--- a/10-cert-manager.yaml Sat Nov 21 02:19:20 2020 -0600
+++ b/10-cert-manager.yaml Sat Nov 21 02:19:48 2020 -0600
@@ -1,4 +1,4 @@
-# This is the official 0.15.2 cert-manager.yaml manifest+# This is the official 0.16.1 cert-manager.yaml manifest # from https://github.com/jetstack/cert-manager/releases. No changes, aside
# from this header have been made.
@@ -30,7 +30,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'+ helm.sh/chart: 'cert-manager-v0.16.1' additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@@ -77,157 +77,512 @@
+ description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a 'one-shot' resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the CertificateRequest resource. + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a + ClusterIssuer with the provided name will be used. The 'name' field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to 'cert-manager.io' + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: Status of the CertificateRequest. This is set and managed + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready', + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off.
- description: CertificateRequest is a type to represent a Certificate Signing- description: 'APIVersion defines the versioned schema of this representation- of an object. Servers should convert recognized schemas to the latest- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'- description: 'Kind is a string value representing the REST resource this- object represents. Servers may infer this from the endpoint the client- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'- description: CertificateRequestSpec defines the desired state of CertificateRequest- description: Byte slice containing the PEM encoded CertificateSigningRequest- description: Requested certificate default Duration- description: IsCA will mark the resulting certificate as valid for signing.- This implies that the 'cert sign' usage is set- description: IssuerRef is a reference to the issuer for this CertificateRequest. If- the 'kind' field is not set, or set to 'Issuer', an Issuer resource- with the given name in the same namespace as the CertificateRequest- will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer- with the provided name will be used. The 'name' field in this stanza- is required at all times. The group field refers to the API group- of the issuer which defaults to 'cert-manager.io' if empty.- description: Usages is the set of x509 actions that are enabled for- a given key. Defaults are ('digital signature', 'key encipherment')- description: 'KeyUsage specifies valid usage contexts for keys. See:- https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12- Valid KeyUsage values are as follows: "signing", "digital signature",- "content commitment", "key encipherment", "key agreement", "data- encipherment", "cert sign", "crl sign", "encipher only", "decipher- only", "any", "server auth", "client auth", "code signing", "email- protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec- user", "timestamping", "ocsp signing", "microsoft sgc", "netscape- description: CertificateStatus defines the observed state of CertificateRequest- and resulting signed certificate.- description: Byte slice containing the PEM encoded certificate authority- of the signed certificate.- description: Byte slice containing a PEM encoded signed certificate- resulting from the given certificate signing request.- description: CertificateRequestCondition contains condition information- for a CertificateRequest.+ description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a 'one-shot' resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the CertificateRequest resource. + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a + ClusterIssuer with the provided name will be used. The 'name' field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to 'cert-manager.io'
- description: LastTransitionTime is the timestamp corresponding- to the last status change of this condition.- description: Message is a human readable description of the details- of the last transition, complementing reason.- description: Reason is a brief machine readable explanation for- the condition's last transition.- description: Status of the condition, one of ('True', 'False',- description: Type of the condition, currently ('Ready', 'InvalidRequest').- description: FailureTime stores the time that this CertificateRequest- failed. This is used to influence garbage collection and back-off.+ description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: Status of the CertificateRequest. This is set and managed + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready', + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a 'one-shot' resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the CertificateRequest resource. + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a + ClusterIssuer with the provided name will be used. The 'name' field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to 'cert-manager.io' + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: Status of the CertificateRequest. This is set and managed + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready', + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. # Source: cert-manager/templates/templates.regular.out
apiVersion: apiextensions.k8s.io/v1beta1
@@ -241,7 +596,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'+ helm.sh/chart: 'cert-manager-v0.16.1' additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@@ -293,7 +648,10 @@
- description: Certificate is a type to represent a Certificate from ACME+ description: "A Certificate resource should be created to ensure an up to + date and signed x509 certificate is stored in the Kubernetes Secret resource + named in `spec.secretName`. \n The stored certificate will be renewed before + it expires (as configured by `spec.renewBefore`)." @@ -309,9 +667,7 @@
- description: CertificateSpec defines the desired state of Certificate.- A valid Certificate requires at least one of a CommonName, DNSName,+ description: Desired state of the Certificate resource. @@ -324,29 +680,34 @@
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
- description: DNSNames is a list of subject alt names to be used on+ description: DNSNames is a list of DNS subjectAltNames to be set on - description: Certificate default Duration+ description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If overridden + and `renewBefore` is greater than the actual certificate duration, + the certificate will be automatically renewed 2/3rds of the way + through the certificate's duration. - description: EmailSANs is a list of Email Subject Alternative Names- to be set on this Certificate.+ description: EmailSANs is a list of email subjectAltNames to be set - description: IPAddresses is a list of IP addresses to be used on the+ description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. - description: IsCA will mark this Certificate as valid for signing.- This implies that the 'cert sign' usage is set+ description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the description: IssuerRef is a reference to the issuer for this certificate.
@@ -360,15 +721,18 @@
+ description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. description: KeyAlgorithm is the private key algorithm of the corresponding
private key for this certificate. If provided, allowed values are
- either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize+ either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for "ecdsa" key algorithm
and key size of 2048 will be used for "rsa" key algorithm.
@@ -387,10 +751,11 @@
description: KeySize is the key bit size of the corresponding private
- key for this certificate. If provided, value must be between 2048- and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",- and value must be one of (256, 384, 521) when KeyAlgorithm is set+ key for this certificate. If `keyAlgorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not specified. + No other values are allowed. @@ -423,12 +788,13 @@
- description: The key of the secret to select from. Must+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'+ description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: PKCS12 configures options for storing a PKCS12 keystore
@@ -454,15 +820,17 @@
- description: The key of the secret to select from. Must+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'+ description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - description: Organization is the organization to be used on the Certificate+ description: Organization is a list of organizations to be used on @@ -482,11 +850,17 @@
- description: Certificate renew before expiration duration+ description: The amount of time before the currently issued certificate's + `notAfter` time that cert-manager will begin to attempt to renew + the certificate. If this value is greater than the total duration + of the certificate (i.e. notAfter - notBefore), it will be automatically + renewed 2/3rds of the way through the certificate's duration. - description: SecretName is the name of the secret resource to store+ description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
@@ -526,15 +900,15 @@
- description: URISANs is a list of URI Subject Alternative Names to- be set on this Certificate.+ description: URISANs is a list of URI subjectAltNames to be set on - description: Usages is the set of x509 actions that are enabled for- a given key. Defaults are ('digital signature', 'key encipherment')+ description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` description: 'KeyUsage specifies valid usage contexts for keys.
@@ -572,10 +946,12 @@
- description: CertificateStatus defines the observed state of Certificate+ description: Status of the Certificate. This is set and managed automatically. + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. description: CertificateCondition contains condition information
@@ -607,9 +983,14 @@
- description: Type of the condition, currently ('Ready').+ description: Type of the condition, known values are ('Ready', + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. nextPrivateKeySecretName:
@@ -621,7 +1002,17 @@
description: The expiration time of the certificate stored in the
- secret named by this resource in spec.secretName.+ secret named by this resource in `spec.secretName`. + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. @@ -641,7 +1032,10 @@
- description: Certificate is a type to represent a Certificate from ACME+ description: "A Certificate resource should be created to ensure an up to + date and signed x509 certificate is stored in the Kubernetes Secret resource + named in `spec.secretName`. \n The stored certificate will be renewed before + it expires (as configured by `spec.renewBefore`)." @@ -657,9 +1051,7 @@
- description: CertificateSpec defines the desired state of Certificate.- A valid Certificate requires at least one of a CommonName, DNSName,+ description: Desired state of the Certificate resource. @@ -672,29 +1064,34 @@
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
- description: DNSNames is a list of subject alt names to be used on+ description: DNSNames is a list of DNS subjectAltNames to be set on - description: Certificate default Duration+ description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If overridden + and `renewBefore` is greater than the actual certificate duration, + the certificate will be automatically renewed 2/3rds of the way + through the certificate's duration. - description: EmailSANs is a list of Email Subject Alternative Names- to be set on this Certificate.+ description: EmailSANs is a list of email subjectAltNames to be set - description: IPAddresses is a list of IP addresses to be used on the+ description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. - description: IsCA will mark this Certificate as valid for signing.- This implies that the 'cert sign' usage is set+ description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the description: IssuerRef is a reference to the issuer for this certificate.
@@ -708,15 +1105,18 @@
+ description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. description: KeyAlgorithm is the private key algorithm of the corresponding
private key for this certificate. If provided, allowed values are
- either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize+ either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for "ecdsa" key algorithm
and key size of 2048 will be used for "rsa" key algorithm.
@@ -735,10 +1135,11 @@
description: KeySize is the key bit size of the corresponding private
- key for this certificate. If provided, value must be between 2048- and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",- and value must be one of (256, 384, 521) when KeyAlgorithm is set+ key for this certificate. If `keyAlgorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not specified. + No other values are allowed. @@ -771,12 +1172,13 @@
- description: The key of the secret to select from. Must+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'+ description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: PKCS12 configures options for storing a PKCS12 keystore
@@ -802,12 +1204,13 @@
- description: The key of the secret to select from. Must+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'+ description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: Options to control private keys used for the Certificate.
@@ -825,11 +1228,402 @@
- description: Certificate renew before expiration duration+ description: The amount of time before the currently issued certificate's + `notAfter` time that cert-manager will begin to attempt to renew + the certificate. If this value is greater than the total duration + of the certificate (i.e. notAfter - notBefore), it will be automatically + renewed 2/3rds of the way through the certificate's duration. - description: SecretName is the name of the secret resource to store+ description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + description: Countries to be used on the Certificate. + description: Cities to be used on the Certificate. + description: Organizational Units to be used on the Certificate. + description: Organizations to be used on the Certificate. + description: Postal codes to be used on the Certificate. + description: State/Provinces to be used on the Certificate. + description: Serial number to be used on the Certificate. + description: Street addresses to be used on the Certificate. + description: URISANs is a list of URI subjectAltNames to be set on + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: Status of the Certificate. This is set and managed automatically. + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + description: CertificateCondition contains condition information + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready', + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + description: "A Certificate resource should be created to ensure an up to + date and signed x509 certificate is stored in the Kubernetes Secret resource + named in `spec.secretName`. \n The stored certificate will be renewed before + it expires (as configured by `spec.renewBefore`)." + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the Certificate resource. + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + description: DNSNames is a list of DNS subjectAltNames to be set on + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If overridden + and `renewBefore` is greater than the actual certificate duration, + the certificate will be automatically renewed 2/3rds of the way + through the certificate's duration. + description: EmailSANs is a list of email subjectAltNames to be set + description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. + description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Options to control private keys used for the Certificate. + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either "rsa" or "ecdsa" If `algorithm` is specified and + `size` is not provided, key size of 256 will be used for "ecdsa" + key algorithm and key size of 2048 will be used for "rsa" key + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and + PKCS#8, respectively. Defaults to PKCS#1 if not specified. + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. No other values are allowed. + description: The amount of time before the currently issued certificate's + `notAfter` time that cert-manager will begin to attempt to renew + the certificate. If this value is greater than the total duration + of the certificate (i.e. notAfter - notBefore), it will be automatically + renewed 2/3rds of the way through the certificate's duration. + description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
@@ -874,15 +1668,15 @@
- description: URISANs is a list of URI Subject Alternative Names to- be set on this Certificate.+ description: URISANs is a list of URI subjectAltNames to be set on - description: Usages is the set of x509 actions that are enabled for- a given key. Defaults are ('digital signature', 'key encipherment')+ description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` description: 'KeyUsage specifies valid usage contexts for keys.
