriptionID
- properties:
- clientID:
- description: If both this and ClientSecret are left unset,
- MSI will be used.
- type: string
- clientSecretSecretRef:
- description: If both this and ClientID are left unset,
- MSI will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- environment:
- type: string
- enum:
- - AzurePublicCloud
- - AzureChinaCloud
- - AzureGermanCloud
- - AzureUSGovernmentCloud
- hostedZoneName:
- type: string
- resourceGroupName:
- type: string
- subscriptionID:
- type: string
- tenantID:
- description: When ClientID and ClientSecret are specified,
- this field is also required.
- type: string
- clouddns:
- description: Use the Google Cloud DNS API to manage DNS01
- challenge records.
- type: object
- required:
- - project
- properties:
- hostedZoneName:
- description: HostedZoneName is an optional field that
- tells cert-manager in which Cloud DNS zone the challenge
- record has to be created. If left empty cert-manager
- will automatically choose a zone.
- type: string
- project:
- type: string
- serviceAccountSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- cloudflare:
- description: Use the Cloudflare API to manage DNS01 challenge
- records.
- type: object
- properties:
- apiKeySecretRef:
- description: 'API key to use to authenticate with Cloudflare.
- Note: using an API token to authenticate is now the
- recommended method as it allows greater control of permissions.'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- apiTokenSecretRef:
- description: API token used to authenticate with Cloudflare.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- email:
- description: Email of the account, only required when
- using API key based authentication.
- type: string
- cnameStrategy:
- description: CNAMEStrategy configures how the DNS01 provider
- should handle CNAME records when found in DNS zones.
- type: string
- enum:
- - None
- - Follow
- digitalocean:
- description: Use the DigitalOcean DNS API to manage DNS01
- challenge records.
- type: object
- required:
- - tokenSecretRef
- properties:
- tokenSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- rfc2136:
- description: Use RFC2136 ("Dynamic Updates in the Domain Name
- System") (https://datatracker.ietf.org/doc/rfc2136/) to
- manage DNS01 challenge records.
- type: object
- required:
- - nameserver
- properties:
- nameserver:
- description: The IP address or hostname of an authoritative
- DNS server supporting RFC2136 in the form host:port.
- If the host is an IPv6 address it must be enclosed in
- square brackets (e.g. [2001:db8::1]); port is optional.
- This field is required.
- type: string
- tsigAlgorithm:
- description: 'The TSIG Algorithm configured in the DNS
- supporting RFC2136. Used only when ``tsigSecretSecretRef``
- and ``tsigKeyName`` are defined. Supported values are
- be scheduled onto the node. If the anti-affinity
- requirements specified by this field
- cease to be met at some point during
- pod execution (e.g. due to a pod label
- update), the system may or may not try
- to eventually evict the pod from its
- node. When there are multiple elements,
- the lists of nodes corresponding to
- each podAffinityTerm are intersected,
- i.e. all terms must be satisfied.
- type: array
- items:
- description: Defines a set of pods (namely
- those matching the labelSelector relative
- to the given namespace(s)) that this
- pod should be co-located (affinity)
- or not co-located (anti-affinity)
- with, where co-located is defined
- as running on a node whose value of
- the label with key <topologyKey> matches
- that of any node on which a pod of
- the set of pods is running
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over
- a set of resources, in this case
- pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions
- is a list of label selector
- requirements. The requirements
- are ANDed.
- type: array
- items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
- relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the
- label key that the selector
- applies to.
- type: string
- operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
- type: string
- values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
- merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
- type: object
- additionalProperties:
- type: string
- namespaces:
- description: namespaces specifies
- which namespaces the labelSelector
- applies to (matches against);
- null or empty list means "this
- pod's namespace"
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be
- co-located (affinity) or not co-located
- (anti-affinity) with the pods
- matching the labelSelector in
- the specified namespaces, where
- co-located is defined as running
- on a node whose value of the label
- with key topologyKey matches that
- of any node on which any of the
- selected pods is running. Empty
- topologyKey is not allowed.
- type: string
- nodeSelector:
- description: 'NodeSelector is a selector which
- must be true for the pod to fit on a node. Selector
- which must match a node''s labels for the pod
- to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- type: object
- additionalProperties:
- type: string
- tolerations:
- description: If specified, the pod's tolerations.
- type: array
- items:
- description: The pod this Toleration is attached
- to tolerates any taint that matches the triple
- <key,value,effect> using the matching operator
- <operator>.
- type: object
- properties:
- effect:
- description: Effect indicates the taint
- effect to match. Empty means match all
- taint effects. When specified, allowed
- values are NoSchedule, PreferNoSchedule
- and NoExecute.
- type: string
- key:
- description: Key is the taint key that the
- toleration applies to. Empty means match
- all taint keys. If the key is empty, operator
- must be Exists; this combination means
- to match all values and all keys.
- type: string
- operator:
- description: Operator represents a key's
- relationship to the value. Valid operators
- are Exists and Equal. Defaults to Equal.
- Exists is equivalent to wildcard for value,
- so that a pod can tolerate all taints
- of a particular category.
- type: string
- tolerationSeconds:
- description: TolerationSeconds represents
- the period of time the toleration (which
- must be of effect NoExecute, otherwise
- this field is ignored) tolerates the taint.
- By default, it is not set, which means
- tolerate the taint forever (do not evict).
- Zero and negative values will be treated
- as 0 (evict immediately) by the system.
- type: integer
- format: int64
- value:
- description: Value is the taint value the
- toleration matches to. If the operator
- is Exists, the value should be empty,
- otherwise just a regular string.
- type: string
- serviceType:
- description: Optional service type for Kubernetes solver
- service
- type: string
- selector:
- description: Selector selects a set of DNSNames on the Certificate
- resource that should be solved using this challenge solver.
- If not specified, the solver will be treated as the 'default'
- solver with the lowest priority, i.e. if any other solver has
- a more specific match, it will be used instead.
- type: object
- properties:
- dnsNames:
- description: List of DNSNames that this solver will be used
- to solve. If specified and a match is found, a dnsNames
- selector will take precedence over a dnsZones selector.
- If multiple solvers match with the same dnsNames value,
- the solver with the most matching labels in matchLabels
- will be selected. If neither has more matches, the solver
- defined earlier in the list will be selected.
- type: array
- items:
- type: string
- dnsZones:
- description: List of DNSZones that this solver will be used
- to solve. The most specific DNS zone match specified here
- will take precedence over other DNS zone matches, so a solver
- specifying sys.example.com will be selected over one specifying
- example.com for the domain www.sys.example.com. If multiple
- solvers match with the same dnsZones value, the solver with
- the most matching labels in matchLabels will be selected.
- If neither has more matches, the solver defined earlier
- in the list will be selected.
- type: array
- items:
- type: string
- matchLabels:
- description: A label selector that is used to refine the set
- of certificates that this challenge solver will apply to.
- type: object
- additionalProperties:
- type: string
- token:
- description: Token is the ACME challenge token for this challenge.
- This is the raw value returned from the ACME server.
- type: string
- type:
- description: Type is the type of ACME challenge this resource represents.
- One of "http-01" or "dns-01".
- type: string
- enum:
- - http-01
- - dns-01
- url:
- description: URL is the URL of the ACME Challenge resource for this
- challenge. This can be used to lookup details about the status of
- this challenge.
- type: string
- wildcard:
- description: Wildcard will be true if this challenge is for a wildcard
- identifier, for example '*.example.com'.
- type: boolean
- status:
- type: object
- properties:
- presented:
- description: Presented will be set to true if the challenge values
- for this challenge are currently 'presented'. This *does not* imply
- the self check is passing. Only that the values have been 'submitted'
- for the appropriate challenge mechanism (i.e. the DNS01 TXT record
- has been presented, or the HTTP01 configuration has been configured).
- type: boolean
- processing:
- description: Processing is used to denote whether this challenge should
- be processed or not. This field will only be set to true by the
- 'scheduling' component. It will only be set to false by the 'challenges'
- controller, after the challenge has reached a final state or timed
- out. If this field is set to false, the challenge controller will
- not take any more action.
- type: boolean
- reason:
- description: Reason contains human readable information on why the
- Challenge is in the current state.
- type: string
- state:
- description: State contains the current 'state' of the challenge.
- If not set, the state of the challenge is unknown.
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- - name: v1beta1
- served: true
- storage: false
- "schema":
- "openAPIV3Schema":
- description: Challenge is a type to represent a Challenge request with an
- ACME server
- type: object
- required:
- - metadata
- - spec
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- type: object
- required:
- - authorizationURL
- - dnsName
- - issuerRef
- - key
- - solver
- - token
- - type
- - url
- properties:
- authorizationURL:
- description: The URL to the ACME Authorization resource that this
- challenge is a part of.
- type: string
- dnsName:
- description: dnsName is the identifier that this challenge is for,
- e.g. example.com. If the requested DNSName is a 'wildcard', this
- field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
- it must be `example.com`.
- type: string
- issuerRef:
- description: References a properly configured ACME-type Issuer which
- should be used to create this Challenge. If the Issuer does not
- exist, processing will be retried. If the Issuer is not an 'ACME'
- Issuer, an error will be returned and the Challenge will be marked
- as failed.
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
- key:
- description: 'The ACME challenge key for this challenge. For HTTP01
- challenges, this is the value that must be responded with to complete
- the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
- from acme server for challenge>`. For DNS01 challenges, this is
- the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
- from acme server for challenge>` text that must be set as the TXT
- record content.'
- type: string
- solver:
- description: Contains the domain solving configuration that should
- be used to solve this challenge resource.
- type: object
- properties:
- dns01:
- description: Configures cert-manager to attempt to complete authorizations
- by performing the DNS01 challenge flow.
- type: object
- properties:
- acmeDNS:
- description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
- API to manage DNS01 challenge records.
- type: object
- required:
- - accountSecretRef
- - host
- properties:
- accountSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- host:
- type: string
- akamai:
- description: Use the Akamai DNS zone management API to manage
- DNS01 challenge records.
- type: object
- required:
- - accessTokenSecretRef
- - clientSecretSecretRef
- - clientTokenSecretRef
- - serviceConsumerDomain
- properties:
- accessTokenSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientSecretSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientTokenSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- serviceConsumerDomain:
- type: string
- azureDNS:
- description: Use the Microsoft Azure DNS API to manage DNS01
- challenge records.
- type: object
- required:
- - resourceGroupName
- - subscriptionID
- properties:
- clientID:
- description: if both this and ClientSecret are left unset
- MSI will be used
- type: string
- clientSecretSecretRef:
- description: if both this and ClientID are left unset
- MSI will be used
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- environment:
- type: string
- enum:
- - AzurePublicCloud
- - AzureChinaCloud
- - AzureGermanCloud
- - AzureUSGovernmentCloud
- hostedZoneName:
- type: string
- resourceGroupName:
- type: string
- subscriptionID:
- type: string
- tenantID:
- description: when specifying ClientID and ClientSecret
- then this field is also needed
- type: string
- cloudDNS:
- description: Use the Google Cloud DNS API to manage DNS01
- challenge records.
- type: object
- required:
- - project
- properties:
- hostedZoneName:
- description: HostedZoneName is an optional field that
- tells cert-manager in which Cloud DNS zone the challenge
- record has to be created. If left empty cert-manager
- will automatically choose a zone.
- type: string
- project:
- type: string
- serviceAccountSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- cloudflare:
- description: Use the Cloudflare API to manage DNS01 challenge
- records.
- type: object
- properties:
- apiKeySecretRef:
- description: 'API key to use to authenticate with Cloudflare.
- Note: using an API token to authenticate is now the
- recommended method as it allows greater control of permissions.'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- apiTokenSecretRef:
- description: API token used to authenticate with Cloudflare.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- email:
- description: Email of the account, only required when
- using API key based authentication.
- type: string
- cnameStrategy:
- description: CNAMEStrategy configures how the DNS01 provider
- should handle CNAME records when found in DNS zones.
- type: string
- enum:
- - None
- - Follow
- digitalocean:
- description: Use the DigitalOcean DNS API to manage DNS01
- challenge records.
- type: object
- required:
- - tokenSecretRef
- properties:
- tokenSecretRef:
- description: A reference to a specific 'key' within a
- Secret resource. In some instances, `key` is a required
- field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this
- field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred
- to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- rfc2136:
- description: Use RFC2136 ("Dynamic Updates in the Domain Name
- System") (https://datatracker.ietf.org/doc/rfc2136/) to
- manage DNS01 challenge records.
- type: object
- required:
- - nameserver
- properties:
- nameserver:
- description: The IP address or hostname of an authoritative
- DNS server supporting RFC2136 in the form host:port.
- If the host is an IPv6 address it must be enclosed in
- square brackets (e.g. [2001:db8::1]); port is optional.
- This field is required.
- type: string
- tsigAlgorithm:
- description: 'The TSIG Algorithm configured in the DNS
- supporting RFC2136. Used only when ``tsigSecretSecretRef``
- and ``tsigKeyName`` are defined. Supported values are
- description: CreationTimestamp is a timestamp representing the server time when
- this object was created. It is not guaranteed to be set in happens-before order
- across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC.
- name: Age
- type: date
- group: cert-manager.io
- preserveUnknownFields: false
- conversion:
- # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
- strategy: Webhook
- # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
- webhookClientConfig:
- service:
- namespace: 'cert-manager'
- name: 'cert-manager-webhook'
- path: /convert
- names:
- kind: ClusterIssuer
- listKind: ClusterIssuerList
- plural: clusterissuers
- singular: clusterissuer
- scope: Cluster
- subresources:
- status: {}
- versions:
- - name: v1alpha2
- served: true
- storage: true
- "schema":
- "openAPIV3Schema":
- description: A ClusterIssuer represents a certificate issuing authority which
- can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
- however it is cluster-scoped and therefore can be referenced by resources
- that exist in *any* namespace, not just the same namespace as the referent.
- type: object
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Desired state of the ClusterIssuer resource.
- type: object
- properties:
- acme:
- description: ACME configures this issuer to communicate with a RFC8555
- (ACME) server to obtain signed x509 certificates.
- type: object
- required:
- - privateKeySecretRef
- - server
- properties:
- email:
- description: Email is the email address to be associated with
- the ACME account. This field is optional, but it is strongly
- recommended to be set. It will be used to contact you in case
- of issues with your account or certificates, including expiry
- notification emails. This field may be updated after the account
- is initially registered.
- type: string
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external
- account of the ACME server. If set, upon registration cert-manager
- will attempt to associate the given external account credentials
- with the registered ACME account.
- type: object
- required:
- - keyAlgorithm
- - keyID
- - keySecretRef
- properties:
- keyAlgorithm:
- description: keyAlgorithm is the MAC key algorithm that the
- key is used for. Valid values are "HS256", "HS384" and "HS512".
- type: string
- enum:
- - HS256
- - HS384
- - HS512
- keyID:
- description: keyID is the ID of the CA key that the External
- Account is bound to.
- type: string
- keySecretRef:
- description: keySecretRef is a Secret Key Selector referencing
- a data item in a Kubernetes Secret which holds the symmetric
- MAC key of the External Account Binding. The `key` is the
- index string that is paired with the key data in the Secret
- and should not be confused with the key data itself, or
- indeed with the External Account Binding keyID above. The
- secret key stored in the Secret **must** be un-padded, base64
- URL encoded data.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field
- may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- privateKeySecretRef:
- description: PrivateKey is the name of a Kubernetes Secret resource
- that will be used to store the automatically generated ACME
- account private key. Optionally, a `key` may be specified to
- select a specific entry within the named Secret resource. If
- `key` is not specified, a default of `tls.key` will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field may
- be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More
- settings. Only one of TPP or Cloud may be specified.
- type: object
- required:
- - credentialsRef
- - url
- properties:
- caBundle:
- description: CABundle is a PEM encoded TLS certificate to
- use to verify connections to the TPP instance. If specified,
- system roots will not be used and the issuing CA for the
- TPP instance must be verifiable using the provided root.
- If not specified, the connection will be verified using
- the cert-manager system root certificates.
- type: string
- format: byte
- credentialsRef:
- description: CredentialsRef is a reference to a Secret containing
- the username and password for the TPP server. The secret
- must contain two keys, 'username' and 'password'.
- type: object
- required:
- - name
- properties:
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- url:
- description: 'URL is the base URL for the vedsdk endpoint
- of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
- type: string
- zone:
- description: Zone is the Venafi Policy Zone to use for this issuer.
- All requests made to the Venafi platform will be restricted
- by the named zone policy. This field is required.
- type: string
- status:
- description: Status of the ClusterIssuer. This is set and managed automatically.
- type: object
- properties:
- acme:
- description: ACME specific status options. This field should only
- be set if the Issuer is configured to use an ACME server to issue
- certificates.
- type: object
- properties:
- lastRegisteredEmail:
- description: LastRegisteredEmail is the email associated with
- the latest registered ACME account, in order to track changes
- made to registered account associated with the Issuer
- type: string
- uri:
- description: URI is the unique account identifier, which can also
- be used to retrieve account details from the CA
- type: string
- conditions:
- description: List of status conditions to indicate the status of a
- CertificateRequest. Known condition types are `Ready`.
- type: array
- items:
- description: IssuerCondition contains condition information for
- an Issuer.
- type: object
- required:
- - status
- - type
- properties:
- lastTransitionTime:
- description: LastTransitionTime is the timestamp corresponding
- to the last status change of this condition.
- type: string
- format: date-time
- message:
- description: Message is a human readable description of the
- details of the last transition, complementing reason.
- type: string
- reason:
- description: Reason is a brief machine readable explanation
- for the condition's last transition.
- type: string
- status:
- description: Status of the condition, one of ('True', 'False',
- 'Unknown').
- type: string
- enum:
- - "True"
- - "False"
- - Unknown
- type:
- description: Type of the condition, known values are ('Ready').
- type: string
- - name: v1alpha3
- served: true
- storage: false
- "schema":
- "openAPIV3Schema":
- description: A ClusterIssuer represents a certificate issuing authority which
- can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
- however it is cluster-scoped and therefore can be referenced by resources
- that exist in *any* namespace, not just the same namespace as the referent.
- type: object
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Desired state of the ClusterIssuer resource.
- type: object
- properties:
- acme:
- description: ACME configures this issuer to communicate with a RFC8555
- (ACME) server to obtain signed x509 certificates.
- type: object
- required:
- - privateKeySecretRef
- - server
- properties:
- email:
- description: Email is the email address to be associated with
- the ACME account. This field is optional, but it is strongly
- recommended to be set. It will be used to contact you in case
- of issues with your account or certificates, including expiry
- notification emails. This field may be updated after the account
- is initially registered.
- type: string
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external
- account of the ACME server. If set, upon registration cert-manager
- will attempt to associate the given external account credentials
- with the registered ACME account.
- type: object
- required:
- - keyAlgorithm
- - keyID
- - keySecretRef
- properties:
- keyAlgorithm:
- description: keyAlgorithm is the MAC key algorithm that the
- key is used for. Valid values are "HS256", "HS384" and "HS512".
- type: string
- enum:
- - HS256
- - HS384
- - HS512
- keyID:
- description: keyID is the ID of the CA key that the External
- Account is bound to.
- type: string
- keySecretRef:
- description: keySecretRef is a Secret Key Selector referencing
- a data item in a Kubernetes Secret which holds the symmetric
- MAC key of the External Account Binding. The `key` is the
- index string that is paired with the key data in the Secret
- and should not be confused with the key data itself, or
- indeed with the External Account Binding keyID above. The
- secret key stored in the Secret **must** be un-padded, base64
- URL encoded data.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field
- may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- privateKeySecretRef:
- description: PrivateKey is the name of a Kubernetes Secret resource
- that will be used to store the automatically generated ACME
- account private key. Optionally, a `key` may be specified to
- select a specific entry within the named Secret resource. If
- `key` is not specified, a default of `tls.key` will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field may
- be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More
- settings. Only one of TPP or Cloud may be specified.
- type: object
- required:
- - credentialsRef
- - url
- properties:
- caBundle:
- description: CABundle is a PEM encoded TLS certificate to
- use to verify connections to the TPP instance. If specified,
- system roots will not be used and the issuing CA for the
- TPP instance must be verifiable using the provided root.
- If not specified, the connection will be verified using
- the cert-manager system root certificates.
- type: string
- format: byte
- credentialsRef:
- description: CredentialsRef is a reference to a Secret containing
- the username and password for the TPP server. The secret
- must contain two keys, 'username' and 'password'.
- type: object
- required:
- - name
- properties:
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- url:
- description: 'URL is the base URL for the vedsdk endpoint
- of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
- type: string
- zone:
- description: Zone is the Venafi Policy Zone to use for this issuer.
- All requests made to the Venafi platform will be restricted
- by the named zone policy. This field is required.
- type: string
- status:
- description: Status of the ClusterIssuer. This is set and managed automatically.
- type: object
- properties:
- acme:
- description: ACME specific status options. This field should only
- be set if the Issuer is configured to use an ACME server to issue
- certificates.
- type: object
- properties:
- lastRegisteredEmail:
- description: LastRegisteredEmail is the email associated with
- the latest registered ACME account, in order to track changes
- made to registered account associated with the Issuer
- type: string
- uri:
- description: URI is the unique account identifier, which can also
- be used to retrieve account details from the CA
- type: string
- conditions:
- description: List of status conditions to indicate the status of a
- ClusterIssuer. Known condition types are `Ready`.
- type: array
- items:
- description: IssuerCondition contains condition information for
- an Issuer.
- type: object
- required:
- - status
- - type
- properties:
- lastTransitionTime:
- description: LastTransitionTime is the timestamp corresponding
- to the last status change of this condition.
- type: string
- format: date-time
- message:
- description: Message is a human readable description of the
- details of the last transition, complementing reason.
- type: string
- reason:
- description: Reason is a brief machine readable explanation
- for the condition's last transition.
- type: string
- status:
- description: Status of the condition, one of ('True', 'False',
- 'Unknown').
- type: string
- enum:
- - "True"
- - "False"
- - Unknown
- type:
- description: Type of the condition, known values are ('Ready').
- type: string
- - name: v1beta1
- served: true
- storage: false
- "schema":
- "openAPIV3Schema":
- description: A ClusterIssuer represents a certificate issuing authority which
- can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
- however it is cluster-scoped and therefore can be referenced by resources
- that exist in *any* namespace, not just the same namespace as the referent.
- type: object
- required:
- - spec
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Desired state of the ClusterIssuer resource.
- type: object
- properties:
- acme:
- description: ACME configures this issuer to communicate with an RFC 8555
- (ACME) server to obtain signed x509 certificates.
- type: object
- required:
- - privateKeySecretRef
- - server
- properties:
- email:
- description: Email is the email address to be associated with
- the ACME account. This field is optional, but it is strongly
- recommended to be set. It will be used to contact you in case
- of issues with your account or certificates, including expiry
- notification emails. This field may be updated after the account
- is initially registered.
- type: string
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external
- account of the ACME server. If set, upon registration cert-manager
- will attempt to associate the given external account credentials
- with the registered ACME account.
- type: object
- required:
- - keyAlgorithm
- - keyID
- - keySecretRef
- properties:
- keyAlgorithm:
- description: keyAlgorithm is the MAC key algorithm that the
- key is used for. Valid values are "HS256", "HS384" and "HS512".
- type: string
- enum:
- - HS256
- - HS384
- - HS512
- keyID:
- description: keyID is the ID of the CA key that the External
- Account is bound to.
- type: string
- keySecretRef:
- description: keySecretRef is a Secret Key Selector referencing
- a data item in a Kubernetes Secret which holds the symmetric
- MAC key of the External Account Binding. The `key` is the
- index string that is paired with the key data in the Secret
- and should not be confused with the key data itself, or
- indeed with the External Account Binding keyID above. The
- secret key stored in the Secret **must** be un-padded, base64
- URL encoded data.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field
- may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- privateKeySecretRef:
- description: PrivateKey is the name of a Kubernetes Secret resource
- that will be used to store the automatically generated ACME
- account private key. Optionally, a `key` may be specified to
- select a specific entry within the named Secret resource. If
- `key` is not specified, a default of `tls.key` will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field may
- be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More
- description: CreationTimestamp is a timestamp representing the server time when
- this object was created. It is not guaranteed to be set in happens-before order
- across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC.
- name: Age
- type: date
- group: cert-manager.io
- preserveUnknownFields: false
- conversion:
- # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resource versions.
- strategy: Webhook
- # webhookClientConfig is required when strategy is `Webhook`; it configures the webhook endpoint the API server calls.
- webhookClientConfig:
- service:
- namespace: 'cert-manager'
- name: 'cert-manager-webhook'
- path: /convert
- names:
- kind: Issuer
- listKind: IssuerList
- plural: issuers
- singular: issuer
- scope: Namespaced
- subresources:
- status: {}
- versions:
- - name: v1alpha2
- served: true
- storage: true
- "schema":
- "openAPIV3Schema":
- description: An Issuer represents a certificate issuing authority which can
- be referenced as part of `issuerRef` fields. It is scoped to a single namespace
- and can therefore only be referenced by resources within the same namespace.
- type: object
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Desired state of the Issuer resource.
- type: object
- properties:
- acme:
- description: ACME configures this issuer to communicate with an RFC 8555
- (ACME) server to obtain signed x509 certificates.
- type: object
- required:
- - privateKeySecretRef
- - server
- properties:
- email:
- description: Email is the email address to be associated with
- the ACME account. This field is optional, but it is strongly
- recommended to be set. It will be used to contact you in case
- of issues with your account or certificates, including expiry
- notification emails. This field may be updated after the account
- is initially registered.
- type: string
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external
- account of the ACME server. If set, upon registration cert-manager
- will attempt to associate the given external account credentials
- with the registered ACME account.
- type: object
- required:
- - keyAlgorithm
- - keyID
- - keySecretRef
- properties:
- keyAlgorithm:
- description: keyAlgorithm is the MAC key algorithm that the
- key is used for. Valid values are "HS256", "HS384" and "HS512".
- type: string
- enum:
- - HS256
- - HS384
- - HS512
- keyID:
- description: keyID is the ID of the CA key that the External
- Account is bound to.
- type: string
- keySecretRef:
- description: keySecretRef is a Secret Key Selector referencing
- a data item in a Kubernetes Secret which holds the symmetric
- MAC key of the External Account Binding. The `key` is the
- index string that is paired with the key data in the Secret
- and should not be confused with the key data itself, or
- indeed with the External Account Binding keyID above. The
- secret key stored in the Secret **must** be un-padded, base64
- URL encoded data.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field
- may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- privateKeySecretRef:
- description: PrivateKey is the name of a Kubernetes Secret resource
- that will be used to store the automatically generated ACME
- account private key. Optionally, a `key` may be specified to
- select a specific entry within the named Secret resource. If
- `key` is not specified, a default of `tls.key` will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field may
- be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More
- settings. Only one of TPP or Cloud may be specified.
- type: object
- required:
- - credentialsRef
- - url
- properties:
- caBundle:
- description: CABundle is a PEM encoded TLS certificate to
- use to verify connections to the TPP instance. If specified,
- system roots will not be used and the issuing CA for the
- TPP instance must be verifiable using the provided root.
- If not specified, the connection will be verified using
- the cert-manager system root certificates.
- type: string
- format: byte
- credentialsRef:
- description: CredentialsRef is a reference to a Secret containing
- the username and password for the TPP server. The secret
- must contain two keys, 'username' and 'password'.
- type: object
- required:
- - name
- properties:
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- url:
- description: 'URL is the base URL for the vedsdk endpoint
- of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
- type: string
- zone:
- description: Zone is the Venafi Policy Zone to use for this issuer.
- All requests made to the Venafi platform will be restricted
- by the named zone policy. This field is required.
- type: string
- status:
- description: Status of the Issuer. This is set and managed automatically.
- type: object
- properties:
- acme:
- description: ACME specific status options. This field should only
- be set if the Issuer is configured to use an ACME server to issue
- certificates.
- type: object
- properties:
- lastRegisteredEmail:
- description: LastRegisteredEmail is the email associated with
- the latest registered ACME account, in order to track changes
- made to the registered account associated with the Issuer.
- type: string
- uri:
- description: URI is the unique account identifier, which can also
- be used to retrieve account details from the CA
- type: string
- conditions:
- description: List of status conditions to indicate the status of an
- Issuer. Known condition types are `Ready`.
- type: array
- items:
- description: IssuerCondition contains condition information for
- an Issuer.
- type: object
- required:
- - status
- - type
- properties:
- lastTransitionTime:
- description: LastTransitionTime is the timestamp corresponding
- to the last status change of this condition.
- type: string
- format: date-time
- message:
- description: Message is a human readable description of the
- details of the last transition, complementing reason.
- type: string
- reason:
- description: Reason is a brief machine readable explanation
- for the condition's last transition.
- type: string
- status:
- description: Status of the condition, one of ('True', 'False',
- 'Unknown').
- type: string
- enum:
- - "True"
- - "False"
- - Unknown
- type:
- description: Type of the condition, known values are ('Ready').
- type: string
- - name: v1alpha3
- served: true
- storage: false
- "schema":
- "openAPIV3Schema":
- description: An Issuer represents a certificate issuing authority which can
- be referenced as part of `issuerRef` fields. It is scoped to a single namespace
- and can therefore only be referenced by resources within the same namespace.
- type: object
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Desired state of the Issuer resource.
- type: object
- properties:
- acme:
- description: ACME configures this issuer to communicate with an RFC 8555
- (ACME) server to obtain signed x509 certificates.
- type: object
- required:
- - privateKeySecretRef
- - server
- properties:
- email:
- description: Email is the email address to be associated with
- the ACME account. This field is optional, but it is strongly
- recommended to be set. It will be used to contact you in case
- of issues with your account or certificates, including expiry
- notification emails. This field may be updated after the account
- is initially registered.
- type: string
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external
- account of the ACME server. If set, upon registration cert-manager
- will attempt to associate the given external account credentials
- with the registered ACME account.
- type: object
- required:
- - keyAlgorithm
- - keyID
- - keySecretRef
- properties:
- keyAlgorithm:
- description: keyAlgorithm is the MAC key algorithm that the
- key is used for. Valid values are "HS256", "HS384" and "HS512".
- type: string
- enum:
- - HS256
- - HS384
- - HS512
- keyID:
- description: keyID is the ID of the CA key that the External
- Account is bound to.
- type: string
- keySecretRef:
- description: keySecretRef is a Secret Key Selector referencing
- a data item in a Kubernetes Secret which holds the symmetric
- MAC key of the External Account Binding. The `key` is the
- index string that is paired with the key data in the Secret
- and should not be confused with the key data itself, or
- indeed with the External Account Binding keyID above. The
- secret key stored in the Secret **must** be un-padded, base64
- URL encoded data.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field
- may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- privateKeySecretRef:
- description: PrivateKey is the name of a Kubernetes Secret resource
- that will be used to store the automatically generated ACME
- account private key. Optionally, a `key` may be specified to
- select a specific entry within the named Secret resource. If
- `key` is not specified, a default of `tls.key` will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field may
- be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More
- settings. Only one of TPP or Cloud may be specified.
- type: object
- required:
- - credentialsRef
- - url
- properties:
- caBundle:
- description: CABundle is a PEM encoded TLS certificate to
- use to verify connections to the TPP instance. If specified,
- system roots will not be used and the issuing CA for the
- TPP instance must be verifiable using the provided root.
- If not specified, the connection will be verified using
- the cert-manager system root certificates.
- type: string
- format: byte
- credentialsRef:
- description: CredentialsRef is a reference to a Secret containing
- the username and password for the TPP server. The secret
- must contain two keys, 'username' and 'password'.
- type: object
- required:
- - name
- properties:
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- url:
- description: 'URL is the base URL for the vedsdk endpoint
- of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
- type: string
- zone:
- description: Zone is the Venafi Policy Zone to use for this issuer.
- All requests made to the Venafi platform will be restricted
- by the named zone policy. This field is required.
- type: string
- status:
- description: Status of the Issuer. This is set and managed automatically.
- type: object
- properties:
- acme:
- description: ACME specific status options. This field should only
- be set if the Issuer is configured to use an ACME server to issue
- certificates.
- type: object
- properties:
- lastRegisteredEmail:
- description: LastRegisteredEmail is the email associated with
- the latest registered ACME account, in order to track changes
- made to the registered account associated with the Issuer.
- type: string
- uri:
- description: URI is the unique account identifier, which can also
- be used to retrieve account details from the CA
- type: string
- conditions:
- description: List of status conditions to indicate the status of an
- Issuer. Known condition types are `Ready`.
- type: array
- items:
- description: IssuerCondition contains condition information for
- an Issuer.
- type: object
- required:
- - status
- - type
- properties:
- lastTransitionTime:
- description: LastTransitionTime is the timestamp corresponding
- to the last status change of this condition.
- type: string
- format: date-time
- message:
- description: Message is a human readable description of the
- details of the last transition, complementing reason.
- type: string
- reason:
- description: Reason is a brief machine readable explanation
- for the condition's last transition.
- type: string
- status:
- description: Status of the condition, one of ('True', 'False',
- 'Unknown').
- type: string
- enum:
- - "True"
- - "False"
- - Unknown
- type:
- description: Type of the condition, known values are ('Ready').
- type: string
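The `venafi.tpp` settings above (`caBundle`, `credentialsRef`, `url`) have one sharp edge that the `caBundle` description states but is easy to miss: once a bundle is set, the system trust store is no longer consulted, so the bundle must contain the root that actually issued the TPP server's certificate, or every connection to TPP fails closed. The Go program below is an added example written for this page, not cert-manager's own code. It builds a TLS config the way the description specifies (pinned pool when a bundle is given, system roots otherwise, an error rather than a silent fallback when the bundle parses to nothing), verifies a server certificate against that config, and checks that the credentials Secret carries both required keys. The root CA, the server certificate for `tpp.example.com` and the Secret contents are all constructed inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// tppTLSConfig applies the caBundle rule from the schema above: with a bundle,
// only the roots it contains are trusted (system roots are not consulted);
// without one, RootCAs stays nil and Go uses the system roots. A bundle that
// yields no certificate is an error rather than a silent fallback.
func tppTLSConfig(caBundle []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caBundle) == 0 {
		return cfg, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caBundle) {
		return nil, errors.New("caBundle contains no parseable PEM certificate")
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// verifyTPPServerCert performs the check the TLS handshake will perform with
// that config: the presented leaf must chain to cfg.RootCAs and be valid for host.
func verifyTPPServerCert(cfg *tls.Config, leafDER []byte, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// checkTPPCredentials enforces the credentialsRef contract: the Secret's data
// must hold non-empty 'username' and 'password' entries.
func checkTPPCredentials(data map[string][]byte) error {
	for _, k := range []string{"username", "password"} {
		if len(data[k]) == 0 {
			return fmt.Errorf("credentials Secret is missing key %q", k)
		}
	}
	return nil
}

// newTestChain builds a throwaway root CA and a server certificate for host
// signed by it (constructed sample input; a real caBundle is the PEM root that
// actually issued the TPP instance's certificate).
func newTestChain(host string) (bundlePEM, leafDER []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example TPP Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leafDER
}

func main() {
	bundle, leaf := newTestChain("tpp.example.com")
	cfg, err := tppTLSConfig(bundle)
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned root verifies TPP leaf:", verifyTPPServerCert(cfg, leaf, "tpp.example.com"))
	otherBundle, _ := newTestChain("tpp.example.com")
	cfg, _ = tppTLSConfig(otherBundle)
	fmt.Println("unrelated root rejects it:", verifyTPPServerCert(cfg, leaf, "tpp.example.com"))
}
```

The second verification in `main` is the failure mode to watch for in practice: a bundle that holds a perfectly valid root which is simply not the one that issued the TPP certificate is rejected, exactly as the description warns, and no system root will rescue the handshake.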
- - name: v1beta1
- served: true
- storage: false
- "schema":
- "openAPIV3Schema":
- description: An Issuer represents a certificate issuing authority which can
- be referenced as part of `issuerRef` fields. It is scoped to a single namespace
- and can therefore only be referenced by resources within the same namespace.
- type: object
- required:
- - spec
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Desired state of the Issuer resource.
- type: object
- properties:
- acme:
- description: ACME configures this issuer to communicate with an RFC 8555
- (ACME) server to obtain signed x509 certificates.
- type: object
- required:
- - privateKeySecretRef
- - server
- properties:
- email:
- description: Email is the email address to be associated with
- the ACME account. This field is optional, but it is strongly
- recommended to be set. It will be used to contact you in case
- of issues with your account or certificates, including expiry
- notification emails. This field may be updated after the account
- is initially registered.
- type: string
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external
- account of the ACME server. If set, upon registration cert-manager
- will attempt to associate the given external account credentials
- with the registered ACME account.
- type: object
- required:
- - keyAlgorithm
- - keyID
- - keySecretRef
- properties:
- keyAlgorithm:
- description: keyAlgorithm is the MAC key algorithm that the
- key is used for. Valid values are "HS256", "HS384" and "HS512".
- type: string
- enum:
- - HS256
- - HS384
- - HS512
- keyID:
- description: keyID is the ID of the CA key that the External
- Account is bound to.
- type: string
- keySecretRef:
- description: keySecretRef is a Secret Key Selector referencing
- a data item in a Kubernetes Secret which holds the symmetric
- MAC key of the External Account Binding. The `key` is the
- index string that is paired with the key data in the Secret
- and should not be confused with the key data itself, or
- indeed with the External Account Binding keyID above. The
- secret key stored in the Secret **must** be un-padded, base64
- URL encoded data.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field
- may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- privateKeySecretRef:
- description: PrivateKey is the name of a Kubernetes Secret resource
- that will be used to store the automatically generated ACME
- account private key. Optionally, a `key` may be specified to
- select a specific entry within the named Secret resource. If
- `key` is not specified, a default of `tls.key` will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's
- `data` field to be used. Some instances of this field may
- be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More
- description: CreationTimestamp is a timestamp representing the server time when
- this object was created. It is not guaranteed to be set in happens-before order
- across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC.
- name: Age
- type: date
- group: acme.cert-manager.io
- preserveUnknownFields: false
- conversion:
- # A Webhook strategy instructs the API server to call an external webhook for any conversion between custom resource versions.
- strategy: Webhook
- # webhookClientConfig is required when strategy is `Webhook`; it configures the webhook endpoint the API server calls.
- webhookClientConfig:
- service:
- namespace: 'cert-manager'
- name: 'cert-manager-webhook'
- path: /convert
- names:
- kind: Order
- listKind: OrderList
- plural: orders
- singular: order
- scope: Namespaced
- subresources:
- status: {}
- versions:
- - name: v1alpha2
- served: true
- storage: true
- "schema":
- "openAPIV3Schema":
- description: Order is a type to represent an Order with an ACME server
- type: object
- required:
- - metadata
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- type: object
- required:
- - csr
- - dnsNames
- - issuerRef
- properties:
- commonName:
- description: CommonName is the common name as specified on the DER
- encoded CSR. If specified, this value must also be present in `dnsNames`.
- This field must match the corresponding field on the DER encoded
- CSR.
- type: string
- csr:
- description: Certificate signing request bytes in DER encoding. This
- will be used when finalizing the order. This field must be set on
- the order.
- type: string
- format: byte
- dnsNames:
- description: DNSNames is a list of DNS names that should be included
- as part of the Order validation process. This field must match the
- corresponding field on the DER encoded CSR.
- type: array
- items:
- type: string
- issuerRef:
- description: IssuerRef references a properly configured ACME-type
- Issuer which should be used to create this Order. If the Issuer
- does not exist, processing will be retried. If the Issuer is not
- an 'ACME' Issuer, an error will be returned and the Order will be
- marked as failed.
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
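The `spec` fields above are constrained against each other rather than independently: `commonName`, if set, must appear in `dnsNames` and must equal the subject CN of the DER CSR, and `dnsNames` must match the CSR's SAN DNS names. Nothing on this page shows how such a check is written, so the Go program below is an added example written for this page (not cert-manager's Order controller) that enforces those rules on a DER CSR. It also applies the wildcard rule that the `status.authorizations` description lays out, namely that `*.example.com` is authorized as identifier `example.com` with `wildcard: true`. The CSR, the key behind it and the name lists are constructed inside the program; comparing `dnsNames` to the CSR order-insensitively is this example's choice, since the schema only says the fields "must match".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// orderSpec holds the three spec fields the schema ties together.
type orderSpec struct {
	CommonName string
	DNSNames   []string
	CSR        []byte // DER, as in spec.csr
}

// validateOrderSpec checks the invariants the schema states: the CSR must parse
// and carry a valid self-signature; commonName, if set, must be listed in
// dnsNames and equal the CSR subject CN; and dnsNames must match the CSR's SAN
// DNS names (compared order-insensitively here).
func validateOrderSpec(o orderSpec) error {
	csr, err := x509.ParseCertificateRequest(o.CSR)
	if err != nil {
		return fmt.Errorf("csr: not a DER certificate request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("csr: invalid self-signature: %w", err)
	}
	if o.CommonName != "" {
		if !contains(o.DNSNames, o.CommonName) {
			return fmt.Errorf("commonName %q is not present in dnsNames", o.CommonName)
		}
		if csr.Subject.CommonName != o.CommonName {
			return fmt.Errorf("commonName %q does not match CSR CN %q", o.CommonName, csr.Subject.CommonName)
		}
	}
	if !sameSet(o.DNSNames, csr.DNSNames) {
		return fmt.Errorf("dnsNames %v do not match CSR SANs %v", o.DNSNames, csr.DNSNames)
	}
	return nil
}

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

// sameSet compares two name lists ignoring order, without mutating the inputs.
func sameSet(a, b []string) bool {
	a, b = append([]string(nil), a...), append([]string(nil), b...)
	sort.Strings(a)
	sort.Strings(b)
	return reflect.DeepEqual(a, b)
}

// authorizationIdentifier applies the wildcard rule from status.authorizations:
// '*.example.com' is authorized as identifier 'example.com' with wildcard=true.
func authorizationIdentifier(dnsName string) (identifier string, wildcard bool) {
	if strings.HasPrefix(dnsName, "*.") {
		return dnsName[2:], true
	}
	return dnsName, false
}

// newCSR builds a DER CSR for the given names with a throwaway P-256 key
// (constructed sample input).
func newCSR(cn string, dnsNames []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	names := []string{"example.com", "*.example.com"}
	csr := newCSR("example.com", names)
	fmt.Println("consistent:", validateOrderSpec(orderSpec{"example.com", names, csr}))
	extra := append(append([]string{}, names...), "evil.example.org")
	fmt.Println("extra dnsName:", validateOrderSpec(orderSpec{"example.com", extra, csr}))
	id, wc := authorizationIdentifier("*.example.com")
	fmt.Println("identifier:", id, "wildcard:", wc)
}
```

The signature check matters as much as the name comparison: a CSR whose self-signature does not verify proves nothing about possession of the key, and an ACME server will reject it at finalization anyway, so failing early keeps a bad Order from consuming challenge attempts.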
- status:
- type: object
- properties:
- authorizations:
- description: Authorizations contains data returned from the ACME server
- on what authorizations must be completed in order to validate the
- DNS names specified on the Order.
- type: array
- items:
- description: ACMEAuthorization contains data returned from the ACME
- server on an authorization that must be completed in order to validate
- a DNS name on an ACME Order resource.
- type: object
- required:
- - url
- properties:
- challenges:
- description: Challenges specifies the challenge types offered
- by the ACME server. One of these challenge types will be selected
- when validating the DNS name and an appropriate Challenge
- resource will be created to perform the ACME challenge process.
- type: array
- items:
- description: Challenge specifies a challenge offered by the
- ACME server for an Order. An appropriate Challenge resource
- can be created to perform the ACME challenge process.
- type: object
- required:
- - token
- - type
- - url
- properties:
- token:
- description: Token is the token that must be presented
- for this challenge. This is used to compute the 'key'
- that must also be presented.
- type: string
- type:
- description: Type is the type of challenge being offered,
- e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
- the raw value retrieved from the ACME server. Only 'http-01'
- and 'dns-01' are supported by cert-manager, other values
- will be ignored.
- type: string
- url:
- description: URL is the URL of this challenge. It can
- be used to retrieve additional metadata about the Challenge
- from the ACME server.
- type: string
- identifier:
- description: Identifier is the DNS name to be validated as part
- of this authorization
- type: string
- initialState:
- description: InitialState is the initial state of the ACME authorization
- when first fetched from the ACME server. If an Authorization
- is already 'valid', the Order controller will not create a
- Challenge resource for the authorization. This will occur
- when working with an ACME server that enables 'authz reuse'
- (such as Let's Encrypt's production endpoint). If not set
- and 'identifier' is set, the state is assumed to be pending
- and a Challenge will be created.
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- url:
- description: URL is the URL of the Authorization that must be
- completed
- type: string
- wildcard:
- description: Wildcard will be true if this authorization is
- for a wildcard DNS name. If this is true, the identifier will
- be the *non-wildcard* version of the DNS name. For example,
- if '*.example.com' is the DNS name being validated, this field
- will be 'true' and the 'identifier' field will be 'example.com'.
- type: boolean
- certificate:
- description: Certificate is a copy of the PEM encoded certificate
- for this Order. This field will be populated after the order has
- been successfully finalized with the ACME server, and the order
- has transitioned to the 'valid' state.
- type: string
- format: byte
- failureTime:
- description: FailureTime stores the time that this order failed. This
- is used to influence garbage collection and back-off.
- type: string
- format: date-time
- finalizeURL:
- description: FinalizeURL of the Order. This is used to obtain certificates
- for this order once it has been completed.
- type: string
- reason:
- description: Reason optionally provides more information about why
- the order is in the current state.
- type: string
- state:
- description: State contains the current state of this Order resource.
- The 'valid', 'invalid', 'expired' and 'errored' states are final.
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- url:
- description: URL of the Order. This will initially be empty when the
- resource is first created. The Order controller will populate this
- field when the Order is first processed. This field will be immutable
- after it is initially set.
- type: string
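Two pieces of this schema describe a computation without showing it: the Issuer's `externalAccountBinding` (the MAC key read from `keySecretRef` must be un-padded base64url, `keyAlgorithm` selects HS256, HS384 or HS512, and `keyID` is the CA's identifier for that key), and the Order's `status.authorizations[].challenges[].token`, which "is used to compute the 'key' that must also be presented". The Go program below is an added example written for this page, not cert-manager's own implementation. It decodes the stored key with the strictness the description demands, builds and verifies the RFC 8555 section 7.3.4 EAB JWS (protected header `alg`/`kid`/`url` over the account's public JWK, no nonce), and derives the RFC 8555 section 8.1 key authorization from a challenge token and the account key's RFC 7638 thumbprint. The stored MAC key, the key ID `kid-123`, the newAccount URL and the freshly generated account key are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"hash"
)

// demoStoredKey is a constructed MAC key as it would sit in the Secret named by
// keySecretRef: un-padded base64url of the raw bytes (a real CA issues it with the keyID).
var demoStoredKey = base64.RawURLEncoding.EncodeToString([]byte("constructed-eab-mac-key"))

// macAlgs maps the keyAlgorithm enum to the HMAC hash it selects.
var macAlgs = map[string]func() hash.Hash{"HS256": sha256.New, "HS384": sha512.New384, "HS512": sha512.New}

// eabJWS is the flattened JWS embedded as "externalAccountBinding" in newAccount.
type eabJWS struct{ Protected, Payload, Signature string }

// decodeEABKey enforces the keySecretRef rule: RawURLEncoding rejects '=', '+' and '/',
// so a padded or standard-alphabet key fails here, not as an opaque CA error later.
func decodeEABKey(stored string) ([]byte, error) {
	key, err := base64.RawURLEncoding.DecodeString(stored)
	if err != nil {
		return nil, fmt.Errorf("EAB key must be un-padded base64url: %w", err)
	}
	if len(key) == 0 {
		return nil, fmt.Errorf("EAB key is empty")
	}
	return key, nil
}

// eabMAC computes HMAC(key, signingInput) with the named keyAlgorithm.
func eabMAC(alg string, key []byte, signingInput string) ([]byte, error) {
	h, ok := macAlgs[alg]
	if !ok {
		return nil, fmt.Errorf("unsupported keyAlgorithm %q", alg)
	}
	mac := hmac.New(h, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil), nil
}

// buildEAB MACs the account's public JWK under the CA-issued key. The protected
// header carries keyID as "kid" and the newAccount URL; an EAB JWS has no nonce.
func buildEAB(alg, keyID, storedKey, newAccountURL string, accountJWK []byte) (*eabJWS, error) {
	key, err := decodeEABKey(storedKey)
	if err != nil {
		return nil, err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": keyID, "url": newAccountURL})
	jws := &eabJWS{Protected: base64.RawURLEncoding.EncodeToString(hdr), Payload: base64.RawURLEncoding.EncodeToString(accountJWK)}
	sig, err := eabMAC(alg, key, jws.Protected+"."+jws.Payload)
	if err != nil {
		return nil, err
	}
	jws.Signature = base64.RawURLEncoding.EncodeToString(sig)
	return jws, nil
}

// verifyEAB is the CA side: recompute under the key issued for this kid and compare in constant time.
func verifyEAB(jws *eabJWS, alg string, key []byte) bool {
	sig, err := base64.RawURLEncoding.DecodeString(jws.Signature)
	want, err2 := eabMAC(alg, key, jws.Protected+"."+jws.Payload)
	return err == nil && err2 == nil && hmac.Equal(sig, want)
}

// newAccountJWK generates a fresh P-256 account key (constructed stand-in for the key
// cert-manager keeps under privateKeySecretRef) and renders its public half as a JWK.
// json.Marshal sorts map keys, which is the member order RFC 7638 requires, so the
// same bytes are also the thumbprint input.
func newAccountJWK() []byte {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	jwk, _ := json.Marshal(map[string]string{
		"kty": "EC", "crv": "P-256",
		"x": base64.RawURLEncoding.EncodeToString(k.PublicKey.X.FillBytes(make([]byte, 32))),
		"y": base64.RawURLEncoding.EncodeToString(k.PublicKey.Y.FillBytes(make([]byte, 32))),
	})
	return jwk
}

// keyAuthorization derives the 'key' the Challenge.token description refers to
// (RFC 8555 section 8.1): token '.' base64url(SHA-256(JWK)).
func keyAuthorization(token string, jwk []byte) string {
	thumb := sha256.Sum256(jwk)
	return token + "." + base64.RawURLEncoding.EncodeToString(thumb[:])
}

func main() {
	jwk := newAccountJWK()
	jws, err := buildEAB("HS256", "kid-123", demoStoredKey, "https://acme.example/new-account", jwk)
	fmt.Println(jws, err, keyAuthorization("constructed-token", jwk))
}
```

Note what `decodeEABKey` rejects: a key pasted from a CA portal in standard base64 with `=` padding decodes to something under a lenient decoder and produces a MAC the CA cannot verify, which surfaces only as a registration failure; refusing it at Secret-load time turns that into an immediate, explicit error.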
- - name: v1alpha3
- served: true
- storage: false
- "schema":
- "openAPIV3Schema":
- description: Order is a type to represent an Order with an ACME server
- type: object
- required:
- - metadata
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- type: object
- required:
- - csr
- - dnsNames
- - issuerRef
- properties:
- commonName:
- description: CommonName is the common name as specified on the DER
- encoded CSR. If specified, this value must also be present in `dnsNames`.
- This field must match the corresponding field on the DER encoded
- CSR.
- type: string
- csr:
- description: Certificate signing request bytes in DER encoding. This
- will be used when finalizing the order. This field must be set on
- the order.
- type: string
- format: byte
- dnsNames:
- description: DNSNames is a list of DNS names that should be included
- as part of the Order validation process. This field must match the
- corresponding field on the DER encoded CSR.
- type: array
- items:
- type: string
- issuerRef:
- description: IssuerRef references a properly configured ACME-type
- Issuer which should be used to create this Order. If the Issuer
- does not exist, processing will be retried. If the Issuer is not
- an 'ACME' Issuer, an error will be returned and the Order will be
- marked as failed.
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
- status:
- type: object
- properties:
- authorizations:
- description: Authorizations contains data returned from the ACME server
- on what authorizations must be completed in order to validate the
- DNS names specified on the Order.
- type: array
- items:
- description: ACMEAuthorization contains data returned from the ACME
- server on an authorization that must be completed in order validate
- a DNS name on an ACME Order resource.
- type: object
- required:
- - url
- properties:
- challenges:
- description: Challenges specifies the challenge types offered
- by the ACME server. One of these challenge types will be selected
- when validating the DNS name and an appropriate Challenge
- resource will be created to perform the ACME challenge process.
- type: array
- items:
- description: Challenge specifies a challenge offered by the
- ACME server for an Order. An appropriate Challenge resource
- can be created to perform the ACME challenge process.
- type: object
- required:
- - token
- - type
- - url
- properties:
- token:
- description: Token is the token that must be presented
- for this challenge. This is used to compute the 'key'
- that must also be presented.
- type: string
- type:
- description: Type is the type of challenge being offered,
- e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
- the raw value retrieved from the ACME server. Only 'http-01'
- and 'dns-01' are supported by cert-manager, other values
- will be ignored.
- type: string
- url:
- description: URL is the URL of this challenge. It can
- be used to retrieve additional metadata about the Challenge
- from the ACME server.
- type: string
- identifier:
- description: Identifier is the DNS name to be validated as part
- of this authorization
- type: string
- initialState:
- description: InitialState is the initial state of the ACME authorization
- when first fetched from the ACME server. If an Authorization
- is already 'valid', the Order controller will not create a
- Challenge resource for the authorization. This will occur
- when working with an ACME server that enables 'authz reuse'
- (such as Let's Encrypt's production endpoint). If not set
- and 'identifier' is set, the state is assumed to be pending
- and a Challenge will be created.
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- url:
- description: URL is the URL of the Authorization that must be
- completed
- type: string
- wildcard:
- description: Wildcard will be true if this authorization is
- for a wildcard DNS name. If this is true, the identifier will
- be the *non-wildcard* version of the DNS name. For example,
- if '*.example.com' is the DNS name being validated, this field
- will be 'true' and the 'identifier' field will be 'example.com'.
- type: boolean
- certificate:
- description: Certificate is a copy of the PEM encoded certificate
- for this Order. This field will be populated after the order has
- been successfully finalized with the ACME server, and the order
- has transitioned to the 'valid' state.
- type: string
- format: byte
- failureTime:
- description: FailureTime stores the time that this order failed. This
- is used to influence garbage collection and back-off.
- type: string
- format: date-time
- finalizeURL:
- description: FinalizeURL of the Order. This is used to obtain certificates
- for this order once it has been completed.
- type: string
- reason:
- description: Reason optionally provides more information about a why
- the order is in the current state.
- type: string
- state:
- description: State contains the current state of this Order resource.
- States 'success' and 'expired' are 'final'
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- url:
- description: URL of the Order. This will initially be empty when the
- resource is first created. The Order controller will populate this
- field when the Order is first processed. This field will be immutable
- after it is initially set.
- type: string
- - name: v1beta1
- served: true
- storage: false
- "schema":
- "openAPIV3Schema":
- description: Order is a type to represent an Order with an ACME server
- type: object
- required:
- - metadata
- - spec
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- type: object
- required:
- - dnsNames
- - issuerRef
- - request
- properties:
- commonName:
- description: CommonName is the common name as specified on the DER
- encoded CSR. If specified, this value must also be present in `dnsNames`.
- This field must match the corresponding field on the DER encoded
- CSR.
- type: string
- dnsNames:
- description: DNSNames is a list of DNS names that should be included
- as part of the Order validation process. This field must match the
- corresponding field on the DER encoded CSR.
- type: array
- items:
- type: string
- issuerRef:
- description: IssuerRef references a properly configured ACME-type
- Issuer which should be used to create this Order. If the Issuer
- does not exist, processing will be retried. If the Issuer is not
- an 'ACME' Issuer, an error will be returned and the Order will be
- marked as failed.
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
- request:
- description: Certificate signing request bytes in DER encoding. This
- will be used when finalizing the order. This field must be set on
- the order.
- type: string
- format: byte
- status:
- type: object
- properties:
- authorizations:
- description: Authorizations contains data returned from the ACME server
- on what authorizations must be completed in order to validate the
- DNS names specified on the Order.
- type: array
- items:
- description: ACMEAuthorization contains data returned from the ACME
- server on an authorization that must be completed in order validate
- a DNS name on an ACME Order resource.
- type: object
- required:
- - url
- properties:
- challenges:
- description: Challenges specifies the challenge types offered
- by the ACME server. One of these challenge types will be selected
- when validating the DNS name and an appropriate Challenge
- resource will be created to perform the ACME challenge process.
- type: array
- items:
- description: Challenge specifies a challenge offered by the
- ACME server for an Order. An appropriate Challenge resource
- can be created to perform the ACME challenge process.
- type: object
- required:
- - token
- - type
- - url
- properties:
- token:
- description: Token is the token that must be presented
- for this challenge. This is used to compute the 'key'
- that must also be presented.
- type: string
- type:
- description: Type is the type of challenge being offered,
- e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
- the raw value retrieved from the ACME server. Only 'http-01'
- and 'dns-01' are supported by cert-manager, other values
- will be ignored.
- type: string
- url:
- description: URL is the URL of this challenge. It can
- be used to retrieve additional metadata about the Challenge
- from the ACME server.
- type: string
- identifier:
- description: Identifier is the DNS name to be validated as part
- of this authorization
- type: string
- initialState:
- description: InitialState is the initial state of the ACME authorization
- when first fetched from the ACME server. If an Authorization
- is already 'valid', the Order controller will not create a
- Challenge resource for the authorization. This will occur
- when working with an ACME server that enables 'authz reuse'
- (such as Let's Encrypt's production endpoint). If not set
- and 'identifier' is set, the state is assumed to be pending
- and a Challenge will be created.
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- url:
- description: URL is the URL of the Authorization that must be
- completed
- type: string
- wildcard:
- description: Wildcard will be true if this authorization is
- for a wildcard DNS name. If this is true, the identifier will
- be the *non-wildcard* version of the DNS name. For example,
- if '*.example.com' is the DNS name being validated, this field
- will be 'true' and the 'identifier' field will be 'example.com'.
- type: boolean
- certificate:
- description: Certificate is a copy of the PEM encoded certificate
- for this Order. This field will be populated after the order has
- been successfully finalized with the ACME server, and the order
- has transitioned to the 'valid' state.
- type: string
- format: byte
- failureTime:
- description: FailureTime stores the time that this order failed. This
- is used to influence garbage collection and back-off.
- type: string
- format: date-time
- finalizeURL:
- description: FinalizeURL of the Order. This is used to obtain certificates
- for this order once it has been completed.
- type: string
- reason:
- description: Reason optionally provides more information about a why
- the order is in the current state.
- type: string
- state:
- description: State contains the current state of this Order resource.
- States 'success' and 'expired' are 'final'
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- url:
- description: URL of the Order. This will initially be empty when the
- resource is first created. The Order controller will populate this
- field when the Order is first processed. This field will be immutable
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: "A CertificateRequest is used to request a signed certificate
+ from one of the configured issuers. \n All fields within the CertificateRequest's
+ `spec` are immutable after creation. A CertificateRequest will either succeed
+ or fail, as denoted by its `status.state` field. \n A CertificateRequest
+ is a 'one-shot' resource, meaning it represents a single point in time request
+ for a certificate and cannot be re-used."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the CertificateRequest resource.
+ properties:
+ csr:
+ description: The PEM-encoded x509 certificate signing request to be
+ submitted to the CA for signing.
+ format: byte
+ type: string
+ duration:
+ description: The requested 'duration' (i.e. lifetime) of the Certificate.
+ This option may be ignored/overridden by some issuer types.
+ type: string
+ isCA:
+ description: IsCA will request to mark the certificate as valid for
+ certificate signing when submitting to the issuer. This will automatically
+ add the `cert sign` usage to the list of `usages`.
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this CertificateRequest. If
+ the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the CertificateRequest
+ will be used. If the 'kind' field is set to 'ClusterIssuer', a
+ ClusterIssuer with the provided name will be used. The 'name' field
+ in this stanza is required at all times. The group field refers
+ to the API group of the issuer which defaults to 'cert-manager.io'
+ if empty.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ usages:
+ description: Usages is the set of x509 usages that are requested for
+ the certificate. Defaults to `digital signature` and `key encipherment`
+ if not specified.
+ items:
+ description: 'KeyUsage specifies valid usage contexts for keys.
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ description: "A CertificateRequest is used to request a signed certificate
+ from one of the configured issuers. \n All fields within the CertificateRequest's
+ `spec` are immutable after creation. A CertificateRequest will either succeed
+ or fail, as denoted by its `status.state` field. \n A CertificateRequest
+ is a 'one-shot' resource, meaning it represents a single point in time request
+ for a certificate and cannot be re-used."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the CertificateRequest resource.
+ properties:
+ csr:
+ description: The PEM-encoded x509 certificate signing request to be
+ submitted to the CA for signing.
+ format: byte
+ type: string
+ duration:
+ description: The requested 'duration' (i.e. lifetime) of the Certificate.
+ This option may be ignored/overridden by some issuer types.
+ type: string
+ isCA:
+ description: IsCA will request to mark the certificate as valid for
+ certificate signing when submitting to the issuer. This will automatically
+ add the `cert sign` usage to the list of `usages`.
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this CertificateRequest. If
+ the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the CertificateRequest
+ will be used. If the 'kind' field is set to 'ClusterIssuer', a
+ ClusterIssuer with the provided name will be used. The 'name' field
+ in this stanza is required at all times. The group field refers
+ to the API group of the issuer which defaults to 'cert-manager.io'
+ if empty.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ usages:
+ description: Usages is the set of x509 usages that are requested for
+ the certificate. Defaults to `digital signature` and `key encipherment`
+ if not specified.
+ items:
+ description: 'KeyUsage specifies valid usage contexts for keys.
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: "A CertificateRequest is used to request a signed certificate
+ from one of the configured issuers. \n All fields within the CertificateRequest's
+ `spec` are immutable after creation. A CertificateRequest will either succeed
+ or fail, as denoted by its `status.state` field. \n A CertificateRequest
+ is a 'one-shot' resource, meaning it represents a single point in time request
+ for a certificate and cannot be re-used."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the CertificateRequest resource.
+ properties:
+ duration:
+ description: The requested 'duration' (i.e. lifetime) of the Certificate.
+ This option may be ignored/overridden by some issuer types.
+ type: string
+ isCA:
+ description: IsCA will request to mark the certificate as valid for
+ certificate signing when submitting to the issuer. This will automatically
+ add the `cert sign` usage to the list of `usages`.
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this CertificateRequest. If
+ the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the CertificateRequest
+ will be used. If the 'kind' field is set to 'ClusterIssuer', a
+ ClusterIssuer with the provided name will be used. The 'name' field
+ in this stanza is required at all times. The group field refers
+ to the API group of the issuer which defaults to 'cert-manager.io'
+ if empty.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ request:
+ description: The PEM-encoded x509 certificate signing request to be
+ submitted to the CA for signing.
+ format: byte
+ type: string
+ usages:
+ description: Usages is the set of x509 usages that are requested for
+ the certificate. Defaults to `digital signature` and `key encipherment`
+ if not specified.
+ items:
+ description: 'KeyUsage specifies valid usage contexts for keys.
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: "A CertificateRequest is used to request a signed certificate
+ from one of the configured issuers. \n All fields within the CertificateRequest's
+ `spec` are immutable after creation. A CertificateRequest will either succeed
+ or fail, as denoted by its `status.state` field. \n A CertificateRequest
+ is a 'one-shot' resource, meaning it represents a single point in time request
+ for a certificate and cannot be re-used."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the CertificateRequest resource.
+ properties:
+ duration:
+ description: The requested 'duration' (i.e. lifetime) of the Certificate.
+ This option may be ignored/overridden by some issuer types.
+ type: string
+ isCA:
+ description: IsCA will request to mark the certificate as valid for
+ certificate signing when submitting to the issuer. This will automatically
+ add the `cert sign` usage to the list of `usages`.
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this CertificateRequest. If
+ the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the CertificateRequest
+ will be used. If the 'kind' field is set to 'ClusterIssuer', a
+ ClusterIssuer with the provided name will be used. The 'name' field
+ in this stanza is required at all times. The group field refers
+ to the API group of the issuer which defaults to 'cert-manager.io'
+ if empty.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ request:
+ description: The PEM-encoded x509 certificate signing request to be
+ submitted to the CA for signing.
+ format: byte
+ type: string
+ usages:
+ description: Usages is the set of x509 usages that are requested for
+ the certificate. If usages are set they SHOULD be encoded inside
+ the CSR spec Defaults to `digital signature` and `key encipherment`
+ if not specified.
+ items:
+ description: 'KeyUsage specifies valid usage contexts for keys.
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: "A Certificate resource should be created to ensure an up to
+ date and signed x509 certificate is stored in the Kubernetes Secret resource
+ named in `spec.secretName`. \n The stored certificate will be renewed before
+ it expires (as configured by `spec.renewBefore`)."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the Certificate resource.
+ properties:
+ commonName:
+ description: 'CommonName is a common name to be used on the Certificate.
+ The CommonName should have a length of 64 characters or fewer to
+ avoid generating invalid CSRs. This value is ignored by TLS clients
+ when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS subjectAltNames to be set on
+ the Certificate.
+ items:
+ type: string
+ type: array
+ duration:
+ description: The requested 'duration' (i.e. lifetime) of the Certificate.
+ This option may be ignored/overridden by some issuer types. If overridden
+ and `renewBefore` is greater than the actual certificate duration,
+ the certificate will be automatically renewed 2/3rds of the way
+ through the certificate's duration.
+ type: string
+ emailSANs:
+ description: EmailSANs is a list of email subjectAltNames to be set
+ on the Certificate.
+ items:
+ type: string
+ type: array
+ ipAddresses:
+ description: IPAddresses is a list of IP address subjectAltNames to
+ be set on the Certificate.
+ items:
+ type: string
+ type: array
+ isCA:
+ description: IsCA will mark this Certificate as valid for certificate
+ signing. This will automatically add the `cert sign` usage to the
+ list of `usages`.
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this certificate.
+ If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the Certificate will
+ be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+ with the provided name will be used. The 'name' field in this stanza
+ is required at all times.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ keyAlgorithm:
+ description: KeyAlgorithm is the private key algorithm of the corresponding
+ private key for this certificate. If provided, allowed values are
+ either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize`
+ is not provided, key size of 256 will be used for "ecdsa" key algorithm
+ and key size of 2048 will be used for "rsa" key algorithm.
+ enum:
+ - rsa
+ - ecdsa
+ type: string
+ keyEncoding:
+ description: KeyEncoding is the private key cryptography standards
+ (PKCS) for this certificate's private key to be encoded in. If provided,
+ allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
+ respectively. If KeyEncoding is not specified, then PKCS#1 will
+ be used by default.
+ enum:
+ - pkcs1
+ - pkcs8
+ type: string
+ keySize:
+ description: KeySize is the key bit size of the corresponding private
+ key for this certificate. If `keyAlgorithm` is set to `RSA`, valid
+ values are `2048`, `4096` or `8192`, and will default to `2048`
+ if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values
+ are `256`, `384` or `521`, and will default to `256` if not specified.
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ description: "A Certificate resource should be created to ensure an up to
+ date and signed x509 certificate is stored in the Kubernetes Secret resource
+ named in `spec.secretName`. \n The stored certificate will be renewed before
+ it expires (as configured by `spec.renewBefore`)."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the Certificate resource.
+ properties:
+ commonName:
+ description: 'CommonName is a common name to be used on the Certificate.
+ The CommonName should have a length of 64 characters or fewer to
+ avoid generating invalid CSRs. This value is ignored by TLS clients
+ when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS subjectAltNames to be set on
+ the Certificate.
+ items:
+ type: string
+ type: array
+ duration:
+ description: The requested 'duration' (i.e. lifetime) of the Certificate.
+ This option may be ignored/overridden by some issuer types. If overridden
+ and `renewBefore` is greater than the actual certificate duration,
+ the certificate will be automatically renewed 2/3rds of the way
+ through the certificate's duration.
+ type: string
+ emailSANs:
+ description: EmailSANs is a list of email subjectAltNames to be set
+ on the Certificate.
+ items:
+ type: string
+ type: array
+ ipAddresses:
+ description: IPAddresses is a list of IP address subjectAltNames to
+ be set on the Certificate.
+ items:
+ type: string
+ type: array
+ isCA:
+ description: IsCA will mark this Certificate as valid for certificate
+ signing. This will automatically add the `cert sign` usage to the
+ list of `usages`.
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this certificate.
+ If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the Certificate will
+ be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+ with the provided name will be used. The 'name' field in this stanza
+ is required at all times.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ keyAlgorithm:
+ description: KeyAlgorithm is the private key algorithm of the corresponding
+ private key for this certificate. If provided, allowed values are
+ either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize`
+ is not provided, key size of 256 will be used for "ecdsa" key algorithm
+ and key size of 2048 will be used for "rsa" key algorithm.
+ enum:
+ - rsa
+ - ecdsa
+ type: string
+ keyEncoding:
+ description: KeyEncoding is the private key cryptography standards
+ (PKCS) for this certificate's private key to be encoded in. If provided,
+ allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
+ respectively. If KeyEncoding is not specified, then PKCS#1 will
+ be used by default.
+ enum:
+ - pkcs1
+ - pkcs8
+ type: string
+ keySize:
+ description: KeySize is the key bit size of the corresponding private
+ key for this certificate. If `keyAlgorithm` is set to `RSA`, valid
+ values are `2048`, `4096` or `8192`, and will default to `2048`
+ if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values
+ are `256`, `384` or `521`, and will default to `256` if not specified.
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: "A Certificate resource should be created to ensure an up to
+ date and signed x509 certificate is stored in the Kubernetes Secret resource
+ named in `spec.secretName`. \n The stored certificate will be renewed before
+ it expires (as configured by `spec.renewBefore`)."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the Certificate resource.
+ properties:
+ commonName:
+ description: 'CommonName is a common name to be used on the Certificate.
+ The CommonName should have a length of 64 characters or fewer to
+ avoid generating invalid CSRs. This value is ignored by TLS clients
+ when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS subjectAltNames to be set on
+ the Certificate.
+ items:
+ type: string
+ type: array
+ duration:
+ description: The requested 'duration' (i.e. lifetime) of the Certificate.
+ This option may be ignored/overridden by some issuer types. If overridden
+ and `renewBefore` is greater than the actual certificate duration,
+ the certificate will be automatically renewed 2/3rds of the way
+ through the certificate's duration.
+ type: string
+ emailSANs:
+ description: EmailSANs is a list of email subjectAltNames to be set
+ on the Certificate.
+ items:
+ type: string
+ type: array
+ ipAddresses:
+ description: IPAddresses is a list of IP address subjectAltNames to
+ be set on the Certificate.
+ items:
+ type: string
+ type: array
+ isCA:
+ description: IsCA will mark this Certificate as valid for certificate
+ signing. This will automatically add the `cert sign` usage to the
+ list of `usages`.
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this certificate.
+ If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the Certificate will
+ be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+ with the provided name will be used. The 'name' field in this stanza
+ is required at all times.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: "A Certificate resource should be created to ensure an up to
+ date and signed x509 certificate is stored in the Kubernetes Secret resource
+ named in `spec.secretName`. \n The stored certificate will be renewed before
+ it expires (as configured by `spec.renewBefore`)."
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the Certificate resource.
+ properties:
+ commonName:
+ description: 'CommonName is a common name to be used on the Certificate.
+ The CommonName should have a length of 64 characters or fewer to
+ avoid generating invalid CSRs. This value is ignored by TLS clients
+ when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS subjectAltNames to be set on
+ the Certificate.
+ items:
+ type: string
+ type: array
+ duration:
+ description: The requested 'duration' (i.e. lifetime) of the Certificate.
+ This option may be ignored/overridden by some issuer types. If overridden
+ and `renewBefore` is greater than the actual certificate duration,
+ the certificate will be automatically renewed 2/3rds of the way
+ through the certificate's duration.
+ type: string
+ emailAddresses:
+ description: EmailAddresses is a list of email subjectAltNames to
+ be set on the Certificate.
+ items:
+ type: string
+ type: array
+ ipAddresses:
+ description: IPAddresses is a list of IP address subjectAltNames to
+ be set on the Certificate.
+ items:
+ type: string
+ type: array
+ isCA:
+ description: IsCA will mark this Certificate as valid for certificate
+ signing. This will automatically add the `cert sign` usage to the
+ list of `usages`.
+ type: boolean
+ issuerRef:
+ description: IssuerRef is a reference to the issuer for this certificate.
+ If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+ with the given name in the same namespace as the Certificate will
+ be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+ with the provided name will be used. The 'name' field in this stanza
+ is required at all times.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: Challenge is a type to represent a Challenge request with an
+ ACME server
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ authzURL:
+ description: AuthzURL is the URL to the ACME Authorization resource
+ that this challenge is a part of.
+ type: string
+ dnsName:
+ description: DNSName is the identifier that this challenge is for,
+ e.g. example.com. If the requested DNSName is a 'wildcard', this
+ field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+ it must be `example.com`.
+ type: string
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type
+ Issuer which should be used to create this Challenge. If the Issuer
+ does not exist, processing will be retried. If the Issuer is not
+ an 'ACME' Issuer, an error will be returned and the Challenge will
+ be marked as failed.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ key:
+ description: 'Key is the ACME challenge key for this challenge For
+ HTTP01 challenges, this is the value that must be responded with
+ to complete the HTTP01 challenge in the format: `<private key JWK
+ thumbprint>.<key from acme server for challenge>`. For DNS01 challenges,
+ this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+ from acme server for challenge>` text that must be set as the TXT
+ record content.'
+ type: string
+ solver:
+ description: Solver contains the domain solving configuration that
+ should be used to solve this challenge resource.
+ properties:
+ dns01:
+ description: Configures cert-manager to attempt to complete authorizations
+ by performing the DNS01 challenge flow.
+ properties:
+ acmedns:
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+ API to manage DNS01 challenge records.
+ properties:
+ accountSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ host:
+ type: string
+ required:
+ - accountSecretRef
+ - host
+ type: object
+ akamai:
+ description: Use the Akamai DNS zone management API to manage
+ DNS01 challenge records.
+ properties:
+ accessTokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ clientSecretSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ clientTokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ serviceConsumerDomain:
+ type: string
+ required:
+ - accessTokenSecretRef
+ - clientSecretSecretRef
+ - clientTokenSecretRef
+ - serviceConsumerDomain
+ type: object
+ azuredns:
+ description: Use the Microsoft Azure DNS API to manage DNS01
+ challenge records.
+ properties:
+ clientID:
+ description: if both this and ClientSecret are left unset
+ MSI will be used
+ type: string
+ clientSecretSecretRef:
+ description: if both this and ClientID are left unset
+ MSI will be used
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ environment:
+ enum:
+ - AzurePublicCloud
+ - AzureChinaCloud
+ - AzureGermanCloud
+ - AzureUSGovernmentCloud
+ type: string
+ hostedZoneName:
+ type: string
+ resourceGroupName:
+ type: string
+ subscriptionID:
+ type: string
+ tenantID:
+ description: when specifying ClientID and ClientSecret
+ then this field is also needed
+ type: string
+ required:
+ - resourceGroupName
+ - subscriptionID
+ type: object
+ clouddns:
+ description: Use the Google Cloud DNS API to manage DNS01
+ challenge records.
+ properties:
+ hostedZoneName:
+ description: HostedZoneName is an optional field that
+ tells cert-manager in which Cloud DNS zone the challenge
+ record has to be created. If left empty cert-manager
+ will automatically choose a zone.
+ type: string
+ project:
+ type: string
+ serviceAccountSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - project
+ type: object
+ cloudflare:
+ description: Use the Cloudflare API to manage DNS01 challenge
+ records.
+ properties:
+ apiKeySecretRef:
+ description: 'API key to use to authenticate with Cloudflare.
+ Note: using an API token to authenticate is now the
+ recommended method as it allows greater control of permissions.'
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ apiTokenSecretRef:
+ description: API token used to authenticate with Cloudflare.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ email:
+ description: Email of the account, only required when
+ using API key based authentication.
+ type: string
+ type: object
+ cnameStrategy:
+ description: CNAMEStrategy configures how the DNS01 provider
+ should handle CNAME records when found in DNS zones.
+ enum:
+ - None
+ - Follow
+ type: string
+ digitalocean:
+ description: Use the DigitalOcean DNS API to manage DNS01
+ challenge records.
+ properties:
+ tokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - tokenSecretRef
+ type: object
+ rfc2136:
+ description: Use RFC2136 ("Dynamic Updates in the Domain Name
+ System") (https://datatracker.ietf.org/doc/rfc2136/) to
+ manage DNS01 challenge records.
+ properties:
+ nameserver:
+ description: The IP address or hostname of an authoritative
+ DNS server supporting RFC2136 in the form host:port.
+ If the host is an IPv6 address it must be enclosed in
+ square brackets (e.g [2001:db8::1])Â ; port is optional.
+ This field is required.
+ type: string
+ tsigAlgorithm:
+ description: 'The TSIG Algorithm configured in the DNS
+ supporting RFC2136. Used only when ``tsigSecretSecretRef``
+ and ``tsigKeyName`` are defined. Supported values are
+ be scheduled onto the node. If the anti-affinity
+ requirements specified by this field
+ cease to be met at some point during
+ pod execution (e.g. due to a pod label
+ update), the system may or may not try
+ to eventually evict the pod from its
+ node. When there are multiple elements,
+ the lists of nodes corresponding to
+ each podAffinityTerm are intersected,
+ i.e. all terms must be satisfied.
+ items:
+ description: Defines a set of pods (namely
+ those matching the labelSelector relative
+ to the given namespace(s)) that this
+ pod should be co-located (affinity)
+ or not co-located (anti-affinity)
+ with, where co-located is defined
+ as running on a node whose value of
+ the label with key <topologyKey> matches
+ that of any node on which a pod of
+ the set of pods is running
+ properties:
+ labelSelector:
+ description: A label query over
+ a set of resources, in this case
+ pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector
+ requirement is a selector
+ that contains values, a
+ key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: operator
+ represents a key's relationship
+ to a set of values.
+ Valid operators are
+ In, NotIn, Exists and
+ DoesNotExist.
+ type: string
+ values:
+ description: values is
+ an array of string values.
+ If the operator is In
+ or NotIn, the values
+ array must be non-empty.
+ If the operator is Exists
+ or DoesNotExist, the
+ values array must be
+ empty. This array is
+ replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is
+ a map of {key,value} pairs.
+ A single {key,value} in the
+ matchLabels map is equivalent
+ to an element of matchExpressions,
+ whose key field is "key",
+ the operator is "In", and
+ the values array contains
+ only "value". The requirements
+ are ANDed.
+ type: object
+ type: object
+ namespaces:
+ description: namespaces specifies
+ which namespaces the labelSelector
+ applies to (matches against);
+ null or empty list means "this
+ pod's namespace"
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: This pod should be
+ co-located (affinity) or not co-located
+ (anti-affinity) with the pods
+ matching the labelSelector in
+ the specified namespaces, where
+ co-located is defined as running
+ on a node whose value of the label
+ with key topologyKey matches that
+ of any node on which any of the
+ selected pods is running. Empty
+ topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ type: object
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: 'NodeSelector is a selector which
+ must be true for the pod to fit on a node. Selector
+ which must match a node''s labels for the pod
+ to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+ type: object
+ priorityClassName:
+ description: If specified, the pod's priorityClassName.
+ type: string
+ serviceAccountName:
+ description: If specified, the pod's service account
+ type: string
+ tolerations:
+ description: If specified, the pod's tolerations.
+ items:
+ description: The pod this Toleration is attached
+ to tolerates any taint that matches the triple
+ <key,value,effect> using the matching operator
+ <operator>.
+ properties:
+ effect:
+ description: Effect indicates the taint
+ effect to match. Empty means match all
+ taint effects. When specified, allowed
+ values are NoSchedule, PreferNoSchedule
+ and NoExecute.
+ type: string
+ key:
+ description: Key is the taint key that the
+ toleration applies to. Empty means match
+ all taint keys. If the key is empty, operator
+ must be Exists; this combination means
+ to match all values and all keys.
+ type: string
+ operator:
+ description: Operator represents a key's
+ relationship to the value. Valid operators
+ are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value,
+ so that a pod can tolerate all taints
+ of a particular category.
+ type: string
+ tolerationSeconds:
+ description: TolerationSeconds represents
+ the period of time the toleration (which
+ must be of effect NoExecute, otherwise
+ this field is ignored) tolerates the taint.
+ By default, it is not set, which means
+ tolerate the taint forever (do not evict).
+ Zero and negative values will be treated
+ as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: Value is the taint value the
+ toleration matches to. If the operator
+ is Exists, the value should be empty,
+ otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ serviceType:
+ description: Optional service type for Kubernetes solver
+ service
+ type: string
+ type: object
+ type: object
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate
+ resource that should be solved using this challenge solver.
+ If not specified, the solver will be treated as the 'default'
+ solver with the lowest priority, i.e. if any other solver has
+ a more specific match, it will be used instead.
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be used
+ to solve. If specified and a match is found, a dnsNames
+ selector will take precedence over a dnsZones selector.
+ If multiple solvers match with the same dnsNames value,
+ the solver with the most matching labels in matchLabels
+ will be selected. If neither has more matches, the solver
+ defined earlier in the list will be selected.
+ items:
+ type: string
+ type: array
+ dnsZones:
+ description: List of DNSZones that this solver will be used
+ to solve. The most specific DNS zone match specified here
+ will take precedence over other DNS zone matches, so a solver
+ specifying sys.example.com will be selected over one specifying
+ example.com for the domain www.sys.example.com. If multiple
+ solvers match with the same dnsZones value, the solver with
+ the most matching labels in matchLabels will be selected.
+ If neither has more matches, the solver defined earlier
+ in the list will be selected.
+ items:
+ type: string
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: A label selector that is used to refine the set
+ of certificate's that this challenge solver will apply to.
+ type: object
+ type: object
+ type: object
+ token:
+ description: Token is the ACME challenge token for this challenge.
+ This is the raw value returned from the ACME server.
+ type: string
+ type:
+ description: Type is the type of ACME challenge this resource represents.
+ One of "http-01" or "dns-01".
+ enum:
+ - http-01
+ - dns-01
+ type: string
+ url:
+ description: URL is the URL of the ACME Challenge resource for this
+ challenge. This can be used to lookup details about the status of
+ this challenge.
+ type: string
+ wildcard:
+ description: Wildcard will be true if this challenge is for a wildcard
+ identifier, for example '*.example.com'.
+ type: boolean
+ required:
+ - authzURL
+ - dnsName
+ - issuerRef
+ - key
+ - solver
+ - token
+ - type
+ - url
+ type: object
+ status:
+ properties:
+ presented:
+ description: Presented will be set to true if the challenge values
+ for this challenge are currently 'presented'. This *does not* imply
+ the self check is passing. Only that the values have been 'submitted'
+ for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+ has been presented, or the HTTP01 configuration has been configured).
+ type: boolean
+ processing:
+ description: Processing is used to denote whether this challenge should
+ be processed or not. This field will only be set to true by the
+ 'scheduling' component. It will only be set to false by the 'challenges'
+ controller, after the challenge has reached a final state or timed
+ out. If this field is set to false, the challenge controller will
+ not take any more action.
+ type: boolean
+ reason:
+ description: Reason contains human readable information on why the
+ Challenge is in the current state.
+ type: string
+ state:
+ description: State contains the current 'state' of the challenge.
+ If not set, the state of the challenge is unknown.
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ type: object
+ required:
+ - metadata
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.state
+ name: State
+ type: string
+ - jsonPath: .spec.dnsName
+ name: Domain
+ type: string
+ - jsonPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ description: Challenge is a type to represent a Challenge request with an
+ ACME server
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ authzURL:
+ description: AuthzURL is the URL to the ACME Authorization resource
+ that this challenge is a part of.
+ type: string
+ dnsName:
+ description: DNSName is the identifier that this challenge is for,
+ e.g. example.com. If the requested DNSName is a 'wildcard', this
+ field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+ it must be `example.com`.
+ type: string
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type
+ Issuer which should be used to create this Challenge. If the Issuer
+ does not exist, processing will be retried. If the Issuer is not
+ an 'ACME' Issuer, an error will be returned and the Challenge will
+ be marked as failed.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ key:
+ description: 'Key is the ACME challenge key for this challenge For
+ HTTP01 challenges, this is the value that must be responded with
+ to complete the HTTP01 challenge in the format: `<private key JWK
+ thumbprint>.<key from acme server for challenge>`. For DNS01 challenges,
+ this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+ from acme server for challenge>` text that must be set as the TXT
+ record content.'
+ type: string
+ solver:
+ description: Solver contains the domain solving configuration that
+ should be used to solve this challenge resource.
+ properties:
+ dns01:
+ description: Configures cert-manager to attempt to complete authorizations
+ by performing the DNS01 challenge flow.
+ properties:
+ acmedns:
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+ API to manage DNS01 challenge records.
+ properties:
+ accountSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ host:
+ type: string
+ required:
+ - accountSecretRef
+ - host
+ type: object
+ akamai:
+ description: Use the Akamai DNS zone management API to manage
+ DNS01 challenge records.
+ properties:
+ accessTokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ clientSecretSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ clientTokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ serviceConsumerDomain:
+ type: string
+ required:
+ - accessTokenSecretRef
+ - clientSecretSecretRef
+ - clientTokenSecretRef
+ - serviceConsumerDomain
+ type: object
+ azuredns:
+ description: Use the Microsoft Azure DNS API to manage DNS01
+ challenge records.
+ properties:
+ clientID:
+ description: if both this and ClientSecret are left unset
+ MSI will be used
+ type: string
+ clientSecretSecretRef:
+ description: if both this and ClientID are left unset
+ MSI will be used
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ environment:
+ enum:
+ - AzurePublicCloud
+ - AzureChinaCloud
+ - AzureGermanCloud
+ - AzureUSGovernmentCloud
+ type: string
+ hostedZoneName:
+ type: string
+ resourceGroupName:
+ type: string
+ subscriptionID:
+ type: string
+ tenantID:
+ description: when specifying ClientID and ClientSecret
+ then this field is also needed
+ type: string
+ required:
+ - resourceGroupName
+ - subscriptionID
+ type: object
+ clouddns:
+ description: Use the Google Cloud DNS API to manage DNS01
+ challenge records.
+ properties:
+ hostedZoneName:
+ description: HostedZoneName is an optional field that
+ tells cert-manager in which Cloud DNS zone the challenge
+ record has to be created. If left empty cert-manager
+ will automatically choose a zone.
+ type: string
+ project:
+ type: string
+ serviceAccountSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - project
+ type: object
+ cloudflare:
+ description: Use the Cloudflare API to manage DNS01 challenge
+ records.
+ properties:
+ apiKeySecretRef:
+ description: 'API key to use to authenticate with Cloudflare.
+ Note: using an API token to authenticate is now the
+ recommended method as it allows greater control of permissions.'
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ apiTokenSecretRef:
+ description: API token used to authenticate with Cloudflare.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ email:
+ description: Email of the account, only required when
+ using API key based authentication.
+ type: string
+ type: object
+ cnameStrategy:
+ description: CNAMEStrategy configures how the DNS01 provider
+ should handle CNAME records when found in DNS zones.
+ enum:
+ - None
+ - Follow
+ type: string
+ digitalocean:
+ description: Use the DigitalOcean DNS API to manage DNS01
+ challenge records.
+ properties:
+ tokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - tokenSecretRef
+ type: object
+ rfc2136:
+ description: Use RFC2136 ("Dynamic Updates in the Domain Name
+ System") (https://datatracker.ietf.org/doc/rfc2136/) to
+ manage DNS01 challenge records.
+ properties:
+ nameserver:
+ description: The IP address or hostname of an authoritative
+ DNS server supporting RFC2136 in the form host:port.
+ If the host is an IPv6 address it must be enclosed in
+ square brackets (e.g [2001:db8::1])Â ; port is optional.
+ This field is required.
+ type: string
+ tsigAlgorithm:
+ description: 'The TSIG Algorithm configured in the DNS
+ supporting RFC2136. Used only when ``tsigSecretSecretRef``
+ and ``tsigKeyName`` are defined. Supported values are
+ be scheduled onto the node. If the anti-affinity
+ requirements specified by this field
+ cease to be met at some point during
+ pod execution (e.g. due to a pod label
+ update), the system may or may not try
+ to eventually evict the pod from its
+ node. When there are multiple elements,
+ the lists of nodes corresponding to
+ each podAffinityTerm are intersected,
+ i.e. all terms must be satisfied.
+ items:
+ description: Defines a set of pods (namely
+ those matching the labelSelector relative
+ to the given namespace(s)) that this
+ pod should be co-located (affinity)
+ or not co-located (anti-affinity)
+ with, where co-located is defined
+ as running on a node whose value of
+ the label with key <topologyKey> matches
+ that of any node on which a pod of
+ the set of pods is running
+ properties:
+ labelSelector:
+ description: A label query over
+ a set of resources, in this case
+ pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector
+ requirement is a selector
+ that contains values, a
+ key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: operator
+ represents a key's relationship
+ to a set of values.
+ Valid operators are
+ In, NotIn, Exists and
+ DoesNotExist.
+ type: string
+ values:
+ description: values is
+ an array of string values.
+ If the operator is In
+ or NotIn, the values
+ array must be non-empty.
+ If the operator is Exists
+ or DoesNotExist, the
+ values array must be
+ empty. This array is
+ replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is
+ a map of {key,value} pairs.
+ A single {key,value} in the
+ matchLabels map is equivalent
+ to an element of matchExpressions,
+ whose key field is "key",
+ the operator is "In", and
+ the values array contains
+ only "value". The requirements
+ are ANDed.
+ type: object
+ type: object
+ namespaces:
+ description: namespaces specifies
+ which namespaces the labelSelector
+ applies to (matches against);
+ null or empty list means "this
+ pod's namespace"
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: This pod should be
+ co-located (affinity) or not co-located
+ (anti-affinity) with the pods
+ matching the labelSelector in
+ the specified namespaces, where
+ co-located is defined as running
+ on a node whose value of the label
+ with key topologyKey matches that
+ of any node on which any of the
+ selected pods is running. Empty
+ topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ type: object
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: 'NodeSelector is a selector which
+ must be true for the pod to fit on a node. Selector
+ which must match a node''s labels for the pod
+ to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+ type: object
+ priorityClassName:
+ description: If specified, the pod's priorityClassName.
+ type: string
+ serviceAccountName:
+ description: If specified, the pod's service account
+ type: string
+ tolerations:
+ description: If specified, the pod's tolerations.
+ items:
+ description: The pod this Toleration is attached
+ to tolerates any taint that matches the triple
+ <key,value,effect> using the matching operator
+ <operator>.
+ properties:
+ effect:
+ description: Effect indicates the taint
+ effect to match. Empty means match all
+ taint effects. When specified, allowed
+ values are NoSchedule, PreferNoSchedule
+ and NoExecute.
+ type: string
+ key:
+ description: Key is the taint key that the
+ toleration applies to. Empty means match
+ all taint keys. If the key is empty, operator
+ must be Exists; this combination means
+ to match all values and all keys.
+ type: string
+ operator:
+ description: Operator represents a key's
+ relationship to the value. Valid operators
+ are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value,
+ so that a pod can tolerate all taints
+ of a particular category.
+ type: string
+ tolerationSeconds:
+ description: TolerationSeconds represents
+ the period of time the toleration (which
+ must be of effect NoExecute, otherwise
+ this field is ignored) tolerates the taint.
+ By default, it is not set, which means
+ tolerate the taint forever (do not evict).
+ Zero and negative values will be treated
+ as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: Value is the taint value the
+ toleration matches to. If the operator
+ is Exists, the value should be empty,
+ otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ serviceType:
+ description: Optional service type for Kubernetes solver
+ service
+ type: string
+ type: object
+ type: object
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate
+ resource that should be solved using this challenge solver.
+ If not specified, the solver will be treated as the 'default'
+ solver with the lowest priority, i.e. if any other solver has
+ a more specific match, it will be used instead.
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be used
+ to solve. If specified and a match is found, a dnsNames
+ selector will take precedence over a dnsZones selector.
+ If multiple solvers match with the same dnsNames value,
+ the solver with the most matching labels in matchLabels
+ will be selected. If neither has more matches, the solver
+ defined earlier in the list will be selected.
+ items:
+ type: string
+ type: array
+ dnsZones:
+ description: List of DNSZones that this solver will be used
+ to solve. The most specific DNS zone match specified here
+ will take precedence over other DNS zone matches, so a solver
+ specifying sys.example.com will be selected over one specifying
+ example.com for the domain www.sys.example.com. If multiple
+ solvers match with the same dnsZones value, the solver with
+ the most matching labels in matchLabels will be selected.
+ If neither has more matches, the solver defined earlier
+ in the list will be selected.
+ items:
+ type: string
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: A label selector that is used to refine the set
+ of certificate's that this challenge solver will apply to.
+ type: object
+ type: object
+ type: object
+ token:
+ description: Token is the ACME challenge token for this challenge.
+ This is the raw value returned from the ACME server.
+ type: string
+ type:
+ description: Type is the type of ACME challenge this resource represents.
+ One of "http-01" or "dns-01".
+ enum:
+ - http-01
+ - dns-01
+ type: string
+ url:
+ description: URL is the URL of the ACME Challenge resource for this
+ challenge. This can be used to lookup details about the status of
+ this challenge.
+ type: string
+ wildcard:
+ description: Wildcard will be true if this challenge is for a wildcard
+ identifier, for example '*.example.com'.
+ type: boolean
+ required:
+ - authzURL
+ - dnsName
+ - issuerRef
+ - key
+ - solver
+ - token
+ - type
+ - url
+ type: object
+ status:
+ properties:
+ presented:
+ description: Presented will be set to true if the challenge values
+ for this challenge are currently 'presented'. This *does not* imply
+ the self check is passing. Only that the values have been 'submitted'
+ for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+ has been presented, or the HTTP01 configuration has been configured).
+ type: boolean
+ processing:
+ description: Processing is used to denote whether this challenge should
+ be processed or not. This field will only be set to true by the
+ 'scheduling' component. It will only be set to false by the 'challenges'
+ controller, after the challenge has reached a final state or timed
+ out. If this field is set to false, the challenge controller will
+ not take any more action.
+ type: boolean
+ reason:
+ description: Reason contains human readable information on why the
+ Challenge is in the current state.
+ type: string
+ state:
+ description: State contains the current 'state' of the challenge.
+ If not set, the state of the challenge is unknown.
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ type: object
+ required:
+ - metadata
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.state
+ name: State
+ type: string
+ - jsonPath: .spec.dnsName
+ name: Domain
+ type: string
+ - jsonPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: Challenge is a type to represent a Challenge request with an
+ ACME server
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ authorizationURL:
+ description: The URL to the ACME Authorization resource that this
+ challenge is a part of.
+ type: string
+ dnsName:
+ description: dnsName is the identifier that this challenge is for,
+ e.g. example.com. If the requested DNSName is a 'wildcard', this
+ field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+ it must be `example.com`.
+ type: string
+ issuerRef:
+ description: References a properly configured ACME-type Issuer which
+ should be used to create this Challenge. If the Issuer does not
+ exist, processing will be retried. If the Issuer is not an 'ACME'
+ Issuer, an error will be returned and the Challenge will be marked
+ as failed.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ key:
+ description: 'The ACME challenge key for this challenge For HTTP01
+ challenges, this is the value that must be responded with to complete
+ the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
+ from acme server for challenge>`. For DNS01 challenges, this is
+ the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+ from acme server for challenge>` text that must be set as the TXT
+ record content.'
+ type: string
+ solver:
+ description: Contains the domain solving configuration that should
+ be used to solve this challenge resource.
+ properties:
+ dns01:
+ description: Configures cert-manager to attempt to complete authorizations
+ by performing the DNS01 challenge flow.
+ properties:
+ acmeDNS:
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+ API to manage DNS01 challenge records.
+ properties:
+ accountSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ host:
+ type: string
+ required:
+ - accountSecretRef
+ - host
+ type: object
+ akamai:
+ description: Use the Akamai DNS zone management API to manage
+ DNS01 challenge records.
+ properties:
+ accessTokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ clientSecretSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ clientTokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ serviceConsumerDomain:
+ type: string
+ required:
+ - accessTokenSecretRef
+ - clientSecretSecretRef
+ - clientTokenSecretRef
+ - serviceConsumerDomain
+ type: object
+ azureDNS:
+ description: Use the Microsoft Azure DNS API to manage DNS01
+ challenge records.
+ properties:
+ clientID:
+ description: if both this and ClientSecret are left unset
+ MSI will be used
+ type: string
+ clientSecretSecretRef:
+ description: if both this and ClientID are left unset
+ MSI will be used
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ environment:
+ enum:
+ - AzurePublicCloud
+ - AzureChinaCloud
+ - AzureGermanCloud
+ - AzureUSGovernmentCloud
+ type: string
+ hostedZoneName:
+ type: string
+ resourceGroupName:
+ type: string
+ subscriptionID:
+ type: string
+ tenantID:
+ description: when specifying ClientID and ClientSecret
+ then this field is also needed
+ type: string
+ required:
+ - resourceGroupName
+ - subscriptionID
+ type: object
+ cloudDNS:
+ description: Use the Google Cloud DNS API to manage DNS01
+ challenge records.
+ properties:
+ hostedZoneName:
+ description: HostedZoneName is an optional field that
+ tells cert-manager in which Cloud DNS zone the challenge
+ record has to be created. If left empty cert-manager
+ will automatically choose a zone.
+ type: string
+ project:
+ type: string
+ serviceAccountSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - project
+ type: object
+ cloudflare:
+ description: Use the Cloudflare API to manage DNS01 challenge
+ records.
+ properties:
+ apiKeySecretRef:
+ description: 'API key to use to authenticate with Cloudflare.
+ Note: using an API token to authenticate is now the
+ recommended method as it allows greater control of permissions.'
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ apiTokenSecretRef:
+ description: API token used to authenticate with Cloudflare.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ email:
+ description: Email of the account, only required when
+ using API key based authentication.
+ type: string
+ type: object
+ cnameStrategy:
+ description: CNAMEStrategy configures how the DNS01 provider
+ should handle CNAME records when found in DNS zones.
+ enum:
+ - None
+ - Follow
+ type: string
+ digitalocean:
+ description: Use the DigitalOcean DNS API to manage DNS01
+ challenge records.
+ properties:
+ tokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - tokenSecretRef
+ type: object
+ rfc2136:
+ description: Use RFC2136 ("Dynamic Updates in the Domain Name
+ System") (https://datatracker.ietf.org/doc/rfc2136/) to
+ manage DNS01 challenge records.
+ properties:
+ nameserver:
+ description: The IP address or hostname of an authoritative
+ DNS server supporting RFC2136 in the form host:port.
+ If the host is an IPv6 address it must be enclosed in
+ square brackets (e.g [2001:db8::1])Â ; port is optional.
+ This field is required.
+ type: string
+ tsigAlgorithm:
+ description: 'The TSIG Algorithm configured in the DNS
+ supporting RFC2136. Used only when ``tsigSecretSecretRef``
+ and ``tsigKeyName`` are defined. Supported values are
+ be scheduled onto the node. If the anti-affinity
+ requirements specified by this field
+ cease to be met at some point during
+ pod execution (e.g. due to a pod label
+ update), the system may or may not try
+ to eventually evict the pod from its
+ node. When there are multiple elements,
+ the lists of nodes corresponding to
+ each podAffinityTerm are intersected,
+ i.e. all terms must be satisfied.
+ items:
+ description: Defines a set of pods (namely
+ those matching the labelSelector relative
+ to the given namespace(s)) that this
+ pod should be co-located (affinity)
+ or not co-located (anti-affinity)
+ with, where co-located is defined
+ as running on a node whose value of
+ the label with key <topologyKey> matches
+ that of any node on which a pod of
+ the set of pods is running
+ properties:
+ labelSelector:
+ description: A label query over
+ a set of resources, in this case
+ pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector
+ requirement is a selector
+ that contains values, a
+ key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: operator
+ represents a key's relationship
+ to a set of values.
+ Valid operators are
+ In, NotIn, Exists and
+ DoesNotExist.
+ type: string
+ values:
+ description: values is
+ an array of string values.
+ If the operator is In
+ or NotIn, the values
+ array must be non-empty.
+ If the operator is Exists
+ or DoesNotExist, the
+ values array must be
+ empty. This array is
+ replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is
+ a map of {key,value} pairs.
+ A single {key,value} in the
+ matchLabels map is equivalent
+ to an element of matchExpressions,
+ whose key field is "key",
+ the operator is "In", and
+ the values array contains
+ only "value". The requirements
+ are ANDed.
+ type: object
+ type: object
+ namespaces:
+ description: namespaces specifies
+ which namespaces the labelSelector
+ applies to (matches against);
+ null or empty list means "this
+ pod's namespace"
+ items:
+ type: string
+ type: array
+ topologyKey:
+ description: This pod should be
+ co-located (affinity) or not co-located
+ (anti-affinity) with the pods
+ matching the labelSelector in
+ the specified namespaces, where
+ co-located is defined as running
+ on a node whose value of the label
+ with key topologyKey matches that
+ of any node on which any of the
+ selected pods is running. Empty
+ topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ type: object
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: 'NodeSelector is a selector which
+ must be true for the pod to fit on a node. Selector
+ which must match a node''s labels for the pod
+ to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+ type: object
+ priorityClassName:
+ description: If specified, the pod's priorityClassName.
+ type: string
+ serviceAccountName:
+ description: If specified, the pod's service account
+ type: string
+ tolerations:
+ description: If specified, the pod's tolerations.
+ items:
+ description: The pod this Toleration is attached
+ to tolerates any taint that matches the triple
+ <key,value,effect> using the matching operator
+ <operator>.
+ properties:
+ effect:
+ description: Effect indicates the taint
+ effect to match. Empty means match all
+ taint effects. When specified, allowed
+ values are NoSchedule, PreferNoSchedule
+ and NoExecute.
+ type: string
+ key:
+ description: Key is the taint key that the
+ toleration applies to. Empty means match
+ all taint keys. If the key is empty, operator
+ must be Exists; this combination means
+ to match all values and all keys.
+ type: string
+ operator:
+ description: Operator represents a key's
+ relationship to the value. Valid operators
+ are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value,
+ so that a pod can tolerate all taints
+ of a particular category.
+ type: string
+ tolerationSeconds:
+ description: TolerationSeconds represents
+ the period of time the toleration (which
+ must be of effect NoExecute, otherwise
+ this field is ignored) tolerates the taint.
+ By default, it is not set, which means
+ tolerate the taint forever (do not evict).
+ Zero and negative values will be treated
+ as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: Value is the taint value the
+ toleration matches to. If the operator
+ is Exists, the value should be empty,
+ otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ serviceType:
+ description: Optional service type for Kubernetes solver
+ service
+ type: string
+ type: object
+ type: object
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate
+ resource that should be solved using this challenge solver.
+ If not specified, the solver will be treated as the 'default'
+ solver with the lowest priority, i.e. if any other solver has
+ a more specific match, it will be used instead.
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be used
+ to solve. If specified and a match is found, a dnsNames
+ selector will take precedence over a dnsZones selector.
+ If multiple solvers match with the same dnsNames value,
+ the solver with the most matching labels in matchLabels
+ will be selected. If neither has more matches, the solver
+ defined earlier in the list will be selected.
+ items:
+ type: string
+ type: array
+ dnsZones:
+ description: List of DNSZones that this solver will be used
+ to solve. The most specific DNS zone match specified here
+ will take precedence over other DNS zone matches, so a solver
+ specifying sys.example.com will be selected over one specifying
+ example.com for the domain www.sys.example.com. If multiple
+ solvers match with the same dnsZones value, the solver with
+ the most matching labels in matchLabels will be selected.
+ If neither has more matches, the solver defined earlier
+ in the list will be selected.
+ items:
+ type: string
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: A label selector that is used to refine the set
+ of certificate's that this challenge solver will apply to.
+ type: object
+ type: object
+ type: object
+ token:
+ description: The ACME challenge token for this challenge. This is
+ the raw value returned from the ACME server.
+ type: string
+ type:
+ description: The type of ACME challenge this resource represents.
+ One of "HTTP-01" or "DNS-01".
+ enum:
+ - HTTP-01
+ - DNS-01
+ type: string
+ url:
+ description: The URL of the ACME Challenge resource for this challenge.
+ This can be used to lookup details about the status of this challenge.
+ type: string
+ wildcard:
+ description: wildcard will be true if this challenge is for a wildcard
+ identifier, for example '*.example.com'.
+ type: boolean
+ required:
+ - authorizationURL
+ - dnsName
+ - issuerRef
+ - key
+ - solver
+ - token
+ - type
+ - url
+ type: object
+ status:
+ properties:
+ presented:
+ description: presented will be set to true if the challenge values
+ for this challenge are currently 'presented'. This *does not* imply
+ the self check is passing. Only that the values have been 'submitted'
+ for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+ has been presented, or the HTTP01 configuration has been configured).
+ type: boolean
+ processing:
+ description: Used to denote whether this challenge should be processed
+ or not. This field will only be set to true by the 'scheduling'
+ component. It will only be set to false by the 'challenges' controller,
+ after the challenge has reached a final state or timed out. If this
+ field is set to false, the challenge controller will not take any
+ more action.
+ type: boolean
+ reason:
+ description: Contains human readable information on why the Challenge
+ is in the current state.
+ type: string
+ state:
+ description: Contains the current 'state' of the challenge. If not
+ set, the state of the challenge is unknown.
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.state
+ name: State
+ type: string
+ - jsonPath: .spec.dnsName
+ name: Domain
+ type: string
+ - jsonPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: Challenge is a type to represent a Challenge request with an
+ ACME server
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ authorizationURL:
+ description: The URL to the ACME Authorization resource that this
+ challenge is a part of.
+ type: string
+ dnsName:
+ description: dnsName is the identifier that this challenge is for,
+ e.g. example.com. If the requested DNSName is a 'wildcard', this
+ field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+ it must be `example.com`.
+ type: string
+ issuerRef:
+ description: References a properly configured ACME-type Issuer which
+ should be used to create this Challenge. If the Issuer does not
+ exist, processing will be retried. If the Issuer is not an 'ACME'
+ Issuer, an error will be returned and the Challenge will be marked
+ as failed.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ key:
+ description: 'The ACME challenge key for this challenge For HTTP01
+ challenges, this is the value that must be responded with to complete
+ the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
+ from acme server for challenge>`. For DNS01 challenges, this is
+ the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+ from acme server for challenge>` text that must be set as the TXT
+ record content.'
+ type: string
+ solver:
+ description: Contains the domain solving configuration that should
+ be used to solve this challenge resource.
+ properties:
+ dns01:
+ description: Configures cert-manager to attempt to complete authorizations
+ by performing the DNS01 challenge flow.
+ properties:
+ acmeDNS:
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+ API to manage DNS01 challenge records.
+ properties:
+ accountSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ host:
+ type: string
+ required:
+ - accountSecretRef
+ - host
+ type: object
+ akamai:
+ description: Use the Akamai DNS zone management API to manage
+ DNS01 challenge records.
+ properties:
+ accessTokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ clientSecretSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ clientTokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ serviceConsumerDomain:
+ type: string
+ required:
+ - accessTokenSecretRef
+ - clientSecretSecretRef
+ - clientTokenSecretRef
+ - serviceConsumerDomain
+ type: object
+ azureDNS:
+ description: Use the Microsoft Azure DNS API to manage DNS01
+ challenge records.
+ properties:
+ clientID:
+ description: if both this and ClientSecret are left unset
+ MSI will be used
+ type: string
+ clientSecretSecretRef:
+ description: if both this and ClientID are left unset
+ MSI will be used
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ environment:
+ enum:
+ - AzurePublicCloud
+ - AzureChinaCloud
+ - AzureGermanCloud
+ - AzureUSGovernmentCloud
+ type: string
+ hostedZoneName:
+ type: string
+ resourceGroupName:
+ type: string
+ subscriptionID:
+ type: string
+ tenantID:
+ description: when specifying ClientID and ClientSecret
+ then this field is also needed
+ type: string
+ required:
+ - resourceGroupName
+ - subscriptionID
+ type: object
+ cloudDNS:
+ description: Use the Google Cloud DNS API to manage DNS01
+ challenge records.
+ properties:
+ hostedZoneName:
+ description: HostedZoneName is an optional field that
+ tells cert-manager in which Cloud DNS zone the challenge
+ record has to be created. If left empty cert-manager
+ will automatically choose a zone.
+ type: string
+ project:
+ type: string
+ serviceAccountSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - project
+ type: object
+ cloudflare:
+ description: Use the Cloudflare API to manage DNS01 challenge
+ records.
+ properties:
+ apiKeySecretRef:
+ description: 'API key to use to authenticate with Cloudflare.
+ Note: using an API token to authenticate is now the
+ recommended method as it allows greater control of permissions.'
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ apiTokenSecretRef:
+ description: API token used to authenticate with Cloudflare.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ email:
+ description: Email of the account, only required when
+ using API key based authentication.
+ type: string
+ type: object
+ cnameStrategy:
+ description: CNAMEStrategy configures how the DNS01 provider
+ should handle CNAME records when found in DNS zones.
+ enum:
+ - None
+ - Follow
+ type: string
+ digitalocean:
+ description: Use the DigitalOcean DNS API to manage DNS01
+ challenge records.
+ properties:
+ tokenSecretRef:
+ description: A reference to a specific 'key' within a
+ Secret resource. In some instances, `key` is a required
+ field.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - tokenSecretRef
+ type: object
+ rfc2136:
+ description: Use RFC2136 ("Dynamic Updates in the Domain Name
+ System") (https://datatracker.ietf.org/doc/rfc2136/) to
+ manage DNS01 challenge records.
+ properties:
+ nameserver:
+ description: The IP address or hostname of an authoritative
+ DNS server supporting RFC2136 in the form host:port.
+ If the host is an IPv6 address it must be enclosed in
+ square brackets (e.g [2001:db8::1])Â ; port is optional.
+ This field is required.
+ type: string
+ tsigAlgorithm:
+ description: 'The TSIG Algorithm configured in the DNS
+ supporting RFC2136. Used only when ``tsigSecretSecretRef``
+ and ``tsigKeyName`` are defined. Supported values are
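Review bot: the rfc2136 `nameserver` description contains a mis-encoded non-breaking space (`[2001:db8::1])Â ;`) that will be printed verbatim by `kubectl explain`; replace it with a plain ASCII space. Two smaller documentation points in the same region: the `key` description under `spec` runs two sentences together (`The ACME challenge key for this challenge For HTTP01 challenges, ...`) and needs a full stop, and the Azure DNS fields `hostedZoneName`, `resourceGroupName` and `subscriptionID` have no `description:` while every sibling field does. Also note that the `tenantID` description says the field is needed whenever `clientID` and `clientSecretSecretRef` are set, but `required` lists only `resourceGroupName` and `subscriptionID`, so that constraint is not expressed in the schema and must be checked by the controller or validating webhook; either say so in the description or add the check where the Issuer is validated.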
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: A ClusterIssuer represents a certificate issuing authority which
+ can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
+ however it is cluster-scoped and therefore can be referenced by resources
+ that exist in *any* namespace, not just the same namespace as the referent.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the ClusterIssuer resource.
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555
+ (ACME) server to obtain signed x509 certificates.
+ properties:
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account
+ key. If true, the Issuer resource will *not* request a new account
+ but will expect the account key to be supplied via an existing
+ secret. If false, the cert-manager system will generate a new
+ ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with
+ the ACME account. This field is optional, but it is strongly
+ recommended to be set. It will be used to contact you in case
+ of issues with your account or certificates, including expiry
+ notification emails. This field may be updated after the account
+ is initially registered.
+ type: string
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external
+ account of the ACME server. If set, upon registration cert-manager
+ will attempt to associate the given external account credentials
+ with the registered ACME account.
+ properties:
+ keyAlgorithm:
+ description: keyAlgorithm is the MAC key algorithm that the
+ key is used for. Valid values are "HS256", "HS384" and "HS512".
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ type: string
+ keyID:
+ description: keyID is the ID of the CA key that the External
+ Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing
+ a data item in a Kubernetes Secret which holds the symmetric
+ MAC key of the External Account Binding. The `key` is the
+ index string that is paired with the key data in the Secret
+ and should not be confused with the key data itself, or
+ indeed with the External Account Binding keyID above. The
+ secret key stored in the Secret **must** be un-padded, base64
+ URL encoded data.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - keyAlgorithm
+ - keyID
+ - keySecretRef
+ type: object
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server
+ outputs multiple. PreferredChain is no guarantee that this one
+ gets delivered by the ACME endpoint. For example, for Let''s
+ Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+ "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+ picks the first certificate bundle in the ACME alternative chains
+ that has a certificate with this value as its issuer''s CN'
+ maxLength: 64
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource
+ that will be used to store the automatically generated ACME
+ account private key. Optionally, a `key` may be specified to
+ select a specific entry within the named Secret resource. If
+ `key` is not specified, a default of `tls.key` will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field may
+ be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More
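Review bot: `privateKeySecretRef` on a cluster-scoped resource does not say which namespace the referenced Secret is read from (or written to, since the description says the generated account key is stored there), and `disableAccountKeyGeneration` tells users to pre-create that Secret without saying where it must live; add the namespace to both descriptions, since a ClusterIssuer can be referenced from any namespace but the Secret can only exist in one. Separately, `keyID` under `externalAccountBinding` is listed in `required` but has no `minLength: 1`, so an empty string passes schema validation and only fails later at ACME registration; the same applies to `name` under `keySecretRef`.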
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ description: A ClusterIssuer represents a certificate issuing authority which
+ can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
+ however it is cluster-scoped and therefore can be referenced by resources
+ that exist in *any* namespace, not just the same namespace as the referent.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the ClusterIssuer resource.
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555
+ (ACME) server to obtain signed x509 certificates.
+ properties:
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account
+ key. If true, the Issuer resource will *not* request a new account
+ but will expect the account key to be supplied via an existing
+ secret. If false, the cert-manager system will generate a new
+ ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with
+ the ACME account. This field is optional, but it is strongly
+ recommended to be set. It will be used to contact you in case
+ of issues with your account or certificates, including expiry
+ notification emails. This field may be updated after the account
+ is initially registered.
+ type: string
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external
+ account of the ACME server. If set, upon registration cert-manager
+ will attempt to associate the given external account credentials
+ with the registered ACME account.
+ properties:
+ keyAlgorithm:
+ description: keyAlgorithm is the MAC key algorithm that the
+ key is used for. Valid values are "HS256", "HS384" and "HS512".
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ type: string
+ keyID:
+ description: keyID is the ID of the CA key that the External
+ Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing
+ a data item in a Kubernetes Secret which holds the symmetric
+ MAC key of the External Account Binding. The `key` is the
+ index string that is paired with the key data in the Secret
+ and should not be confused with the key data itself, or
+ indeed with the External Account Binding keyID above. The
+ secret key stored in the Secret **must** be un-padded, base64
+ URL encoded data.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - keyAlgorithm
+ - keyID
+ - keySecretRef
+ type: object
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server
+ outputs multiple. PreferredChain is no guarantee that this one
+ gets delivered by the ACME endpoint. For example, for Let''s
+ Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+ "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+ picks the first certificate bundle in the ACME alternative chains
+ that has a certificate with this value as its issuer''s CN'
+ maxLength: 64
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource
+ that will be used to store the automatically generated ACME
+ account private key. Optionally, a `key` may be specified to
+ select a specific entry within the named Secret resource. If
+ `key` is not specified, a default of `tls.key` will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field may
+ be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More
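Review bot: the `preferredChain` description should state plainly that selection is a string match on the issuer CN of a certificate in each alternative chain and nothing more (no fingerprint or key identifier), so the field is a chain-selection hint and not a trust decision; the existing sentence that it is "no guarantee" hints at this but does not say why. Minor wording: `crosssign` should read `cross-sign`, and a short note that `maxLength: 64` mirrors the X.509 upper bound on a commonName would explain an otherwise arbitrary-looking limit.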
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: A ClusterIssuer represents a certificate issuing authority which
+ can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
+ however it is cluster-scoped and therefore can be referenced by resources
+ that exist in *any* namespace, not just the same namespace as the referent.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the ClusterIssuer resource.
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555
+ (ACME) server to obtain signed x509 certificates.
+ properties:
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account
+ key. If true, the Issuer resource will *not* request a new account
+ but will expect the account key to be supplied via an existing
+ secret. If false, the cert-manager system will generate a new
+ ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with
+ the ACME account. This field is optional, but it is strongly
+ recommended to be set. It will be used to contact you in case
+ of issues with your account or certificates, including expiry
+ notification emails. This field may be updated after the account
+ is initially registered.
+ type: string
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external
+ account of the ACME server. If set, upon registration cert-manager
+ will attempt to associate the given external account credentials
+ with the registered ACME account.
+ properties:
+ keyAlgorithm:
+ description: keyAlgorithm is the MAC key algorithm that the
+ key is used for. Valid values are "HS256", "HS384" and "HS512".
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ type: string
+ keyID:
+ description: keyID is the ID of the CA key that the External
+ Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing
+ a data item in a Kubernetes Secret which holds the symmetric
+ MAC key of the External Account Binding. The `key` is the
+ index string that is paired with the key data in the Secret
+ and should not be confused with the key data itself, or
+ indeed with the External Account Binding keyID above. The
+ secret key stored in the Secret **must** be un-padded, base64
+ URL encoded data.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - keyAlgorithm
+ - keyID
+ - keySecretRef
+ type: object
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server
+ outputs multiple. PreferredChain is no guarantee that this one
+ gets delivered by the ACME endpoint. For example, for Let''s
+ Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+ "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+ picks the first certificate bundle in the ACME alternative chains
+ that has a certificate with this value as its issuer''s CN'
+ maxLength: 64
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource
+ that will be used to store the automatically generated ACME
+ account private key. Optionally, a `key` may be specified to
+ select a specific entry within the named Secret resource. If
+ `key` is not specified, a default of `tls.key` will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field may
+ be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More
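Review bot: the `keySecretRef` description under `externalAccountBinding` says the MAC key **must** be un-padded base64url data, but nothing here says what happens when it is not (padded, or standard base64 with `+` and `/`); the controller should reject such a value with a clear status condition before any registration request is sent, and the description should say the value is validated. Style point for the same descriptions: Markdown emphasis (`**must**` here, `*not*` in `disableAccountKeyGeneration`, `*any*` in the top-level description) is printed literally by `kubectl explain`, so plain text reads better in CRD descriptions.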
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: A ClusterIssuer represents a certificate issuing authority which
+ can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
+ however it is cluster-scoped and therefore can be referenced by resources
+ that exist in *any* namespace, not just the same namespace as the referent.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the ClusterIssuer resource.
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555
+ (ACME) server to obtain signed x509 certificates.
+ properties:
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account
+ key. If true, the Issuer resource will *not* request a new account
+ but will expect the account key to be supplied via an existing
+ secret. If false, the cert-manager system will generate a new
+ ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with
+ the ACME account. This field is optional, but it is strongly
+ recommended to be set. It will be used to contact you in case
+ of issues with your account or certificates, including expiry
+ notification emails. This field may be updated after the account
+ is initially registered.
+ type: string
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external
+ account of the ACME server. If set, upon registration cert-manager
+ will attempt to associate the given external account credentials
+ with the registered ACME account.
+ properties:
+ keyAlgorithm:
+ description: keyAlgorithm is the MAC key algorithm that the
+ key is used for. Valid values are "HS256", "HS384" and "HS512".
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ type: string
+ keyID:
+ description: keyID is the ID of the CA key that the External
+ Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing
+ a data item in a Kubernetes Secret which holds the symmetric
+ MAC key of the External Account Binding. The `key` is the
+ index string that is paired with the key data in the Secret
+ and should not be confused with the key data itself, or
+ indeed with the External Account Binding keyID above. The
+ secret key stored in the Secret **must** be un-padded, base64
+ URL encoded data.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - keyAlgorithm
+ - keyID
+ - keySecretRef
+ type: object
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server
+ outputs multiple. PreferredChain is no guarantee that this one
+ gets delivered by the ACME endpoint. For example, for Let''s
+ Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+ "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+ picks the first certificate bundle in the ACME alternative chains
+ that has a certificate with this value as its issuer''s CN'
+ maxLength: 64
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource
+ that will be used to store the automatically generated ACME
+ account private key. Optionally, a `key` may be specified to
+ select a specific entry within the named Secret resource. If
+ `key` is not specified, a default of `tls.key` will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field may
+ be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: An Issuer represents a certificate issuing authority which can
+ be referenced as part of `issuerRef` fields. It is scoped to a single namespace
+ and can therefore only be referenced by resources within the same namespace.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the Issuer resource.
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555
+ (ACME) server to obtain signed x509 certificates.
+ properties:
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account
+ key. If true, the Issuer resource will *not* request a new account
+ but will expect the account key to be supplied via an existing
+ secret. If false, the cert-manager system will generate a new
+ ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with
+ the ACME account. This field is optional, but it is strongly
+ recommended to be set. It will be used to contact you in case
+ of issues with your account or certificates, including expiry
+ notification emails. This field may be updated after the account
+ is initially registered.
+ type: string
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external
+ account of the ACME server. If set, upon registration cert-manager
+ will attempt to associate the given external account credentials
+ with the registered ACME account.
+ properties:
+ keyAlgorithm:
+ description: keyAlgorithm is the MAC key algorithm that the
+ key is used for. Valid values are "HS256", "HS384" and "HS512".
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ type: string
+ keyID:
+ description: keyID is the ID of the CA key that the External
+ Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing
+ a data item in a Kubernetes Secret which holds the symmetric
+ MAC key of the External Account Binding. The `key` is the
+ index string that is paired with the key data in the Secret
+ and should not be confused with the key data itself, or
+ indeed with the External Account Binding keyID above. The
+ secret key stored in the Secret **must** be un-padded, base64
+ URL encoded data.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - keyAlgorithm
+ - keyID
+ - keySecretRef
+ type: object
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server
+ outputs multiple. PreferredChain is no guarantee that this one
+ gets delivered by the ACME endpoint. For example, for Let''s
+ Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+ "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+ picks the first certificate bundle in the ACME alternative chains
+ that has a certificate with this value as its issuer''s CN'
+ maxLength: 64
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource
+ that will be used to store the automatically generated ACME
+ account private key. Optionally, a `key` may be specified to
+ select a specific entry within the named Secret resource. If
+ `key` is not specified, a default of `tls.key` will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field may
+ be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ description: An Issuer represents a certificate issuing authority which can
+ be referenced as part of `issuerRef` fields. It is scoped to a single namespace
+ and can therefore only be referenced by resources within the same namespace.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the Issuer resource.
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555
+ (ACME) server to obtain signed x509 certificates.
+ properties:
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account
+ key. If true, the Issuer resource will *not* request a new account
+ but will expect the account key to be supplied via an existing
+ secret. If false, the cert-manager system will generate a new
+ ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with
+ the ACME account. This field is optional, but it is strongly
+ recommended to be set. It will be used to contact you in case
+ of issues with your account or certificates, including expiry
+ notification emails. This field may be updated after the account
+ is initially registered.
+ type: string
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external
+ account of the ACME server. If set, upon registration cert-manager
+ will attempt to associate the given external account credentials
+ with the registered ACME account.
+ properties:
+ keyAlgorithm:
+ description: keyAlgorithm is the MAC key algorithm that the
+ key is used for. Valid values are "HS256", "HS384" and "HS512".
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ type: string
+ keyID:
+ description: keyID is the ID of the CA key that the External
+ Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing
+ a data item in a Kubernetes Secret which holds the symmetric
+ MAC key of the External Account Binding. The `key` is the
+ index string that is paired with the key data in the Secret
+ and should not be confused with the key data itself, or
+ indeed with the External Account Binding keyID above. The
+ secret key stored in the Secret **must** be un-padded, base64
+ URL encoded data.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - keyAlgorithm
+ - keyID
+ - keySecretRef
+ type: object
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server
+ outputs multiple. PreferredChain is no guarantee that this one
+ gets delivered by the ACME endpoint. For example, for Let''s
+ Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+ "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+ picks the first certificate bundle in the ACME alternative chains
+ that has a certificate with this value as its issuer''s CN'
+ maxLength: 64
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource
+ that will be used to store the automatically generated ACME
+ account private key. Optionally, a `key` may be specified to
+ select a specific entry within the named Secret resource. If
+ `key` is not specified, a default of `tls.key` will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field may
+ be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: An Issuer represents a certificate issuing authority which can
+ be referenced as part of `issuerRef` fields. It is scoped to a single namespace
+ and can therefore only be referenced by resources within the same namespace.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the Issuer resource.
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555
+ (ACME) server to obtain signed x509 certificates.
+ properties:
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account
+ key. If true, the Issuer resource will *not* request a new account
+ but will expect the account key to be supplied via an existing
+ secret. If false, the cert-manager system will generate a new
+ ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with
+ the ACME account. This field is optional, but it is strongly
+ recommended to be set. It will be used to contact you in case
+ of issues with your account or certificates, including expiry
+ notification emails. This field may be updated after the account
+ is initially registered.
+ type: string
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external
+ account of the ACME server. If set, upon registration cert-manager
+ will attempt to associate the given external account credentials
+ with the registered ACME account.
+ properties:
+ keyAlgorithm:
+ description: keyAlgorithm is the MAC key algorithm that the
+ key is used for. Valid values are "HS256", "HS384" and "HS512".
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ type: string
+ keyID:
+ description: keyID is the ID of the CA key that the External
+ Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing
+ a data item in a Kubernetes Secret which holds the symmetric
+ MAC key of the External Account Binding. The `key` is the
+ index string that is paired with the key data in the Secret
+ and should not be confused with the key data itself, or
+ indeed with the External Account Binding keyID above. The
+ secret key stored in the Secret **must** be un-padded, base64
+ URL encoded data.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - keyAlgorithm
+ - keyID
+ - keySecretRef
+ type: object
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server
+ outputs multiple. PreferredChain is no guarantee that this one
+ gets delivered by the ACME endpoint. For example, for Let''s
+ Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+ "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+ picks the first certificate bundle in the ACME alternative chains
+ that has a certificate with this value as its issuer''s CN'
+ maxLength: 64
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource
+ that will be used to store the automatically generated ACME
+ account private key. Optionally, a `key` may be specified to
+ select a specific entry within the named Secret resource. If
+ `key` is not specified, a default of `tls.key` will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field may
+ be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: An Issuer represents a certificate issuing authority which can
+ be referenced as part of `issuerRef` fields. It is scoped to a single namespace
+ and can therefore only be referenced by resources within the same namespace.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the Issuer resource.
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555
+ (ACME) server to obtain signed x509 certificates.
+ properties:
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account
+ key. If true, the Issuer resource will *not* request a new account
+ but will expect the account key to be supplied via an existing
+ secret. If false, the cert-manager system will generate a new
+ ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with
+ the ACME account. This field is optional, but it is strongly
+ recommended to be set. It will be used to contact you in case
+ of issues with your account or certificates, including expiry
+ notification emails. This field may be updated after the account
+ is initially registered.
+ type: string
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external
+ account of the ACME server. If set, upon registration cert-manager
+ will attempt to associate the given external account credentials
+ with the registered ACME account.
+ properties:
+ keyAlgorithm:
+ description: keyAlgorithm is the MAC key algorithm that the
+ key is used for. Valid values are "HS256", "HS384" and "HS512".
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ type: string
+ keyID:
+ description: keyID is the ID of the CA key that the External
+ Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing
+ a data item in a Kubernetes Secret which holds the symmetric
+ MAC key of the External Account Binding. The `key` is the
+ index string that is paired with the key data in the Secret
+ and should not be confused with the key data itself, or
+ indeed with the External Account Binding keyID above. The
+ secret key stored in the Secret **must** be un-padded, base64
+ URL encoded data.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - keyAlgorithm
+ - keyID
+ - keySecretRef
+ type: object
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server
+ outputs multiple. PreferredChain is no guarantee that this one
+ gets delivered by the ACME endpoint. For example, for Let''s
+ Encrypt''s DST crosssign you would use: "DST Root CA X3" or
+ "ISRG Root X1" for the newer Let''s Encrypt root CA. This value
+ picks the first certificate bundle in the ACME alternative chains
+ that has a certificate with this value as its issuer''s CN'
+ maxLength: 64
+ type: string
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource
+ that will be used to store the automatically generated ACME
+ account private key. Optionally, a `key` may be specified to
+ select a specific entry within the named Secret resource. If
+ `key` is not specified, a default of `tls.key` will be used.
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field may
+ be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: Order is a type to represent an Order with an ACME server
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ commonName:
+ description: CommonName is the common name as specified on the DER
+ encoded CSR. If specified, this value must also be present in `dnsNames`.
+ This field must match the corresponding field on the DER encoded
+ CSR.
+ type: string
+ csr:
+ description: Certificate signing request bytes in DER encoding. This
+ will be used when finalizing the order. This field must be set on
+ the order.
+ format: byte
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS names that should be included
+ as part of the Order validation process. This field must match the
+ corresponding field on the DER encoded CSR.
+ items:
+ type: string
+ type: array
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type
+ Issuer which should be used to create this Order. If the Issuer
+ does not exist, processing will be retried. If the Issuer is not
+ an 'ACME' Issuer, an error will be returned and the Order will be
+ marked as failed.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - csr
+ - dnsNames
+ - issuerRef
+ type: object
+ status:
+ properties:
+ authorizations:
+ description: Authorizations contains data returned from the ACME server
+ on what authorizations must be completed in order to validate the
+ DNS names specified on the Order.
+ items:
+ description: ACMEAuthorization contains data returned from the ACME
+ server on an authorization that must be completed in order validate
+ a DNS name on an ACME Order resource.
+ properties:
+ challenges:
+ description: Challenges specifies the challenge types offered
+ by the ACME server. One of these challenge types will be selected
+ when validating the DNS name and an appropriate Challenge
+ resource will be created to perform the ACME challenge process.
+ items:
+ description: Challenge specifies a challenge offered by the
+ ACME server for an Order. An appropriate Challenge resource
+ can be created to perform the ACME challenge process.
+ properties:
+ token:
+ description: Token is the token that must be presented
+ for this challenge. This is used to compute the 'key'
+ that must also be presented.
+ type: string
+ type:
+ description: Type is the type of challenge being offered,
+ e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
+ the raw value retrieved from the ACME server. Only 'http-01'
+ and 'dns-01' are supported by cert-manager, other values
+ will be ignored.
+ type: string
+ url:
+ description: URL is the URL of this challenge. It can
+ be used to retrieve additional metadata about the Challenge
+ from the ACME server.
+ type: string
+ required:
+ - token
+ - type
+ - url
+ type: object
+ type: array
+ identifier:
+ description: Identifier is the DNS name to be validated as part
+ of this authorization
+ type: string
+ initialState:
+ description: InitialState is the initial state of the ACME authorization
+ when first fetched from the ACME server. If an Authorization
+ is already 'valid', the Order controller will not create a
+ Challenge resource for the authorization. This will occur
+ when working with an ACME server that enables 'authz reuse'
+ (such as Let's Encrypt's production endpoint). If not set
+ and 'identifier' is set, the state is assumed to be pending
+ and a Challenge will be created.
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ url:
+ description: URL is the URL of the Authorization that must be
+ completed
+ type: string
+ wildcard:
+ description: Wildcard will be true if this authorization is
+ for a wildcard DNS name. If this is true, the identifier will
+ be the *non-wildcard* version of the DNS name. For example,
+ if '*.example.com' is the DNS name being validated, this field
+ will be 'true' and the 'identifier' field will be 'example.com'.
+ type: boolean
+ required:
+ - url
+ type: object
+ type: array
+ certificate:
+ description: Certificate is a copy of the PEM encoded certificate
+ for this Order. This field will be populated after the order has
+ been successfully finalized with the ACME server, and the order
+ has transitioned to the 'valid' state.
+ format: byte
+ type: string
+ failureTime:
+ description: FailureTime stores the time that this order failed. This
+ is used to influence garbage collection and back-off.
+ format: date-time
+ type: string
+ finalizeURL:
+ description: FinalizeURL of the Order. This is used to obtain certificates
+ for this order once it has been completed.
+ type: string
+ reason:
+ description: Reason optionally provides more information about a why
+ the order is in the current state.
+ type: string
+ state:
+ description: State contains the current state of this Order resource.
+ States 'success' and 'expired' are 'final'
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ url:
+ description: URL of the Order. This will initially be empty when the
+ resource is first created. The Order controller will populate this
+ field when the Order is first processed. This field will be immutable
+ after it is initially set.
+ type: string
+ type: object
+ required:
+ - metadata
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.state
+ name: State
+ type: string
+ - jsonPath: .spec.issuerRef.name
+ name: Issuer
+ priority: 1
+ type: string
+ - jsonPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ description: Order is a type to represent an Order with an ACME server
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ commonName:
+ description: CommonName is the common name as specified on the DER
+ encoded CSR. If specified, this value must also be present in `dnsNames`.
+ This field must match the corresponding field on the DER encoded
+ CSR.
+ type: string
+ csr:
+ description: Certificate signing request bytes in DER encoding. This
+ will be used when finalizing the order. This field must be set on
+ the order.
+ format: byte
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS names that should be included
+ as part of the Order validation process. This field must match the
+ corresponding field on the DER encoded CSR.
+ items:
+ type: string
+ type: array
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type
+ Issuer which should be used to create this Order. If the Issuer
+ does not exist, processing will be retried. If the Issuer is not
+ an 'ACME' Issuer, an error will be returned and the Order will be
+ marked as failed.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - csr
+ - dnsNames
+ - issuerRef
+ type: object
+ status:
+ properties:
+ authorizations:
+ description: Authorizations contains data returned from the ACME server
+ on what authorizations must be completed in order to validate the
+ DNS names specified on the Order.
+ items:
+ description: ACMEAuthorization contains data returned from the ACME
+ server on an authorization that must be completed in order validate
+ a DNS name on an ACME Order resource.
+ properties:
+ challenges:
+ description: Challenges specifies the challenge types offered
+ by the ACME server. One of these challenge types will be selected
+ when validating the DNS name and an appropriate Challenge
+ resource will be created to perform the ACME challenge process.
+ items:
+ description: Challenge specifies a challenge offered by the
+ ACME server for an Order. An appropriate Challenge resource
+ can be created to perform the ACME challenge process.
+ properties:
+ token:
+ description: Token is the token that must be presented
+ for this challenge. This is used to compute the 'key'
+ that must also be presented.
+ type: string
+ type:
+ description: Type is the type of challenge being offered,
+ e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
+ the raw value retrieved from the ACME server. Only 'http-01'
+ and 'dns-01' are supported by cert-manager, other values
+ will be ignored.
+ type: string
+ url:
+ description: URL is the URL of this challenge. It can
+ be used to retrieve additional metadata about the Challenge
+ from the ACME server.
+ type: string
+ required:
+ - token
+ - type
+ - url
+ type: object
+ type: array
+ identifier:
+ description: Identifier is the DNS name to be validated as part
+ of this authorization
+ type: string
+ initialState:
+ description: InitialState is the initial state of the ACME authorization
+ when first fetched from the ACME server. If an Authorization
+ is already 'valid', the Order controller will not create a
+ Challenge resource for the authorization. This will occur
+ when working with an ACME server that enables 'authz reuse'
+ (such as Let's Encrypt's production endpoint). If not set
+ and 'identifier' is set, the state is assumed to be pending
+ and a Challenge will be created.
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ url:
+ description: URL is the URL of the Authorization that must be
+ completed
+ type: string
+ wildcard:
+ description: Wildcard will be true if this authorization is
+ for a wildcard DNS name. If this is true, the identifier will
+ be the *non-wildcard* version of the DNS name. For example,
+ if '*.example.com' is the DNS name being validated, this field
+ will be 'true' and the 'identifier' field will be 'example.com'.
+ type: boolean
+ required:
+ - url
+ type: object
+ type: array
+ certificate:
+ description: Certificate is a copy of the PEM encoded certificate
+ for this Order. This field will be populated after the order has
+ been successfully finalized with the ACME server, and the order
+ has transitioned to the 'valid' state.
+ format: byte
+ type: string
+ failureTime:
+ description: FailureTime stores the time that this order failed. This
+ is used to influence garbage collection and back-off.
+ format: date-time
+ type: string
+ finalizeURL:
+ description: FinalizeURL of the Order. This is used to obtain certificates
+ for this order once it has been completed.
+ type: string
+ reason:
+ description: Reason optionally provides more information about a why
+ the order is in the current state.
+ type: string
+ state:
+ description: State contains the current state of this Order resource.
+ States 'success' and 'expired' are 'final'
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ url:
+ description: URL of the Order. This will initially be empty when the
+ resource is first created. The Order controller will populate this
+ field when the Order is first processed. This field will be immutable
+ after it is initially set.
+ type: string
+ type: object
+ required:
+ - metadata
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.state
+ name: State
+ type: string
+ - jsonPath: .spec.issuerRef.name
+ name: Issuer
+ priority: 1
+ type: string
+ - jsonPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: Order is a type to represent an Order with an ACME server
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ commonName:
+ description: CommonName is the common name as specified on the DER
+ encoded CSR. If specified, this value must also be present in `dnsNames`.
+ This field must match the corresponding field on the DER encoded
+ CSR.
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS names that should be included
+ as part of the Order validation process. This field must match the
+ corresponding field on the DER encoded CSR.
+ items:
+ type: string
+ type: array
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type
+ Issuer which should be used to create this Order. If the Issuer
+ does not exist, processing will be retried. If the Issuer is not
+ an 'ACME' Issuer, an error will be returned and the Order will be
+ marked as failed.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ request:
+ description: Certificate signing request bytes in DER encoding. This
+ will be used when finalizing the order. This field must be set on
+ the order.
+ format: byte
+ type: string
+ required:
+ - dnsNames
+ - issuerRef
+ - request
+ type: object
+ status:
+ properties:
+ authorizations:
+ description: Authorizations contains data returned from the ACME server
+ on what authorizations must be completed in order to validate the
+ DNS names specified on the Order.
+ items:
+ description: ACMEAuthorization contains data returned from the ACME
+ server on an authorization that must be completed in order validate
+ a DNS name on an ACME Order resource.
+ properties:
+ challenges:
+ description: Challenges specifies the challenge types offered
+ by the ACME server. One of these challenge types will be selected
+ when validating the DNS name and an appropriate Challenge
+ resource will be created to perform the ACME challenge process.
+ items:
+ description: Challenge specifies a challenge offered by the
+ ACME server for an Order. An appropriate Challenge resource
+ can be created to perform the ACME challenge process.
+ properties:
+ token:
+ description: Token is the token that must be presented
+ for this challenge. This is used to compute the 'key'
+ that must also be presented.
+ type: string
+ type:
+ description: Type is the type of challenge being offered,
+ e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
+ the raw value retrieved from the ACME server. Only 'http-01'
+ and 'dns-01' are supported by cert-manager, other values
+ will be ignored.
+ type: string
+ url:
+ description: URL is the URL of this challenge. It can
+ be used to retrieve additional metadata about the Challenge
+ from the ACME server.
+ type: string
+ required:
+ - token
+ - type
+ - url
+ type: object
+ type: array
+ identifier:
+ description: Identifier is the DNS name to be validated as part
+ of this authorization
+ type: string
+ initialState:
+ description: InitialState is the initial state of the ACME authorization
+ when first fetched from the ACME server. If an Authorization
+ is already 'valid', the Order controller will not create a
+ Challenge resource for the authorization. This will occur
+ when working with an ACME server that enables 'authz reuse'
+ (such as Let's Encrypt's production endpoint). If not set
+ and 'identifier' is set, the state is assumed to be pending
+ and a Challenge will be created.
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ url:
+ description: URL is the URL of the Authorization that must be
+ completed
+ type: string
+ wildcard:
+ description: Wildcard will be true if this authorization is
+ for a wildcard DNS name. If this is true, the identifier will
+ be the *non-wildcard* version of the DNS name. For example,
+ if '*.example.com' is the DNS name being validated, this field
+ will be 'true' and the 'identifier' field will be 'example.com'.
+ type: boolean
+ required:
+ - url
+ type: object
+ type: array
+ certificate:
+ description: Certificate is a copy of the PEM encoded certificate
+ for this Order. This field will be populated after the order has
+ been successfully finalized with the ACME server, and the order
+ has transitioned to the 'valid' state.
+ format: byte
+ type: string
+ failureTime:
+ description: FailureTime stores the time that this order failed. This
+ is used to influence garbage collection and back-off.
+ format: date-time
+ type: string
+ finalizeURL:
+ description: FinalizeURL of the Order. This is used to obtain certificates
+ for this order once it has been completed.
+ type: string
+ reason:
+ description: Reason optionally provides more information about a why
+ the order is in the current state.
+ type: string
+ state:
+ description: State contains the current state of this Order resource.
+ States 'success' and 'expired' are 'final'
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ url:
+ description: URL of the Order. This will initially be empty when the
+ resource is first created. The Order controller will populate this
+ field when the Order is first processed. This field will be immutable
+ after it is initially set.
+ type: string
+ type: object
+ required:
+ - metadata
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.state
+ name: State
+ type: string
+ - jsonPath: .spec.issuerRef.name
+ name: Issuer
+ priority: 1
+ type: string
+ - jsonPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - description: CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: Order is a type to represent an Order with an ACME server
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ commonName:
+ description: CommonName is the common name as specified on the DER
+ encoded CSR. If specified, this value must also be present in `dnsNames`.
+ This field must match the corresponding field on the DER encoded
+ CSR.
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS names that should be included
+ as part of the Order validation process. This field must match the
+ corresponding field on the DER encoded CSR.
+ items:
+ type: string
+ type: array
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type
+ Issuer which should be used to create this Order. If the Issuer
+ does not exist, processing will be retried. If the Issuer is not
+ an 'ACME' Issuer, an error will be returned and the Order will be
+ marked as failed.
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ required:
+ - name
+ type: object
+ request:
+ description: Certificate signing request bytes in DER encoding. This
+ will be used when finalizing the order. This field must be set on
+ the order.
+ format: byte
+ type: string
+ required:
+ - dnsNames
+ - issuerRef
+ - request
+ type: object
+ status:
+ properties:
+ authorizations:
+ description: Authorizations contains data returned from the ACME server
+ on what authorizations must be completed in order to validate the
+ DNS names specified on the Order.
+ items:
+ description: ACMEAuthorization contains data returned from the ACME
+ server on an authorization that must be completed in order validate
+ a DNS name on an ACME Order resource.
+ properties:
+ challenges:
+ description: Challenges specifies the challenge types offered
+ by the ACME server. One of these challenge types will be selected
+ when validating the DNS name and an appropriate Challenge
+ resource will be created to perform the ACME challenge process.
+ items:
+ description: Challenge specifies a challenge offered by the
+ ACME server for an Order. An appropriate Challenge resource
+ can be created to perform the ACME challenge process.
+ properties:
+ token:
+ description: Token is the token that must be presented
+ for this challenge. This is used to compute the 'key'
+ that must also be presented.
+ type: string
+ type:
+ description: Type is the type of challenge being offered,
+ e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
+ the raw value retrieved from the ACME server. Only 'http-01'
+ and 'dns-01' are supported by cert-manager, other values
+ will be ignored.
+ type: string
+ url:
+ description: URL is the URL of this challenge. It can
+ be used to retrieve additional metadata about the Challenge
+ from the ACME server.
+ type: string
+ required:
+ - token
+ - type
+ - url
+ type: object
+ type: array
+ identifier:
+ description: Identifier is the DNS name to be validated as part
+ of this authorization
+ type: string
+ initialState:
+ description: InitialState is the initial state of the ACME authorization
+ when first fetched from the ACME server. If an Authorization
+ is already 'valid', the Order controller will not create a
+ Challenge resource for the authorization. This will occur
+ when working with an ACME server that enables 'authz reuse'
+ (such as Let's Encrypt's production endpoint). If not set
+ and 'identifier' is set, the state is assumed to be pending
+ and a Challenge will be created.
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ url:
+ description: URL is the URL of the Authorization that must be
+ completed
+ type: string
+ wildcard:
+ description: Wildcard will be true if this authorization is
+ for a wildcard DNS name. If this is true, the identifier will
+ be the *non-wildcard* version of the DNS name. For example,
+ if '*.example.com' is the DNS name being validated, this field
+ will be 'true' and the 'identifier' field will be 'example.com'.
+ type: boolean
+ required:
+ - url
+ type: object
+ type: array
+ certificate:
+ description: Certificate is a copy of the PEM encoded certificate
+ for this Order. This field will be populated after the order has
+ been successfully finalized with the ACME server, and the order
+ has transitioned to the 'valid' state.
+ format: byte
+ type: string
+ failureTime:
+ description: FailureTime stores the time that this order failed. This
+ is used to influence garbage collection and back-off.
+ format: date-time
+ type: string
+ finalizeURL:
+ description: FinalizeURL of the Order. This is used to obtain certificates
+ for this order once it has been completed.
+ type: string
+ reason:
+ description: Reason optionally provides more information about a why
+ the order is in the current state.
+ type: string
+ state:
+ description: State contains the current state of this Order resource.
+ States 'success' and 'expired' are 'final'
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ type: string
+ url:
+ description: URL of the Order. This will initially be empty when the
+ resource is first created. The Order controller will populate this
+ field when the Order is first processed. This field will be immutable
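Review bot: The `state` description under the Order `status` schema says "States 'success' and 'expired' are 'final'", but the enum directly below it has no `success` value (it lists valid, ready, pending, processing, invalid, expired, errored); the terminal success state named elsewhere in this same schema is `valid` (the `certificate` field is populated "once the order has transitioned to the 'valid' state"), so the description should read `States 'valid' and 'expired' are 'final'`, and since the identical text recurs under the v1beta1 and v1 versions it needs fixing in all three places. Two smaller wording slips recur across the versions as well: `about a why the order is in the current state` (stray `a`) in the `reason` description, and `must be completed in order validate a DNS name` (missing `to`) in the ACMEAuthorization description. Lastly, the first version in this hunk carries the DER CSR under `csr` and requires only `metadata`, while v1beta1 and v1 carry it under `request` and require both `metadata` and `spec`; that is only safe if the conversion between these versions maps `csr` to `request` in both directions, so a short comment beside the `csr` property recording the rename would save the next reader from rediscovering it by diffing the versions.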