@@ -920,10 +1714,12 @@
- description: CertificateStatus defines the observed state of Certificate+ description: Status of the Certificate. This is set and managed automatically. + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. description: CertificateCondition contains condition information
@@ -955,9 +1751,14 @@
- description: Type of the condition, currently ('Ready').+ description: Type of the condition, known values are ('Ready', + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. nextPrivateKeySecretName:
@@ -969,7 +1770,17 @@
description: The expiration time of the certificate stored in the
- secret named by this resource in spec.secretName.+ secret named by this resource in `spec.secretName`. + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. @@ -997,7 +1808,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'+ helm.sh/chart: 'cert-manager-v0.16.1' additionalPrinterColumns:
- JSONPath: .status.state
@@ -1040,2050 +1851,1116 @@
- description: Challenge is a type to represent a Challenge request with an ACME- description: 'APIVersion defines the versioned schema of this representation- of an object. Servers should convert recognized schemas to the latest- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'- description: 'Kind is a string value representing the REST resource this- object represents. Servers may infer this from the endpoint the client- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'- description: AuthzURL is the URL to the ACME Authorization resource- that this challenge is a part of.- description: DNSName is the identifier that this challenge is for, e.g.- example.com. If the requested DNSName is a 'wildcard', this field- MUST be set to the non-wildcard domain, e.g. for `*.example.com`,- it must be `example.com`.- description: IssuerRef references a properly configured ACME-type Issuer- which should be used to create this Challenge. If the Issuer does- not exist, processing will be retried. If the Issuer is not an 'ACME'- Issuer, an error will be returned and the Challenge will be marked- description: 'Key is the ACME challenge key for this challenge For HTTP01- challenges, this is the value that must be responded with to complete- the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key- from acme server for challenge>`. For DNS01 challenges, this is the- base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key- from acme server for challenge>` text that must be set as the TXT- description: Solver contains the domain solving configuration that should- be used to solve this challenge resource.- description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing- the configuration for ACME-DNS servers- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: ACMEIssuerDNS01ProviderAkamai is a structure containing- the DNS configuration for Akamai DNS—Zone Record Management- - clientSecretSecretRef- - serviceConsumerDomain- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: ACMEIssuerDNS01ProviderAzureDNS is a structure- containing the configuration for Azure DNS- description: if both this and ClientSecret are left unset- description: if both this and ClientID are left unset MSI- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- - AzureUSGovernmentCloud- description: when specifying ClientID and ClientSecret then- this field is also needed- description: ACMEIssuerDNS01ProviderCloudDNS is a structure- containing the DNS configuration for Google Cloud DNS- serviceAccountSecretRef:- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: ACMEIssuerDNS01ProviderCloudflare is a structure- containing the DNS configuration for Cloudflare- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: CNAMEStrategy configures how the DNS01 provider- should handle CNAME records when found in DNS zones.- description: ACMEIssuerDNS01ProviderDigitalOcean is a structure- containing the DNS configuration for DigitalOcean Domains- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing- the configuration for RFC2136 DNS- description: The IP address or hostname of an authoritative- DNS server supporting RFC2136 in the form host:port. If- the host is an IPv6 address it must be enclosed in square- brackets (e.g [2001:db8::1]) ; port is optional. This- description: 'The TSIG Algorithm configured in the DNS supporting- RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName``- are defined. Supported values are (case-insensitive):- ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or- description: The TSIG Key name configured in the DNS. If- ``tsigSecretSecretRef`` is defined, this field is required.- description: The name of the secret containing the TSIG- value. If ``tsigKeyName`` is defined, this field is required.- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: ACMEIssuerDNS01ProviderRoute53 is a structure containing- the Route 53 configuration for AWS- description: 'The AccessKeyID is used for authentication.- If not set we fall-back to using env vars, shared credentials- file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'- description: If set, the provider will manage only this- zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName- description: Always set the region when using AccessKeyID- description: Role is a Role ARN which the Route53 provider- will assume using either the explicit credentials AccessKeyID/SecretAccessKey- or the inferred credentials from environment variables,- shared credentials file or AWS Instance metadata- secretAccessKeySecretRef:- description: The SecretAccessKey is used for authentication.- If not set we fall-back to using env vars, shared credentials- file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: ACMEIssuerDNS01ProviderWebhook specifies configuration- for a webhook DNS01 provider, including where to POST ChallengePayload- description: Additional configuration that should be passed- to the webhook apiserver when challenges are processed.- This can contain arbitrary JSON data. Secret values should- not be specified in this stanza. If secret values are- needed (e.g. credentials for a DNS service), you should- use a SecretKeySelector to reference a Secret resource.- For details on the schema of this field, consult the webhook- provider implementation's documentation.- x-kubernetes-preserve-unknown-fields: true- description: The API group name that should be used when- POSTing ChallengePayload resources to the webhook apiserver.- This should be the same as the GroupName specified in- the webhook provider implementation.- description: The name of the solver to use, as defined in- the webhook provider implementation. This will typically- be the name of the provider, e.g. 'cloudflare'.- description: ACMEChallengeSolverHTTP01 contains configuration detailing- how to solve HTTP01 challenges within a Kubernetes cluster. Typically- this is accomplished through creating 'routes' of some description- that configure ingress controllers to direct traffic to 'solver- pods', which are responsible for responding to the ACME server's- description: The ingress based HTTP01 challenge solver will- solve challenges by creating or modifying Ingress resources- in order to route requests for '/.well-known/acme-challenge/XYZ'- to 'challenge solver' pods that are provisioned by cert-manager- for each Challenge to be completed.- description: The ingress class to use when creating Ingress- resources to solve ACME challenges that use this challenge- solver. Only one of 'class' or 'name' may be specified.- description: Optional ingress template used to configure- the ACME challenge solver ingress used for HTTP01 challenges- description: ObjectMeta overrides for the ingress used- to solve HTTP01 challenges. Only the 'labels' and- 'annotations' fields may be set. If labels or annotations- overlap with in-built values, the values here will- override the in-built values.- description: Annotations that should be added to- the created ACME HTTP01 solver ingress.- description: Labels that should be added to the- created ACME HTTP01 solver ingress.- description: The name of the ingress resource that should- have ACME challenge solving routes inserted into it in- order to solve HTTP01 challenges. This is typically used- in conjunction with ingress controllers like ingress-gce,- which maintains a 1:1 mapping between external IPs and- description: Optional pod template used to configure the- ACME challenge solver pods used for HTTP01 challenges- description: ObjectMeta overrides for the pod used to- solve HTTP01 challenges. Only the 'labels' and 'annotations'- fields may be set. If labels or annotations overlap- with in-built values, the values here will override- description: Annotations that should be added to- the create ACME HTTP01 solver pods.- description: Labels that should be added to the- created ACME HTTP01 solver pods.- description: PodSpec defines overrides for the HTTP01- challenge solver pod. Only the 'nodeSelector', 'affinity'- and 'tolerations' fields are supported currently.- All other fields will be ignored.- description: If specified, the pod's scheduling- description: Describes node affinity scheduling- preferredDuringSchedulingIgnoredDuringExecution:- description: The scheduler will prefer to- schedule pods to nodes that satisfy the- affinity expressions specified by this- field, but it may choose a node that violates- one or more of the expressions. The node- that is most preferred is the one with- the greatest sum of weights, i.e. for- each node that meets all of the scheduling- requirements (resource request, requiredDuringScheduling- affinity expressions, etc.), compute a- sum by iterating through the elements- of this field and adding "weight" to the- sum if the node matches the corresponding- matchExpressions; the node(s) with the- highest sum are the most preferred.- description: An empty preferred scheduling- term matches all objects with implicit- weight 0 (i.e. it's a no-op). A null- preferred scheduling term matches no- objects (i.e. is also a no-op).+ description: Challenge is a type to represent a Challenge request with an + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + description: DNSName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Challenge will + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: 'Key is the ACME challenge key for this challenge For + HTTP01 challenges, this is the value that must be responded with + to complete the HTTP01 challenge in the format: `<private key JWK + thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, + this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key + from acme server for challenge>` text that must be set as the TXT + description: Solver contains the domain solving configuration that + should be used to solve this challenge resource. + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage DNS01 + description: if both this and ClientSecret are left unset + description: if both this and ClientID are left unset + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage DNS01 + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 challenge + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with Cloudflare. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required when + using API key based authentication. + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: Use the DigitalOcean DNS API to manage DNS01 + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 challenge + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + description: Labels that should be added to the + created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity scheduling + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector term, + associated with the corresponding + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Weight associated with + matching the corresponding nodeSelectorTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node.
- description: A node selector term,- associated with the corresponding- description: A list of node selector- requirements by node's labels.- description: A node selector- requirement is a selector- that contains values, a key,- and an operator that relates- description: The label key- that the selector applies- description: Represents- a key's relationship to- operators are In, NotIn,- description: An array of- operator is In or NotIn,- be non-empty. If the operator- is Exists or DoesNotExist,- be empty. If the operator- is Gt or Lt, the values- array must have a single- interpreted as an integer.- during a strategic merge- description: A list of node selector- requirements by node's fields.- description: A node selector- requirement is a selector- that contains values, a key,- and an operator that relates- description: The label key- that the selector applies- description: Represents- a key's relationship to- operators are In, NotIn,- description: An array of- operator is In or NotIn,- be non-empty. If the operator- is Exists or DoesNotExist,- be empty. If the operator- is Gt or Lt, the values- array must have a single- interpreted as an integer.- during a strategic merge- description: Weight associated with- matching the corresponding nodeSelectorTerm,- requiredDuringSchedulingIgnoredDuringExecution:- description: If the affinity requirements- specified by this field are not met at- scheduling time, the pod will not be scheduled- onto the node. If the affinity requirements- specified by this field cease to be met- at some point during pod execution (e.g.- due to an update), the system may or may- not try to eventually evict the pod from- description: Required. A list of node- selector terms. The terms are ORed.- description: A null or empty node- selector term matches no objects.- The requirements of them are ANDed.- The TopologySelectorTerm type implements- a subset of the NodeSelectorTerm.- description: A list of node selector- requirements by node's labels.- description: A node selector- requirement is a selector- that contains values, a key,- and an operator that relates- description: The label key- that the selector applies- description: Represents- a key's relationship to- operators are In, NotIn,- description: An array of- operator is In or NotIn,- be non-empty. If the operator- is Exists or DoesNotExist,- be empty. If the operator- is Gt or Lt, the values- array must have a single- interpreted as an integer.- during a strategic merge- description: A list of node selector- requirements by node's fields.- description: A node selector- requirement is a selector- that contains values, a key,- and an operator that relates- description: The label key- that the selector applies- description: Represents- a key's relationship to- operators are In, NotIn,- description: An array of- operator is In or NotIn,- be non-empty. If the operator- is Exists or DoesNotExist,- be empty. If the operator- is Gt or Lt, the values- array must have a single- interpreted as an integer.- during a strategic merge- description: Describes pod affinity scheduling- rules (e.g. co-locate this pod in the same- node, zone, etc. as some other pod(s)).- preferredDuringSchedulingIgnoredDuringExecution:- description: The scheduler will prefer to- schedule pods to nodes that satisfy the- affinity expressions specified by this- field, but it may choose a node that violates- one or more of the expressions. The node- that is most preferred is the one with- the greatest sum of weights, i.e. for- each node that meets all of the scheduling- requirements (resource request, requiredDuringScheduling- affinity expressions, etc.), compute a- sum by iterating through the elements- of this field and adding "weight" to the- sum if the node has pods which matches- the corresponding podAffinityTerm; the- node(s) with the highest sum are the most- description: The weights of all of the- matched WeightedPodAffinityTerm fields- are added per-node to find the most- description: Required. A pod affinity- term, associated with the corresponding- description: A label query over- a set of resources, in this- description: matchExpressions- is a list of label selector- requirements. The requirements- description: A label selector- requirement is a selector- that relates the key and- values. If the operator- description: matchLabels is- a map of {key,value} pairs.- A single {key,value} in- the matchLabels map is equivalent- to an element of matchExpressions,- whose key field is "key",- the operator is "In", and- the values array contains- only "value". The requirements- description: namespaces specifies- which namespaces the labelSelector- applies to (matches against);- null or empty list means "this- description: This pod should be- co-located (affinity) or not- co-located (anti-affinity) with- the pods matching the labelSelector- in the specified namespaces,- where co-located is defined- as running on a node whose value- of the label with key topologyKey- matches that of any node on- which any of the selected pods- is running. Empty topologyKey- description: weight associated with- matching the corresponding podAffinityTerm,- requiredDuringSchedulingIgnoredDuringExecution:- description: If the affinity requirements- specified by this field are not met at- scheduling time, the pod will not be scheduled- onto the node. If the affinity requirements- specified by this field cease to be met- at some point during pod execution (e.g.- due to a pod label update), the system- may or may not try to eventually evict- the pod from its node. When there are- multiple elements, the lists of nodes- corresponding to each podAffinityTerm- are intersected, i.e. all terms must be- description: Defines a set of pods (namely- those matching the labelSelector relative- to the given namespace(s)) that this- pod should be co-located (affinity)- or not co-located (anti-affinity) with,- where co-located is defined as running- on a node whose value of the label with- key <topologyKey> matches that of any- node on which a pod of the set of pods- description: A label query over a- set of resources, in this case pods.- description: matchExpressions- is a list of label selector- requirements. The requirements- description: A label selector- requirement is a selector- that contains values, a key,- and an operator that relates- description: key is the- label key that the selector- description: operator represents- a key's relationship to- operators are In, NotIn,- Exists and DoesNotExist.- description: values is an- array of string values.- or NotIn, the values array- or DoesNotExist, the values- array must be empty. This- array is replaced during- a strategic merge patch.- description: matchLabels is a- map of {key,value} pairs. A- single {key,value} in the matchLabels- map is equivalent to an element- of matchExpressions, whose key- field is "key", the operator- is "In", and the values array- contains only "value". The requirements- description: namespaces specifies- which namespaces the labelSelector- applies to (matches against); null- or empty list means "this pod's+ description: Required. A list of node + selector terms. The terms are ORed.
- description: This pod should be co-located- (affinity) or not co-located (anti-affinity)- with the pods matching the labelSelector- in the specified namespaces, where- co-located is defined as running- on a node whose value of the label- with key topologyKey matches that- of any node on which any of the- selected pods is running. Empty- topologyKey is not allowed.- description: Describes pod anti-affinity scheduling- rules (e.g. avoid putting this pod in the- same node, zone, etc. as some other pod(s)).- preferredDuringSchedulingIgnoredDuringExecution:- description: The scheduler will prefer to- schedule pods to nodes that satisfy the- anti-affinity expressions specified by- this field, but it may choose a node that- violates one or more of the expressions.- The node that is most preferred is the- one with the greatest sum of weights,- i.e. for each node that meets all of the- scheduling requirements (resource request,- requiredDuringScheduling anti-affinity- expressions, etc.), compute a sum by iterating- through the elements of this field and- adding "weight" to the sum if the node- has pods which matches the corresponding- podAffinityTerm; the node(s) with the- highest sum are the most preferred.- description: The weights of all of the- matched WeightedPodAffinityTerm fields- are added per-node to find the most- description: Required. A pod affinity- term, associated with the corresponding- description: A label query over- a set of resources, in this- description: matchExpressions- is a list of label selector- requirements. The requirements- description: A label selector- requirement is a selector- that relates the key and+ description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single
- values. If the operator- description: matchLabels is- a map of {key,value} pairs.- A single {key,value} in- the matchLabels map is equivalent- to an element of matchExpressions,- whose key field is "key",- the operator is "In", and- the values array contains- only "value". The requirements- description: namespaces specifies- which namespaces the labelSelector- applies to (matches against);- null or empty list means "this- description: This pod should be- co-located (affinity) or not- co-located (anti-affinity) with- the pods matching the labelSelector- in the specified namespaces,- where co-located is defined- as running on a node whose value- of the label with key topologyKey- matches that of any node on- which any of the selected pods- is running. Empty topologyKey- description: weight associated with- matching the corresponding podAffinityTerm,- requiredDuringSchedulingIgnoredDuringExecution:- description: If the anti-affinity requirements- specified by this field are not met at- scheduling time, the pod will not be scheduled- onto the node. If the anti-affinity requirements- specified by this field cease to be met- at some point during pod execution (e.g.- due to a pod label update), the system- may or may not try to eventually evict- the pod from its node. When there are- multiple elements, the lists of nodes- corresponding to each podAffinityTerm- are intersected, i.e. all terms must be- description: Defines a set of pods (namely- those matching the labelSelector relative- to the given namespace(s)) that this- pod should be co-located (affinity)- or not co-located (anti-affinity) with,- where co-located is defined as running- on a node whose value of the label with- key <topologyKey> matches that of any- node on which a pod of the set of pods- description: A label query over a- set of resources, in this case pods.- description: matchExpressions- is a list of label selector- requirements. The requirements- description: A label selector- requirement is a selector- that contains values, a key,- and an operator that relates- description: key is the- label key that the selector- description: operator represents- a key's relationship to- operators are In, NotIn,- Exists and DoesNotExist.- description: values is an- array of string values.- or NotIn, the values array- or DoesNotExist, the values- array must be empty. This- array is replaced during- a strategic merge patch.- description: matchLabels is a- map of {key,value} pairs. A- single {key,value} in the matchLabels- map is equivalent to an element- of matchExpressions, whose key- field is "key", the operator- is "In", and the values array- contains only "value". The requirements- description: namespaces specifies- which namespaces the labelSelector- applies to (matches against); null- or empty list means "this pod's- description: This pod should be co-located- (affinity) or not co-located (anti-affinity)- with the pods matching the labelSelector- in the specified namespaces, where- co-located is defined as running- on a node whose value of the label- with key topologyKey matches that- of any node on which any of the- selected pods is running. Empty- topologyKey is not allowed.- description: 'NodeSelector is a selector which must- be true for the pod to fit on a node. Selector- which must match a node''s labels for the pod- to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'- description: If specified, the pod's tolerations.- description: The pod this Toleration is attached- to tolerates any taint that matches the triple- <key,value,effect> using the matching operator- description: Effect indicates the taint effect- to match. Empty means match all taint effects.- When specified, allowed values are NoSchedule,- PreferNoSchedule and NoExecute.- description: Key is the taint key that the- toleration applies to. Empty means match- all taint keys. If the key is empty, operator- must be Exists; this combination means to- match all values and all keys.- description: Operator represents a key's relationship- to the value. Valid operators are Exists- and Equal. Defaults to Equal. Exists is- equivalent to wildcard for value, so that- a pod can tolerate all taints of a particular- description: TolerationSeconds represents- the period of time the toleration (which- must be of effect NoExecute, otherwise this- field is ignored) tolerates the taint. By- default, it is not set, which means tolerate- the taint forever (do not evict). Zero and- negative values will be treated as 0 (evict- immediately) by the system.- description: Value is the taint value the- toleration matches to. If the operator is- Exists, the value should be empty, otherwise- description: Optional service type for Kubernetes solver- description: Selector selects a set of DNSNames on the Certificate- resource that should be solved using this challenge solver.- description: List of DNSNames that this solver will be used- to solve. If specified and a match is found, a dnsNames selector- will take precedence over a dnsZones selector. If multiple- solvers match with the same dnsNames value, the solver with- the most matching labels in matchLabels will be selected.- If neither has more matches, the solver defined earlier in- the list will be selected.- description: List of DNSZones that this solver will be used- to solve. The most specific DNS zone match specified here- will take precedence over other DNS zone matches, so a solver- specifying sys.example.com will be selected over one specifying- example.com for the domain www.sys.example.com. If multiple- solvers match with the same dnsZones value, the solver with- the most matching labels in matchLabels will be selected.- If neither has more matches, the solver defined earlier in- the list will be selected.- description: A label selector that is used to refine the set- of certificate's that this challenge solver will apply to.- description: Token is the ACME challenge token for this challenge. This- is the raw value returned from the ACME server.- description: Type is the type of ACME challenge this resource represents,- e.g. "dns01" or "http01".- description: URL is the URL of the ACME Challenge resource for this- challenge. This can be used to lookup details about the status of- description: Wildcard will be true if this challenge is for a wildcard- identifier, for example '*.example.com'.- description: Presented will be set to true if the challenge values for- this challenge are currently 'presented'. This *does not* imply the- self check is passing. Only that the values have been 'submitted'- for the appropriate challenge mechanism (i.e. the DNS01 TXT record- has been presented, or the HTTP01 configuration has been configured).- description: Processing is used to denote whether this challenge should- be processed or not. This field will only be set to true by the 'scheduling'- component. It will only be set to false by the 'challenges' controller,- after the challenge has reached a final state or timed out. If this- field is set to false, the challenge controller will not take any- description: Reason contains human readable information on why the Challenge- is in the current state.- description: State contains the current 'state' of the challenge. If- not set, the state of the challenge is unknown.----
-# Source: cert-manager/templates/templates.regular.out-apiVersion: apiextensions.k8s.io/v1beta1-kind: CustomResourceDefinition- name: clusterissuers.cert-manager.io- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'- app.kubernetes.io/name: 'cert-manager'- app.kubernetes.io/instance: 'cert-manager'- app.kubernetes.io/managed-by: 'Helm'- helm.sh/chart: 'cert-manager-v0.15.2'- additionalPrinterColumns:- - JSONPath: .status.conditions[?(@.type=="Ready")].status- - JSONPath: .status.conditions[?(@.type=="Ready")].message- - JSONPath: .metadata.creationTimestamp- description: CreationTimestamp is a timestamp representing the server time when- this object was created. It is not guaranteed to be set in happens-before order- across separate operations. Clients may not set this value. It is represented- in RFC3339 form and is in UTC.- preserveUnknownFields: false- # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.- # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.- namespace: 'cert-manager'- name: 'cert-manager-webhook'- listKind: ClusterIssuerList- singular: clusterissuer- description: 'APIVersion defines the versioned schema of this representation- of an object. Servers should convert recognized schemas to the latest- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'- description: 'Kind is a string value representing the REST resource this- object represents. Servers may infer this from the endpoint the client- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'- description: IssuerSpec is the specification of an Issuer. This includes- any configuration required for the issuer.- description: ACMEIssuer contains the specification for an ACME issuer- description: Email is the email for this account- externalAccountBinding:- description: ExternalAccountBinding is a reference to a CA external- account of the ACME server.- description: keyAlgorithm is the MAC key algorithm that the- key is used for. Valid values are "HS256", "HS384" and "HS512".- description: keyID is the ID of the CA key that the External- description: keySecretRef is a Secret Key Selector referencing- a data item in a Kubernetes Secret which holds the symmetric- MAC key of the External Account Binding. The `key` is the- index string that is paired with the key data in the Secret- and should not be confused with the key data itself, or indeed- with the External Account Binding keyID above. The secret- key stored in the Secret **must** be un-padded, base64 URL- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: PrivateKey is the name of a secret containing the private- key for this user account.- description: The key of the secret to select from. Must be a- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: Server is the ACME server URL- description: If true, skip verifying the ACME server TLS certificate- description: Solvers is a list of challenge solvers that will be- used to solve ACME challenges for the matching domains.- description: ACMEIssuerDNS01ProviderAcmeDNS is a structure- containing the configuration for ACME-DNS servers- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderAkamai is a structure- containing the DNS configuration for Akamai DNS—Zone- - clientSecretSecretRef- - serviceConsumerDomain- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderAzureDNS is a structure- containing the configuration for Azure DNS- description: if both this and ClientSecret are left- description: if both this and ClientID are left unset- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- - AzureUSGovernmentCloud- description: when specifying ClientID and ClientSecret- then this field is also needed- description: ACMEIssuerDNS01ProviderCloudDNS is a structure- containing the DNS configuration for Google Cloud DNS- serviceAccountSecretRef:- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderCloudflare is a structure- containing the DNS configuration for Cloudflare- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: CNAMEStrategy configures how the DNS01 provider- should handle CNAME records when found in DNS zones.- description: ACMEIssuerDNS01ProviderDigitalOcean is a- structure containing the DNS configuration for DigitalOcean- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderRFC2136 is a structure- containing the configuration for RFC2136 DNS- description: The IP address or hostname of an authoritative- DNS server supporting RFC2136 in the form host:port.- If the host is an IPv6 address it must be enclosed- in square brackets (e.g [2001:db8::1]) ; port is- optional. This field is required.- description: 'The TSIG Algorithm configured in the- DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``- and ``tsigKeyName`` are defined. Supported values- are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,- ``HMACSHA256`` or ``HMACSHA512``.'- description: The TSIG Key name configured in the DNS.- If ``tsigSecretSecretRef`` is defined, this field- description: The name of the secret containing the- TSIG value. If ``tsigKeyName`` is defined, this- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderRoute53 is a structure- containing the Route 53 configuration for AWS- description: 'The AccessKeyID is used for authentication.- If not set we fall-back to using env vars, shared- credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'- description: If set, the provider will manage only- this zone in Route53 and will not do an lookup using- the route53:ListHostedZonesByName api call.- description: Always set the region when using AccessKeyID- description: Role is a Role ARN which the Route53- provider will assume using either the explicit credentials- AccessKeyID/SecretAccessKey or the inferred credentials- from environment variables, shared credentials file- or AWS Instance metadata- secretAccessKeySecretRef:- description: The SecretAccessKey is used for authentication.- If not set we fall-back to using env vars, shared- credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderWebhook specifies- configuration for a webhook DNS01 provider, including- where to POST ChallengePayload resources.- description: Additional configuration that should- be passed to the webhook apiserver when challenges- are processed. This can contain arbitrary JSON data.- Secret values should not be specified in this stanza.- If secret values are needed (e.g. credentials for- a DNS service), you should use a SecretKeySelector- to reference a Secret resource. For details on the- schema of this field, consult the webhook provider- implementation's documentation.- x-kubernetes-preserve-unknown-fields: true- description: The API group name that should be used- when POSTing ChallengePayload resources to the webhook- apiserver. This should be the same as the GroupName- specified in the webhook provider implementation.- description: The name of the solver to use, as defined- in the webhook provider implementation. This will- typically be the name of the provider, e.g. 'cloudflare'.- description: ACMEChallengeSolverHTTP01 contains configuration- detailing how to solve HTTP01 challenges within a Kubernetes- cluster. Typically this is accomplished through creating- 'routes' of some description that configure ingress controllers- to direct traffic to 'solver pods', which are responsible- for responding to the ACME server's HTTP requests.- description: The ingress based HTTP01 challenge solver- will solve challenges by creating or modifying Ingress- resources in order to route requests for '/.well-known/acme-challenge/XYZ'- to 'challenge solver' pods that are provisioned by cert-manager- for each Challenge to be completed.- description: The ingress class to use when creating- Ingress resources to solve ACME challenges that- use this challenge solver. Only one of 'class' or- 'name' may be specified.- description: Optional ingress template used to configure- the ACME challenge solver ingress used for HTTP01- description: ObjectMeta overrides for the ingress- used to solve HTTP01 challenges. Only the 'labels'- and 'annotations' fields may be set. If labels- or annotations overlap with in-built values,- the values here will override the in-built values.- description: Annotations that should be added- to the created ACME HTTP01 solver ingress.- description: Labels that should be added to- the created ACME HTTP01 solver ingress.- description: The name of the ingress resource that- should have ACME challenge solving routes inserted- into it in order to solve HTTP01 challenges. This- is typically used in conjunction with ingress controllers- like ingress-gce, which maintains a 1:1 mapping- between external IPs and ingress resources.- description: Optional pod template used to configure- the ACME challenge solver pods used for HTTP01 challenges- description: ObjectMeta overrides for the pod- used to solve HTTP01 challenges. Only the 'labels'- and 'annotations' fields may be set. If labels- or annotations overlap with in-built values,- the values here will override the in-built values.- description: Annotations that should be added- to the create ACME HTTP01 solver pods.- description: Labels that should be added to- the created ACME HTTP01 solver pods.- description: PodSpec defines overrides for the- HTTP01 challenge solver pod. Only the 'nodeSelector',- 'affinity' and 'tolerations' fields are supported- currently. All other fields will be ignored.- description: If specified, the pod's scheduling+ description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)).
- description: Describes node affinity scheduling- preferredDuringSchedulingIgnoredDuringExecution:- description: The scheduler will prefer- to schedule pods to nodes that satisfy- the affinity expressions specified- by this field, but it may choose- a node that violates one or more- of the expressions. The node that- is most preferred is the one with- the greatest sum of weights, i.e.- for each node that meets all of- the scheduling requirements (resource- request, requiredDuringScheduling- affinity expressions, etc.), compute- a sum by iterating through the elements- of this field and adding "weight"- to the sum if the node matches the- corresponding matchExpressions;- the node(s) with the highest sum- are the most preferred.- description: An empty preferred- scheduling term matches all objects- with implicit weight 0 (i.e. it's- a no-op). A null preferred scheduling- term matches no objects (i.e.+ preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding
- description: A node selector- term, associated with the+ description: A label query over + a set of resources, in this - description: A list of node+ description: matchExpressions + is a list of label selector + requirements. The requirements - description: A node selector+ description: A label selector + requirement is a selector + values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector requirement is a selector
@@ -3095,193 +2972,1205 @@
- description: Represents- is Exists or DoesNotExist,- which will be interpreted- description: A list of node- description: A node selector- requirement is a selector- description: Represents+ values. If the operator is Exists or DoesNotExist,
- which will be interpreted- description: Weight associated- with matching the corresponding- nodeSelectorTerm, in the range- requiredDuringSchedulingIgnoredDuringExecution:- description: If the affinity requirements- specified by this field are not- met at scheduling time, the pod- will not be scheduled onto the node.- If the affinity requirements specified- by this field cease to be met at- some point during pod execution- (e.g. due to an update), the system- may or may not try to eventually- evict the pod from its node.- description: Required. A list- of node selector terms. The- description: A null or empty- node selector term matches- no objects. The requirements- of them are ANDed. The TopologySelectorTerm- type implements a subset of+ description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + <key,value,effect> using the matching operator + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + description: Optional service type for Kubernetes solver + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + description: Token is the ACME challenge token for this challenge. + This is the raw value returned from the ACME server. + description: Type is the type of ACME challenge this resource represents. + One of "http-01" or "dns-01". + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + description: Presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the + 'scheduling' component. It will only be set to false by the 'challenges' + controller, after the challenge has reached a final state or timed + out. If this field is set to false, the challenge controller will + not take any more action. + description: Reason contains human readable information on why the + Challenge is in the current state. + description: State contains the current 'state' of the challenge. + If not set, the state of the challenge is unknown. + description: Challenge is a type to represent a Challenge request with an + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + description: DNSName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Challenge will + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: 'Key is the ACME challenge key for this challenge For + HTTP01 challenges, this is the value that must be responded with + to complete the HTTP01 challenge in the format: `<private key JWK + thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, + this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key + from acme server for challenge>` text that must be set as the TXT + description: Solver contains the domain solving configuration that + should be used to solve this challenge resource. + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage DNS01 + description: if both this and ClientSecret are left unset + description: if both this and ClientID are left unset + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage DNS01 + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 challenge + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with Cloudflare. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required when + using API key based authentication. + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: Use the DigitalOcean DNS API to manage DNS01 + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1])Â ; port is optional. + This field is required. + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 challenge + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + description: Labels that should be added to the + created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity scheduling + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector term, + associated with the corresponding + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Weight associated with + matching the corresponding nodeSelectorTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + description: Required. A list of node + selector terms. The terms are ORed. + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding + description: A label query over + a set of resources, in this - description: A list of node+ description: matchExpressions + is a list of label selector + requirements. The requirements - description: A node selector- requirement is a selector- description: Represents- is Exists or DoesNotExist,- which will be interpreted- description: A list of node- description: A node selector+ description: A label selector requirement is a selector
@@ -3293,226 +4182,1708 @@
- description: Represents+ values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + values. If the operator is Exists or DoesNotExist,
- which will be interpreted- description: Describes pod affinity scheduling- rules (e.g. co-locate this pod in the- same node, zone, etc. as some other+ description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + <key,value,effect> using the matching operator + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + description: Optional service type for Kubernetes solver + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + description: Token is the ACME challenge token for this challenge. + This is the raw value returned from the ACME server. + description: Type is the type of ACME challenge this resource represents. + One of "http-01" or "dns-01". + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + description: Presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the + 'scheduling' component. It will only be set to false by the 'challenges' + controller, after the challenge has reached a final state or timed + out. If this field is set to false, the challenge controller will + not take any more action. + description: Reason contains human readable information on why the + Challenge is in the current state. + description: State contains the current 'state' of the challenge. + If not set, the state of the challenge is unknown. + description: Challenge is a type to represent a Challenge request with an + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: The URL to the ACME Authorization resource that this + challenge is a part of. + description: dnsName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + description: References a properly configured ACME-type Issuer which + should be used to create this Challenge. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: 'The ACME challenge key for this challenge For HTTP01 + challenges, this is the value that must be responded with to complete + the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key + from acme server for challenge>`. For DNS01 challenges, this is + the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key + from acme server for challenge>` text that must be set as the TXT + description: Contains the domain solving configuration that should + be used to solve this challenge resource. + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage DNS01 + description: if both this and ClientSecret are left unset + description: if both this and ClientID are left unset + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage DNS01 + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 challenge + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with Cloudflare. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required when + using API key based authentication. + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: Use the DigitalOcean DNS API to manage DNS01 + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1])Â ; port is optional. + This field is required. + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 challenge + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + description: Labels that should be added to the + created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity scheduling + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector term, + associated with the corresponding + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Weight associated with + matching the corresponding nodeSelectorTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. - preferredDuringSchedulingIgnoredDuringExecution:- description: The scheduler will prefer- to schedule pods to nodes that satisfy- the affinity expressions specified- by this field, but it may choose- a node that violates one or more- of the expressions. The node that- is most preferred is the one with- the greatest sum of weights, i.e.- for each node that meets all of- the scheduling requirements (resource- request, requiredDuringScheduling- affinity expressions, etc.), compute- a sum by iterating through the elements- of this field and adding "weight"- to the sum if the node has pods- which matches the corresponding- podAffinityTerm; the node(s) with- the highest sum are the most preferred.+ description: Required. A list of node + selector terms. The terms are ORed. - description: The weights of all- of the matched WeightedPodAffinityTerm- fields are added per-node to find- the most preferred node(s)+ description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding
- description: Required. A pod- affinity term, associated- with the corresponding weight.+ description: A label query over + a set of resources, in this
- description: A label query- over a set of resources,- description: matchExpressions- description: matchLabels- is a map of {key,value}- pairs. A single {key,value}- to an element of matchExpressions,- is "In", and the values- "value". The requirements- description: namespaces- specifies which namespaces- the labelSelector applies- null or empty list means+ description: matchExpressions + is a list of label selector + requirements. The requirements
- description: This pod should- be co-located (affinity)- or not co-located (anti-affinity)- the labelSelector in the- where co-located is defined- as running on a node whose- value of the label with- key topologyKey matches- that of any node on which- any of the selected pods- is running. Empty topologyKey- description: weight associated- with matching the corresponding- podAffinityTerm, in the range- requiredDuringSchedulingIgnoredDuringExecution:- description: If the affinity requirements- specified by this field are not- met at scheduling time, the pod- will not be scheduled onto the node.- If the affinity requirements specified- by this field cease to be met at- some point during pod execution- (e.g. due to a pod label update),- the system may or may not try to- eventually evict the pod from its- node. When there are multiple elements,- the lists of nodes corresponding- to each podAffinityTerm are intersected,- i.e. all terms must be satisfied.- description: Defines a set of pods- (namely those matching the labelSelector- relative to the given namespace(s))- that this pod should be co-located- (affinity) or not co-located (anti-affinity)- with, where co-located is defined- as running on a node whose value- of the label with key <topologyKey>- matches that of any node on which- a pod of the set of pods is running+ description: A label selector + requirement is a selector + values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding @@ -3612,638 +5983,6105 @@
running. Empty topologyKey
- description: Describes pod anti-affinity- scheduling rules (e.g. avoid putting- this pod in the same node, zone, etc.- preferredDuringSchedulingIgnoredDuringExecution:- description: The scheduler will prefer- to schedule pods to nodes that satisfy- the anti-affinity expressions specified- by this field, but it may choose- a node that violates one or more- of the expressions. The node that- is most preferred is the one with- the greatest sum of weights, i.e.- for each node that meets all of- the scheduling requirements (resource- request, requiredDuringScheduling- anti-affinity expressions, etc.),- compute a sum by iterating through- the elements of this field and adding- "weight" to the sum if the node- has pods which matches the corresponding- podAffinityTerm; the node(s) with- the highest sum are the most preferred.- description: The weights of all- of the matched WeightedPodAffinityTerm- fields are added per-node to find- the most preferred node(s)+ description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + <key,value,effect> using the matching operator + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + description: Optional service type for Kubernetes solver + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + description: The ACME challenge token for this challenge. This is + the raw value returned from the ACME server. + description: The type of ACME challenge this resource represents. + One of "HTTP-01" or "DNS-01". + description: The URL of the ACME Challenge resource for this challenge. + This can be used to lookup details about the status of this challenge. + description: wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + description: presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + description: Used to denote whether this challenge should be processed + or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + description: Contains human readable information on why the Challenge + is in the current state. + description: Contains the current 'state' of the challenge. If not + set, the state of the challenge is unknown. +# Source: cert-manager/templates/templates.regular.out +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + name: clusterissuers.cert-manager.io + cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + app.kubernetes.io/managed-by: 'Helm' + helm.sh/chart: 'cert-manager-v0.16.1' + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + - JSONPath: .status.conditions[?(@.type=="Ready")].message + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + preserveUnknownFields: false + # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. + namespace: 'cert-manager' + name: 'cert-manager-webhook' + listKind: ClusterIssuerList + singular: clusterissuer + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the ClusterIssuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the
- description: Required. A pod- affinity term, associated- with the corresponding weight.- description: A label query- over a set of resources,- description: matchExpressions+ description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist,
- description: matchLabels- is a map of {key,value}- pairs. A single {key,value}- to an element of matchExpressions,- is "In", and the values- "value". The requirements+ node selector requirements
- description: namespaces- specifies which namespaces- the labelSelector applies- null or empty list means- description: This pod should- be co-located (affinity)- or not co-located (anti-affinity)- the labelSelector in the- where co-located is defined- as running on a node whose- value of the label with- key topologyKey matches- that of any node on which- any of the selected pods- is running. Empty topologyKey+ description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means
- description: weight associated- with matching the corresponding- podAffinityTerm, in the range- requiredDuringSchedulingIgnoredDuringExecution:- description: If the anti-affinity- requirements specified by this field- are not met at scheduling time,- the pod will not be scheduled onto- the node. If the anti-affinity requirements- specified by this field cease to- be met at some point during pod- execution (e.g. due to a pod label- update), the system may or may not- try to eventually evict the pod- from its node. When there are multiple- elements, the lists of nodes corresponding- to each podAffinityTerm are intersected,- i.e. all terms must be satisfied.- description: Defines a set of pods- (namely those matching the labelSelector- relative to the given namespace(s))- that this pod should be co-located- (affinity) or not co-located (anti-affinity)- with, where co-located is defined- as running on a node whose value- of the label with key <topologyKey>- matches that of any node on which- a pod of the set of pods is running- description: A label query over- a set of resources, in this- description: matchExpressions- is a list of label selector- requirements. The requirements- description: A label selector- requirement is a selector+ description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources,
- values. If the operator- is Exists or DoesNotExist,+ description: matchExpressions
- description: matchLabels- is a map of {key,value}- pairs. A single {key,value}- is equivalent to an element- of matchExpressions, whose- key field is "key", the- the values array contains- only "value". The requirements- description: namespaces specifies- which namespaces the labelSelector- applies to (matches against);- null or empty list means "this+ description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey
- description: This pod should- be co-located (affinity) or- not co-located (anti-affinity)- with the pods matching the- labelSelector in the specified- namespaces, where co-located- is defined as running on a- node whose value of the label- with key topologyKey matches- that of any node on which- any of the selected pods is- running. Empty topologyKey- description: 'NodeSelector is a selector which- must be true for the pod to fit on a node.- Selector which must match a node''s labels- for the pod to be scheduled on that node.- More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'- description: If specified, the pod's tolerations.- description: The pod this Toleration is- attached to tolerates any taint that matches- the triple <key,value,effect> using the- matching operator <operator>.+ description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the ClusterIssuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready'). + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the ClusterIssuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling
- description: Effect indicates the taint- effect to match. Empty means match- all taint effects. When specified,- allowed values are NoSchedule, PreferNoSchedule- description: Key is the taint key that- the toleration applies to. Empty means- match all taint keys. If the key is- empty, operator must be Exists; this- combination means to match all values- description: Operator represents a key's- relationship to the value. Valid operators- are Exists and Equal. Defaults to- Equal. Exists is equivalent to wildcard- for value, so that a pod can tolerate- all taints of a particular category.- description: TolerationSeconds represents- the period of time the toleration- (which must be of effect NoExecute,- otherwise this field is ignored) tolerates- the taint. By default, it is not set,- which means tolerate the taint forever- (do not evict). Zero and negative- values will be treated as 0 (evict- immediately) by the system.- description: Value is the taint value- the toleration matches to. If the- operator is Exists, the value should- be empty, otherwise just a regular- description: Optional service type for Kubernetes- description: Selector selects a set of DNSNames on the Certificate- resource that should be solved using this challenge solver.- description: List of DNSNames that this solver will be- used to solve. If specified and a match is found, a- dnsNames selector will take precedence over a dnsZones- selector. If multiple solvers match with the same dnsNames- value, the solver with the most matching labels in matchLabels- will be selected. If neither has more matches, the solver- defined earlier in the list will be selected.- description: List of DNSZones that this solver will be- used to solve. The most specific DNS zone match specified- here will take precedence over other DNS zone matches,- so a solver specifying sys.example.com will be selected- over one specifying example.com for the domain www.sys.example.com.- If multiple solvers match with the same dnsZones value,- the solver with the most matching labels in matchLabels- will be selected. If neither has more matches, the solver- defined earlier in the list will be selected.- description: A label selector that is used to refine the- set of certificate's that this challenge solver will+ description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app
- description: The CRL distribution points is an X.509 v3 certificate- extension which identifies the location of the CRL from which- the revocation of this certificate can be checked. If not set- certificate will be issued without CDP. Values are strings.- description: SecretName is the name of the secret used to sign Certificates- description: The CRL distribution points is an X.509 v3 certificate- extension which identifies the location of the CRL from which- the revocation of this certificate can be checked. If not set- certificate will be issued without CDP. Values are strings.- description: Vault authentication- description: This Secret contains a AppRole and Secret- description: Where the authentication path is mounted in- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: This contains a Role and Secret with a ServiceAccount- token to authenticate with vault.- description: The Vault mountPath here is the mount path- to use when authenticating with Vault. For example, setting- a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`- to authenticate with Vault. If unspecified, the default- value "/v1/auth/kubernetes" will be used.- description: A required field containing the Vault Role- to assume. A Role binds a Kubernetes ServiceAccount with- a set of Vault policies.- description: The required Secret field containing a Kubernetes- ServiceAccount JWT used for authenticating with Vault.- Use of 'ambient credentials' is not supported.- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: This Secret contains the Vault token key- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: Base64 encoded CA bundle to validate Vault server certificate.- Only used if the Server URL is using HTTPS protocol. This parameter- is ignored for plain HTTP protocol connection. If not set the- system root certificates are used to validate the TLS connection.- description: Vault URL path to the certificate role- description: Server is the vault connection address- description: VenafiIssuer describes issuer configuration details for- description: Cloud specifies the Venafi cloud configuration settings.- Only one of TPP or Cloud may be specified.+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the ClusterIssuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for
- description: APITokenSecretRef is a secret key selector for- the Venafi Cloud API token.+ description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready'). + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the ClusterIssuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be
- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: URL is the base URL for Venafi Cloud- description: TPP specifies Trust Protection Platform configuration- settings. Only one of TPP or Cloud may be specified.+ description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the ClusterIssuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for
- description: CABundle is a PEM encoded TLS certificate to use- to verify connections to the TPP instance. If specified, system- roots will not be used and the issuing CA for the TPP instance- must be verifiable using the provided root. If not specified,- the connection will be verified using the cert-manager system- description: CredentialsRef is a reference to a Secret containing- the username and password for the TPP server. The secret must- contain two keys, 'username' and 'password'.- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: URL is the base URL for the Venafi TPP instance- description: Zone is the Venafi Policy Zone to use for this issuer.- All requests made to the Venafi platform will be restricted by- the named zone policy. This field is required.- description: IssuerStatus contains status information about an Issuer- description: LastRegisteredEmail is the email associated with the- latest registered ACME account, in order to track changes made- to registered account associated with the Issuer- description: URI is the unique account identifier, which can also- be used to retrieve account details from the CA- description: IssuerCondition contains condition information for an- description: LastTransitionTime is the timestamp corresponding- to the last status change of this condition.- description: Message is a human readable description of the details- of the last transition, complementing reason.- description: Reason is a brief machine readable explanation for- the condition's last transition.- description: Status of the condition, one of ('True', 'False',- description: Type of the condition, currently ('Ready').+ description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready'). # Source: cert-manager/templates/templates.regular.out
apiVersion: apiextensions.k8s.io/v1beta1
@@ -4257,7 +12095,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'+ helm.sh/chart: 'cert-manager-v0.16.1' additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@@ -4297,1760 +12135,5774 @@
+ description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the Issuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the Issuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready').
- description: 'APIVersion defines the versioned schema of this representation- of an object. Servers should convert recognized schemas to the latest- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'- description: 'Kind is a string value representing the REST resource this- object represents. Servers may infer this from the endpoint the client- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'- description: IssuerSpec is the specification of an Issuer. This includes- any configuration required for the issuer.- description: ACMEIssuer contains the specification for an ACME issuer- description: Email is the email for this account- externalAccountBinding:- description: ExternalAccountBinding is a reference to a CA external- account of the ACME server.- description: keyAlgorithm is the MAC key algorithm that the- key is used for. Valid values are "HS256", "HS384" and "HS512".- description: keyID is the ID of the CA key that the External- description: keySecretRef is a Secret Key Selector referencing- a data item in a Kubernetes Secret which holds the symmetric- MAC key of the External Account Binding. The `key` is the- index string that is paired with the key data in the Secret- and should not be confused with the key data itself, or indeed- with the External Account Binding keyID above. The secret- key stored in the Secret **must** be un-padded, base64 URL- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: PrivateKey is the name of a secret containing the private- key for this user account.- description: The key of the secret to select from. Must be a- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: Server is the ACME server URL- description: If true, skip verifying the ACME server TLS certificate- description: Solvers is a list of challenge solvers that will be- used to solve ACME challenges for the matching domains.+ description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the Issuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used.
- description: ACMEIssuerDNS01ProviderAcmeDNS is a structure- containing the configuration for ACME-DNS servers- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderAkamai is a structure- containing the DNS configuration for Akamai DNS—Zone- - clientSecretSecretRef- - serviceConsumerDomain- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderAzureDNS is a structure- containing the configuration for Azure DNS- description: if both this and ClientSecret are left- description: if both this and ClientID are left unset- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- - AzureUSGovernmentCloud- description: when specifying ClientID and ClientSecret- then this field is also needed- description: ACMEIssuerDNS01ProviderCloudDNS is a structure- containing the DNS configuration for Google Cloud DNS- serviceAccountSecretRef:- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderCloudflare is a structure- containing the DNS configuration for Cloudflare- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: CNAMEStrategy configures how the DNS01 provider- should handle CNAME records when found in DNS zones.- description: ACMEIssuerDNS01ProviderDigitalOcean is a- structure containing the DNS configuration for DigitalOcean- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderRFC2136 is a structure- containing the configuration for RFC2136 DNS- description: The IP address or hostname of an authoritative- DNS server supporting RFC2136 in the form host:port.- If the host is an IPv6 address it must be enclosed- in square brackets (e.g [2001:db8::1]) ; port is- optional. This field is required.- description: 'The TSIG Algorithm configured in the- DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``- and ``tsigKeyName`` are defined. Supported values- are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,- ``HMACSHA256`` or ``HMACSHA512``.'- description: The TSIG Key name configured in the DNS.- If ``tsigSecretSecretRef`` is defined, this field- description: The name of the secret containing the- TSIG value. If ``tsigKeyName`` is defined, this- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderRoute53 is a structure- containing the Route 53 configuration for AWS- description: 'The AccessKeyID is used for authentication.- If not set we fall-back to using env vars, shared- credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'- description: If set, the provider will manage only- this zone in Route53 and will not do an lookup using- the route53:ListHostedZonesByName api call.- description: Always set the region when using AccessKeyID- description: Role is a Role ARN which the Route53- provider will assume using either the explicit credentials- AccessKeyID/SecretAccessKey or the inferred credentials- from environment variables, shared credentials file- or AWS Instance metadata- secretAccessKeySecretRef:- description: The SecretAccessKey is used for authentication.- If not set we fall-back to using env vars, shared- credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind,- description: ACMEIssuerDNS01ProviderWebhook specifies- configuration for a webhook DNS01 provider, including- where to POST ChallengePayload resources.- description: Additional configuration that should- be passed to the webhook apiserver when challenges- are processed. This can contain arbitrary JSON data.- Secret values should not be specified in this stanza.- If secret values are needed (e.g. credentials for- a DNS service), you should use a SecretKeySelector- to reference a Secret resource. For details on the- schema of this field, consult the webhook provider- implementation's documentation.- x-kubernetes-preserve-unknown-fields: true- description: The API group name that should be used- when POSTing ChallengePayload resources to the webhook- apiserver. This should be the same as the GroupName- specified in the webhook provider implementation.- description: The name of the solver to use, as defined- in the webhook provider implementation. This will- typically be the name of the provider, e.g. 'cloudflare'.- description: ACMEChallengeSolverHTTP01 contains configuration- detailing how to solve HTTP01 challenges within a Kubernetes- cluster. Typically this is accomplished through creating- 'routes' of some description that configure ingress controllers- to direct traffic to 'solver pods', which are responsible- for responding to the ACME server's HTTP requests.- description: The ingress based HTTP01 challenge solver- will solve challenges by creating or modifying Ingress- resources in order to route requests for '/.well-known/acme-challenge/XYZ'- to 'challenge solver' pods that are provisioned by cert-manager- for each Challenge to be completed.- description: The ingress class to use when creating- Ingress resources to solve ACME challenges that- use this challenge solver. Only one of 'class' or- 'name' may be specified.- description: Optional ingress template used to configure- the ACME challenge solver ingress used for HTTP01- description: ObjectMeta overrides for the ingress- used to solve HTTP01 challenges. Only the 'labels'- and 'annotations' fields may be set. If labels- or annotations overlap with in-built values,- the values here will override the in-built values.- description: Annotations that should be added- to the created ACME HTTP01 solver ingress.- description: Labels that should be added to- the created ACME HTTP01 solver ingress.- description: The name of the ingress resource that- should have ACME challenge solving routes inserted- into it in order to solve HTTP01 challenges. This- is typically used in conjunction with ingress controllers- like ingress-gce, which maintains a 1:1 mapping- between external IPs and ingress resources.- description: Optional pod template used to configure- the ACME challenge solver pods used for HTTP01 challenges- description: ObjectMeta overrides for the pod- used to solve HTTP01 challenges. Only the 'labels'- and 'annotations' fields may be set. If labels- or annotations overlap with in-built values,- the values here will override the in-built values.- description: Annotations that should be added- to the create ACME HTTP01 solver pods.- description: Labels that should be added to- the created ACME HTTP01 solver pods.- description: PodSpec defines overrides for the- HTTP01 challenge solver pod. Only the 'nodeSelector',- 'affinity' and 'tolerations' fields are supported- currently. All other fields will be ignored.- description: If specified, the pod's scheduling- description: Describes node affinity scheduling- preferredDuringSchedulingIgnoredDuringExecution:- description: The scheduler will prefer- to schedule pods to nodes that satisfy- the affinity expressions specified- by this field, but it may choose- a node that violates one or more- of the expressions. The node that- is most preferred is the one with- the greatest sum of weights, i.e.- for each node that meets all of- the scheduling requirements (resource- request, requiredDuringScheduling- affinity expressions, etc.), compute- a sum by iterating through the elements- of this field and adding "weight"- to the sum if the node matches the- corresponding matchExpressions;- the node(s) with the highest sum- are the most preferred.- description: An empty preferred- scheduling term matches all objects- with implicit weight 0 (i.e. it's- a no-op). A null preferred scheduling- term matches no objects (i.e.- description: A node selector- term, associated with the- description: A list of node- description: A node selector- requirement is a selector- description: Represents- is Exists or DoesNotExist,- which will be interpreted- description: A list of node- description: A node selector- requirement is a selector- description: Represents- is Exists or DoesNotExist,- which will be interpreted- description: Weight associated- with matching the corresponding- nodeSelectorTerm, in the range- requiredDuringSchedulingIgnoredDuringExecution:- description: If the affinity requirements- specified by this field are not- met at scheduling time, the pod- will not be scheduled onto the node.- If the affinity requirements specified- by this field cease to be met at- some point during pod execution- (e.g. due to an update), the system- may or may not try to eventually- evict the pod from its node.- description: Required. A list- of node selector terms. The- description: A null or empty- node selector term matches- no objects. The requirements- of them are ANDed. The TopologySelectorTerm- type implements a subset of- description: A list of node- description: A node selector- requirement is a selector- description: Represents- is Exists or DoesNotExist,- which will be interpreted- description: A list of node- description: A node selector- requirement is a selector- description: Represents- is Exists or DoesNotExist,- which will be interpreted- description: Describes pod affinity scheduling- rules (e.g. co-locate this pod in the- same node, zone, etc. as some other- preferredDuringSchedulingIgnoredDuringExecution:- description: The scheduler will prefer- to schedule pods to nodes that satisfy- the affinity expressions specified- by this field, but it may choose- a node that violates one or more- of the expressions. The node that- is most preferred is the one with- the greatest sum of weights, i.e.- for each node that meets all of- the scheduling requirements (resource- request, requiredDuringScheduling- affinity expressions, etc.), compute- a sum by iterating through the elements- of this field and adding "weight"- to the sum if the node has pods- which matches the corresponding- podAffinityTerm; the node(s) with- the highest sum are the most preferred.- description: The weights of all- of the matched WeightedPodAffinityTerm- fields are added per-node to find- the most preferred node(s)+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the
- description: Required. A pod- affinity term, associated- with the corresponding weight.- description: A label query- over a set of resources,- description: matchExpressions+ description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist,
- description: matchLabels- is a map of {key,value}- pairs. A single {key,value}- to an element of matchExpressions,- is "In", and the values- "value". The requirements+ node selector requirements
- description: namespaces- specifies which namespaces- the labelSelector applies- null or empty list means- description: This pod should- be co-located (affinity)- or not co-located (anti-affinity)- the labelSelector in the- where co-located is defined- as running on a node whose- value of the label with- key topologyKey matches- that of any node on which- any of the selected pods- is running. Empty topologyKey+ description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means
- description: weight associated- with matching the corresponding- podAffinityTerm, in the range- requiredDuringSchedulingIgnoredDuringExecution:- description: If the affinity requirements- specified by this field are not- met at scheduling time, the pod- will not be scheduled onto the node.- If the affinity requirements specified- by this field cease to be met at- some point during pod execution- (e.g. due to a pod label update),- the system may or may not try to- eventually evict the pod from its- node. When there are multiple elements,- the lists of nodes corresponding- to each podAffinityTerm are intersected,- i.e. all terms must be satisfied.- description: Defines a set of pods- (namely those matching the labelSelector- relative to the given namespace(s))- that this pod should be co-located- (affinity) or not co-located (anti-affinity)- with, where co-located is defined- as running on a node whose value- of the label with key <topologyKey>- matches that of any node on which- a pod of the set of pods is running- description: A label query over- a set of resources, in this- description: matchExpressions- is a list of label selector- requirements. The requirements- description: A label selector- requirement is a selector+ description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources,
- values. If the operator- is Exists or DoesNotExist,+ description: matchExpressions
- description: matchLabels- is a map of {key,value}- pairs. A single {key,value}- is equivalent to an element- of matchExpressions, whose- key field is "key", the- the values array contains- only "value". The requirements- description: namespaces specifies- which namespaces the labelSelector- applies to (matches against);- null or empty list means "this+ description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey
- description: This pod should- be co-located (affinity) or- not co-located (anti-affinity)- with the pods matching the- labelSelector in the specified- namespaces, where co-located- is defined as running on a- node whose value of the label- with key topologyKey matches- that of any node on which- any of the selected pods is- running. Empty topologyKey- description: Describes pod anti-affinity- scheduling rules (e.g. avoid putting- this pod in the same node, zone, etc.+ description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. - preferredDuringSchedulingIgnoredDuringExecution:- description: The scheduler will prefer- to schedule pods to nodes that satisfy- the anti-affinity expressions specified- by this field, but it may choose- a node that violates one or more- of the expressions. The node that- is most preferred is the one with- the greatest sum of weights, i.e.- for each node that meets all of- the scheduling requirements (resource- request, requiredDuringScheduling- anti-affinity expressions, etc.),- compute a sum by iterating through- the elements of this field and adding- "weight" to the sum if the node- has pods which matches the corresponding- podAffinityTerm; the node(s) with- the highest sum are the most preferred.- description: The weights of all- of the matched WeightedPodAffinityTerm- fields are added per-node to find- the most preferred node(s)- description: Required. A pod- affinity term, associated- with the corresponding weight.- description: A label query- over a set of resources,- description: matchExpressions+ description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the Issuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready'). + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the Issuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist,
- description: matchLabels- is a map of {key,value}- pairs. A single {key,value}- to an element of matchExpressions,- is "In", and the values- "value". The requirements+ node selector requirements
- description: namespaces- specifies which namespaces- the labelSelector applies- null or empty list means- description: This pod should- be co-located (affinity)- or not co-located (anti-affinity)- the labelSelector in the- where co-located is defined- as running on a node whose- value of the label with- key topologyKey matches- that of any node on which- any of the selected pods- is running. Empty topologyKey- description: weight associated- with matching the corresponding- podAffinityTerm, in the range- requiredDuringSchedulingIgnoredDuringExecution:- description: If the anti-affinity- requirements specified by this field- are not met at scheduling time,- the pod will not be scheduled onto- the node. If the anti-affinity requirements- specified by this field cease to- be met at some point during pod- execution (e.g. due to a pod label- update), the system may or may not- try to eventually evict the pod- from its node. When there are multiple- elements, the lists of nodes corresponding- to each podAffinityTerm are intersected,- i.e. all terms must be satisfied.- description: Defines a set of pods- (namely those matching the labelSelector- relative to the given namespace(s))- that this pod should be co-located- (affinity) or not co-located (anti-affinity)- with, where co-located is defined- as running on a node whose value- of the label with key <topologyKey>- matches that of any node on which- a pod of the set of pods is running+ description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the
- description: A label query over- a set of resources, in this- description: matchExpressions- is a list of label selector- requirements. The requirements- description: A label selector- requirement is a selector- values. If the operator- is Exists or DoesNotExist,- description: matchLabels- is a map of {key,value}- pairs. A single {key,value}- is equivalent to an element- of matchExpressions, whose- key field is "key", the- the values array contains- only "value". The requirements- description: namespaces specifies- which namespaces the labelSelector- applies to (matches against);- null or empty list means "this+ description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey
- description: This pod should- be co-located (affinity) or- not co-located (anti-affinity)- with the pods matching the- labelSelector in the specified- namespaces, where co-located- is defined as running on a- node whose value of the label- with key topologyKey matches- that of any node on which- any of the selected pods is- running. Empty topologyKey- description: 'NodeSelector is a selector which- must be true for the pod to fit on a node.- Selector which must match a node''s labels- for the pod to be scheduled on that node.- More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'- description: If specified, the pod's tolerations.- description: The pod this Toleration is- attached to tolerates any taint that matches- the triple <key,value,effect> using the- matching operator <operator>.+ description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- description: Effect indicates the taint- effect to match. Empty means match- all taint effects. When specified,- allowed values are NoSchedule, PreferNoSchedule- description: Key is the taint key that- the toleration applies to. Empty means- match all taint keys. If the key is- empty, operator must be Exists; this- combination means to match all values- description: Operator represents a key's- relationship to the value. Valid operators- are Exists and Equal. Defaults to- Equal. Exists is equivalent to wildcard- for value, so that a pod can tolerate- all taints of a particular category.- description: TolerationSeconds represents- the period of time the toleration- (which must be of effect NoExecute,- otherwise this field is ignored) tolerates- the taint. By default, it is not set,- which means tolerate the taint forever- (do not evict). Zero and negative- values will be treated as 0 (evict- immediately) by the system.- description: Value is the taint value- the toleration matches to. If the- operator is Exists, the value should- be empty, otherwise just a regular- description: Optional service type for Kubernetes- description: Selector selects a set of DNSNames on the Certificate- resource that should be solved using this challenge solver.- description: List of DNSNames that this solver will be- used to solve. If specified and a match is found, a- dnsNames selector will take precedence over a dnsZones- selector. If multiple solvers match with the same dnsNames- value, the solver with the most matching labels in matchLabels- will be selected. If neither has more matches, the solver- defined earlier in the list will be selected.- description: List of DNSZones that this solver will be- used to solve. The most specific DNS zone match specified- here will take precedence over other DNS zone matches,- so a solver specifying sys.example.com will be selected- over one specifying example.com for the domain www.sys.example.com.- If multiple solvers match with the same dnsZones value,- the solver with the most matching labels in matchLabels- will be selected. If neither has more matches, the solver- defined earlier in the list will be selected.- description: A label selector that is used to refine the- set of certificate's that this challenge solver will+ description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app
- description: The CRL distribution points is an X.509 v3 certificate- extension which identifies the location of the CRL from which- the revocation of this certificate can be checked. If not set- certificate will be issued without CDP. Values are strings.- description: SecretName is the name of the secret used to sign Certificates- description: The CRL distribution points is an X.509 v3 certificate- extension which identifies the location of the CRL from which- the revocation of this certificate can be checked. If not set- certificate will be issued without CDP. Values are strings.- description: Vault authentication- description: This Secret contains a AppRole and Secret- description: Where the authentication path is mounted in- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: This contains a Role and Secret with a ServiceAccount- token to authenticate with vault.- description: The Vault mountPath here is the mount path- to use when authenticating with Vault. For example, setting- a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`- to authenticate with Vault. If unspecified, the default- value "/v1/auth/kubernetes" will be used.- description: A required field containing the Vault Role- to assume. A Role binds a Kubernetes ServiceAccount with- a set of Vault policies.- description: The required Secret field containing a Kubernetes- ServiceAccount JWT used for authenticating with Vault.- Use of 'ambient credentials' is not supported.- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: This Secret contains the Vault token key- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: Base64 encoded CA bundle to validate Vault server certificate.- Only used if the Server URL is using HTTPS protocol. This parameter- is ignored for plain HTTP protocol connection. If not set the- system root certificates are used to validate the TLS connection.- description: Vault URL path to the certificate role- description: Server is the vault connection address- description: VenafiIssuer describes issuer configuration details for- description: Cloud specifies the Venafi cloud configuration settings.- Only one of TPP or Cloud may be specified.+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the Issuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for
- description: APITokenSecretRef is a secret key selector for- the Venafi Cloud API token.- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: URL is the base URL for Venafi Cloud- description: TPP specifies Trust Protection Platform configuration- settings. Only one of TPP or Cloud may be specified.- description: CABundle is a PEM encoded TLS certificate to use- to verify connections to the TPP instance. If specified, system- roots will not be used and the issuing CA for the TPP instance- must be verifiable using the provided root. If not specified,- the connection will be verified using the cert-manager system- description: CredentialsRef is a reference to a Secret containing- the username and password for the TPP server. The secret must- contain two keys, 'username' and 'password'.- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?'- description: URL is the base URL for the Venafi TPP instance- description: Zone is the Venafi Policy Zone to use for this issuer.- All requests made to the Venafi platform will be restricted by- the named zone policy. This field is required.- description: IssuerStatus contains status information about an Issuer- description: LastRegisteredEmail is the email associated with the- latest registered ACME account, in order to track changes made- to registered account associated with the Issuer- description: URI is the unique account identifier, which can also- be used to retrieve account details from the CA- description: IssuerCondition contains condition information for an- description: LastTransitionTime is the timestamp corresponding- to the last status change of this condition.- description: Message is a human readable description of the details- of the last transition, complementing reason.- description: Reason is a brief machine readable explanation for- the condition's last transition.- description: Status of the condition, one of ('True', 'False',- description: Type of the condition, currently ('Ready').+ description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready'). # Source: cert-manager/templates/templates.regular.out
apiVersion: apiextensions.k8s.io/v1beta1
@@ -6064,7 +17916,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'+ helm.sh/chart: 'cert-manager-v0.16.1' additionalPrinterColumns:
- JSONPath: .status.state
@@ -6108,189 +17960,565 @@
+ description: Order is a type to represent an Order with an ACME server + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames`. + This field must match the corresponding field on the DER encoded + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR. + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + description: Identifier is the DNS name to be validated as part + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + description: URL is the URL of the Authorization that must be + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + description: Reason optionally provides more information about a why + the order is in the current state. + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set.
- description: Order is a type to represent an Order with an ACME server- description: 'APIVersion defines the versioned schema of this representation- of an object. Servers should convert recognized schemas to the latest- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'- description: 'Kind is a string value representing the REST resource this- object represents. Servers may infer this from the endpoint the client- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'- description: CommonName is the common name as specified on the DER encoded- CSR. If CommonName is not specified, the first DNSName specified will- be used as the CommonName. At least one of CommonName or a DNSNames- must be set. This field must match the corresponding field on the- description: Certificate signing request bytes in DER encoding. This- will be used when finalizing the order. This field must be set on- description: DNSNames is a list of DNS names that should be included- as part of the Order validation process. If CommonName is not specified,- the first DNSName specified will be used as the CommonName. At least- one of CommonName or a DNSNames must be set. This field must match- the corresponding field on the DER encoded CSR.- description: IssuerRef references a properly configured ACME-type Issuer- which should be used to create this Order. If the Issuer does not- exist, processing will be retried. If the Issuer is not an 'ACME'- Issuer, an error will be returned and the Order will be marked as+ description: Order is a type to represent an Order with an ACME server + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames`. + This field must match the corresponding field on the DER encoded + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR.
- description: Authorizations contains data returned from the ACME server- on what authorizations must be completed in order to validate the- DNS names specified on the Order.- description: ACMEAuthorization contains data returned from the ACME- server on an authorization that must be completed in order validate- a DNS name on an ACME Order resource.+ description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be
- description: Challenges specifies the challenge types offered- by the ACME server. One of these challenge types will be selected- when validating the DNS name and an appropriate Challenge resource- will be created to perform the ACME challenge process.- description: Challenge specifies a challenge offered by the- ACME server for an Order. An appropriate Challenge resource- can be created to perform the ACME challenge process.- description: Token is the token that must be presented for- this challenge. This is used to compute the 'key' that- must also be presented.- description: Type is the type of challenge being offered,- description: URL is the URL of this challenge. It can be- used to retrieve additional metadata about the Challenge- description: Identifier is the DNS name to be validated as part- description: InitialState is the initial state of the ACME authorization- when first fetched from the ACME server. If an Authorization- is already 'valid', the Order controller will not create a Challenge- resource for the authorization. This will occur when working- with an ACME server that enables 'authz reuse' (such as Let's- Encrypt's production endpoint). If not set and 'identifier'- is set, the state is assumed to be pending and a Challenge will- description: URL is the URL of the Authorization that must be- description: Wildcard will be true if this authorization is for- a wildcard DNS name. If this is true, the identifier will be- the *non-wildcard* version of the DNS name. For example, if- '*.example.com' is the DNS name being validated, this field- will be 'true' and the 'identifier' field will be 'example.com'.- description: Certificate is a copy of the PEM encoded certificate for- this Order. This field will be populated after the order has been- successfully finalized with the ACME server, and the order has transitioned- description: FailureTime stores the time that this order failed. This- is used to influence garbage collection and back-off.- description: FinalizeURL of the Order. This is used to obtain certificates- for this order once it has been completed.- description: Reason optionally provides more information about a why- the order is in the current state.- description: State contains the current state of this Order resource.- States 'success' and 'expired' are 'final'- description: URL of the Order. This will initially be empty when the- resource is first created. The Order controller will populate this- field when the Order is first processed. This field will be immutable- after it is initially set.+ description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + description: Identifier is the DNS name to be validated as part + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + description: URL is the URL of the Authorization that must be + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + description: Reason optionally provides more information about a why + the order is in the current state. + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + description: Order is a type to represent an Order with an ACME server + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames`. + This field must match the corresponding field on the DER encoded + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR. + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + description: Identifier is the DNS name to be validated as part + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + description: URL is the URL of the Authorization that must be + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + description: Reason optionally provides more information about a why + the order is in the current state. + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. @@ -6309,7 +18537,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 # Source: cert-manager/templates/serviceaccount.yaml
@@ -6323,7 +18551,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 # Source: cert-manager/templates/webhook-serviceaccount.yaml
@@ -6337,7 +18565,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 # Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6350,7 +18578,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 - apiGroups: ["cert-manager.io"]
resources: ["certificates"]
@@ -6375,6 +18603,96 @@
verbs: ["get", "list", "watch", "update"]
# Source: cert-manager/templates/rbac.yaml
+# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 + name: cert-manager-controller-issuers + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.16.1 + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + - apiGroups: ["cert-manager.io"] + verbs: ["get", "list", "watch"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + verbs: ["create", "patch"] +# Source: cert-manager/templates/rbac.yaml +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 + name: cert-manager-controller-clusterissuers + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.16.1 + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + verbs: ["create", "patch"] +# Source: cert-manager/templates/rbac.yaml +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 + name: cert-manager-controller-certificates + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.16.1 + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + - apiGroups: ["acme.cert-manager.io"] + verbs: ["create", "delete", "get", "list", "watch"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + verbs: ["create", "patch"] +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6386,7 +18704,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 - apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
@@ -6414,59 +18732,6 @@
verbs: ["create", "patch"]
# Source: cert-manager/templates/rbac.yaml
-# ingress-shim controller role-apiVersion: rbac.authorization.k8s.io/v1beta1- name: cert-manager-controller-ingress-shim- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Helm- app.kubernetes.io/component: "controller"- helm.sh/chart: cert-manager-v0.15.2- - apiGroups: ["cert-manager.io"]- resources: ["certificates", "certificaterequests"]- verbs: ["create", "update", "delete"]- - apiGroups: ["cert-manager.io"]- resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]- verbs: ["get", "list", "watch"]- - apiGroups: ["extensions"]- resources: ["ingresses"]- verbs: ["get", "list", "watch"]- # We require these rules to support users with the OwnerReferencesPermissionEnforcement- # admission controller enabled:- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement- - apiGroups: ["extensions"]- resources: ["ingresses/finalizers"]- verbs: ["create", "patch"]----
-# Source: cert-manager/templates/rbac.yaml-apiVersion: rbac.authorization.k8s.io/v1- name: cert-manager-view- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Helm- app.kubernetes.io/component: "controller"- helm.sh/chart: cert-manager-v0.15.2- rbac.authorization.k8s.io/aggregate-to-view: "true"- rbac.authorization.k8s.io/aggregate-to-edit: "true"- rbac.authorization.k8s.io/aggregate-to-admin: "true"- - apiGroups: ["cert-manager.io"]- resources: ["certificates", "certificaterequests", "issuers"]- verbs: ["get", "list", "watch"]----
-# Source: cert-manager/templates/rbac.yaml # Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6478,7 +18743,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 # Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
@@ -6525,58 +18790,57 @@
verbs: ["get", "list", "watch"]
# Source: cert-manager/templates/rbac.yaml
-# Issuer controller role+# ingress-shim controller role apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-issuers+ name: cert-manager-controller-ingress-shim app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 - apiGroups: ["cert-manager.io"]
- resources: ["issuers", "issuers/status"]+ resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["ingresses"] verbs: ["get", "list", "watch"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["extensions"] + resources: ["ingresses/finalizers"] verbs: ["create", "patch"]
# Source: cert-manager/templates/rbac.yaml
-# ClusterIssuer controller role-apiVersion: rbac.authorization.k8s.io/v1beta1+apiVersion: rbac.authorization.k8s.io/v1 - name: cert-manager-controller-clusterissuers+ name: cert-manager-view app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" - apiGroups: ["cert-manager.io"]
- resources: ["clusterissuers", "clusterissuers/status"]- - apiGroups: ["cert-manager.io"]- resources: ["clusterissuers"]+ resources: ["certificates", "certificaterequests", "issuers"] verbs: ["get", "list", "watch"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]- verbs: ["create", "patch"] # Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -6589,7 +18853,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -6597,42 +18861,6 @@
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
-# Source: cert-manager/templates/rbac.yaml-# Certificates controller role-apiVersion: rbac.authorization.k8s.io/v1beta1- name: cert-manager-controller-certificates- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Helm- app.kubernetes.io/component: "controller"- helm.sh/chart: cert-manager-v0.15.2- - apiGroups: ["cert-manager.io"]- resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]- - apiGroups: ["cert-manager.io"]- resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]- verbs: ["get", "list", "watch"]- # We require these rules to support users with the OwnerReferencesPermissionEnforcement- # admission controller enabled:- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement- - apiGroups: ["cert-manager.io"]- resources: ["certificates/finalizers", "certificaterequests/finalizers"]- - apiGroups: ["acme.cert-manager.io"]- verbs: ["create", "delete", "get", "list", "watch"]- verbs: ["get", "list", "watch", "create", "update", "delete"]- verbs: ["create", "patch"]----
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6644,7 +18872,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 apiGroup: rbac.authorization.k8s.io
@@ -6658,18 +18886,18 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-certificates+ name: cert-manager-controller-issuers app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-certificates+ name: cert-manager-controller-issuers namespace: "cert-manager"
@@ -6686,7 +18914,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 apiGroup: rbac.authorization.k8s.io
@@ -6700,6 +18928,48 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-certificates + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.16.1 + apiGroup: rbac.authorization.k8s.io + name: cert-manager-controller-certificates + namespace: "cert-manager" +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding + name: cert-manager-controller-orders + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v0.16.1 + apiGroup: rbac.authorization.k8s.io + name: cert-manager-controller-orders + namespace: "cert-manager" +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding name: cert-manager-controller-challenges
@@ -6707,7 +18977,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 apiGroup: rbac.authorization.k8s.io
@@ -6728,7 +18998,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 apiGroup: rbac.authorization.k8s.io
@@ -6738,48 +19008,6 @@
namespace: "cert-manager"
-# Source: cert-manager/templates/rbac.yaml-apiVersion: rbac.authorization.k8s.io/v1beta1-kind: ClusterRoleBinding- name: cert-manager-controller-orders- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Helm- app.kubernetes.io/component: "controller"- helm.sh/chart: cert-manager-v0.15.2- apiGroup: rbac.authorization.k8s.io- name: cert-manager-controller-orders- namespace: "cert-manager"----
-# Source: cert-manager/templates/rbac.yaml-apiVersion: rbac.authorization.k8s.io/v1beta1-kind: ClusterRoleBinding- name: cert-manager-controller-issuers- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Helm- app.kubernetes.io/component: "controller"- helm.sh/chart: cert-manager-v0.15.2- apiGroup: rbac.authorization.k8s.io- name: cert-manager-controller-issuers- namespace: "cert-manager"----
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6793,7 +19021,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 # Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
@@ -6820,7 +19048,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 # Used for leader election by the controller
@@ -6843,7 +19071,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 @@ -6869,7 +19097,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 apiGroup: rbac.authorization.k8s.io
@@ -6893,7 +19121,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 apiGroup: rbac.authorization.k8s.io
@@ -6916,7 +19144,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 apiGroup: rbac.authorization.k8s.io
@@ -6939,7 +19167,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 @@ -6963,7 +19191,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 @@ -6987,7 +19215,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 @@ -7003,12 +19231,12 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 serviceAccountName: cert-manager-cainjector
- image: "quay.io/jetstack/cert-manager-cainjector:v0.15.2"+ image: "quay.io/jetstack/cert-manager-cainjector:v0.16.1" imagePullPolicy: IfNotPresent
@@ -7033,7 +19261,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 @@ -7049,7 +19277,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
@@ -7058,7 +19286,7 @@
serviceAccountName: cert-manager
- image: "quay.io/jetstack/cert-manager-controller:v0.15.2"+ image: "quay.io/jetstack/cert-manager-controller:v0.16.1" imagePullPolicy: IfNotPresent
@@ -7087,7 +19315,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 @@ -7103,17 +19331,17 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 serviceAccountName: cert-manager-webhook
- image: "quay.io/jetstack/cert-manager-webhook:v0.15.2"+ image: "quay.io/jetstack/cert-manager-webhook:v0.16.1" imagePullPolicy: IfNotPresent
- - --dynamic-serving-ca-secret-namespace=cert-manager+ - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
@@ -7152,7 +19380,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
@@ -7162,8 +19390,7 @@
@@ -7189,7 +19416,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2+ helm.sh/chart: cert-manager-v0.16.1 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
@@ -7209,8 +19436,7 @@
