--- a/10-cert-manager.yaml Sat Nov 21 02:19:20 2020 -0600
+++ b/10-cert-manager.yaml Sat Nov 21 02:19:48 2020 -0600
@@ -1,4 +1,4 @@
-# This is the official 0.15.2 cert-manager.yaml manifest
+# This is the official 0.16.1 cert-manager.yaml manifest
 # from https://github.com/jetstack/cert-manager/releases. No changes, aside
# from this header have been made.
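Review bot: The header claims nothing but this comment differs from the upstream 0.16.1 release manifest, yet the file records nothing a reviewer could use to verify that against the artifact actually downloaded. Add the exact release asset URL and its digest beside the version, e.g. `# sha256: <sha256sum of cert-manager.yaml as downloaded from the v0.16.1 release>`, so the next bump can be diffed against a known-good artifact instead of trusted on the comment alone. The CRDs further down are still declared as `apiVersion: apiextensions.k8s.io/v1beta1` (a context line in the next hunk), an API that is deprecated and removed in Kubernetes 1.22; if upstream publishes more than one manifest variant for this release, the header should also state which one was vendored — I cannot tell from here.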
@@ -30,7 +30,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'
+ helm.sh/chart: 'cert-manager-v0.16.1'
 additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@@ -77,157 +77,512 @@
+ description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a 'one-shot' resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the CertificateRequest resource. + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a + ClusterIssuer with the provided name will be used. The 'name' field + in this stanza is required at all times. 
The group field refers + to the API group of the issuer which defaults to 'cert-manager.io' + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: Status of the CertificateRequest. This is set and managed + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. 
+ description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready', + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off.
- description: CertificateRequest is a type to represent a Certificate Signing
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- description: CertificateRequestSpec defines the desired state of CertificateRequest
- description: Byte slice containing the PEM encoded CertificateSigningRequest
- description: Requested certificate default Duration
- description: IsCA will mark the resulting certificate as valid for signing.
- This implies that the 'cert sign' usage is set
- description: IssuerRef is a reference to the issuer for this CertificateRequest. If
- the 'kind' field is not set, or set to 'Issuer', an Issuer resource
- with the given name in the same namespace as the CertificateRequest
- will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
- with the provided name will be used. The 'name' field in this stanza
- is required at all times. The group field refers to the API group
- of the issuer which defaults to 'cert-manager.io' if empty.
- description: Usages is the set of x509 actions that are enabled for
- a given key. Defaults are ('digital signature', 'key encipherment')
- description: 'KeyUsage specifies valid usage contexts for keys. See:
- https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
- Valid KeyUsage values are as follows: "signing", "digital signature",
- "content commitment", "key encipherment", "key agreement", "data
- encipherment", "cert sign", "crl sign", "encipher only", "decipher
- only", "any", "server auth", "client auth", "code signing", "email
- protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
- user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
- description: CertificateStatus defines the observed state of CertificateRequest
- and resulting signed certificate.
- description: Byte slice containing the PEM encoded certificate authority
- of the signed certificate.
- description: Byte slice containing a PEM encoded signed certificate
- resulting from the given certificate signing request.
- description: CertificateRequestCondition contains condition information
- for a CertificateRequest.
+ description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a 'one-shot' resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the CertificateRequest resource. + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a + ClusterIssuer with the provided name will be used. The 'name' field + in this stanza is required at all times. 
The group field refers + to the API group of the issuer which defaults to 'cert-manager.io'
- description: LastTransitionTime is the timestamp corresponding
- to the last status change of this condition.
- description: Message is a human readable description of the details
- of the last transition, complementing reason.
- description: Reason is a brief machine readable explanation for
- the condition's last transition.
- description: Status of the condition, one of ('True', 'False',
- description: Type of the condition, currently ('Ready', 'InvalidRequest').
- description: FailureTime stores the time that this CertificateRequest
- failed. This is used to influence garbage collection and back-off.
+ description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: Status of the CertificateRequest. This is set and managed + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. 
+ description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready', + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a 'one-shot' resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the CertificateRequest resource. + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + description: IssuerRef is a reference to the issuer for this CertificateRequest. 
If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a + ClusterIssuer with the provided name will be used. The 'name' field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to 'cert-manager.io' + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: Status of the CertificateRequest. This is set and managed + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. 
+ description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready', + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. # Source: cert-manager/templates/templates.regular.out
apiVersion: apiextensions.k8s.io/v1beta1
@@ -241,7 +596,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'
+ helm.sh/chart: 'cert-manager-v0.16.1'
 additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@@ -293,7 +648,10 @@
- description: Certificate is a type to represent a Certificate from ACME
+ description: "A Certificate resource should be created to ensure an up to + date and signed x509 certificate is stored in the Kubernetes Secret resource + named in `spec.secretName`. \n The stored certificate will be renewed before + it expires (as configured by `spec.renewBefore`)." @@ -309,9 +667,7 @@
- description: CertificateSpec defines the desired state of Certificate.
- A valid Certificate requires at least one of a CommonName, DNSName,
+ description: Desired state of the Certificate resource. @@ -324,29 +680,34 @@
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
- description: DNSNames is a list of subject alt names to be used on
+ description: DNSNames is a list of DNS subjectAltNames to be set on - description: Certificate default Duration
+ description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If overridden + and `renewBefore` is greater than the actual certificate duration, + the certificate will be automatically renewed 2/3rds of the way + through the certificate's duration. - description: EmailSANs is a list of Email Subject Alternative Names
- to be set on this Certificate.
+ description: EmailSANs is a list of email subjectAltNames to be set - description: IPAddresses is a list of IP addresses to be used on the
+ description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. - description: IsCA will mark this Certificate as valid for signing.
- This implies that the 'cert sign' usage is set
+ description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the description: IssuerRef is a reference to the issuer for this certificate.
@@ -360,15 +721,18 @@
+ description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. description: KeyAlgorithm is the private key algorithm of the corresponding
private key for this certificate. If provided, allowed values are
- either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
+ either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for "ecdsa" key algorithm
and key size of 2048 will be used for "rsa" key algorithm.
@@ -387,10 +751,11 @@
description: KeySize is the key bit size of the corresponding private
- key for this certificate. If provided, value must be between 2048
- and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
- and value must be one of (256, 384, 521) when KeyAlgorithm is set
+ key for this certificate. If `keyAlgorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not specified. + No other values are allowed. @@ -423,12 +788,13 @@
- description: The key of the secret to select from. Must
+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: PKCS12 configures options for storing a PKCS12 keystore
@@ -454,15 +820,17 @@
- description: The key of the secret to select from. Must
+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - description: Organization is the organization to be used on the Certificate
+ description: Organization is a list of organizations to be used on @@ -482,11 +850,17 @@
- description: Certificate renew before expiration duration
+ description: The amount of time before the currently issued certificate's + `notAfter` time that cert-manager will begin to attempt to renew + the certificate. If this value is greater than the total duration + of the certificate (i.e. notAfter - notBefore), it will be automatically + renewed 2/3rds of the way through the certificate's duration. - description: SecretName is the name of the secret resource to store
+ description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
@@ -526,15 +900,15 @@
- description: URISANs is a list of URI Subject Alternative Names to
- be set on this Certificate.
+ description: URISANs is a list of URI subjectAltNames to be set on - description: Usages is the set of x509 actions that are enabled for
- a given key. Defaults are ('digital signature', 'key encipherment')
+ description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` description: 'KeyUsage specifies valid usage contexts for keys.
@@ -572,10 +946,12 @@
- description: CertificateStatus defines the observed state of Certificate
+ description: Status of the Certificate. This is set and managed automatically. + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. description: CertificateCondition contains condition information
@@ -607,9 +983,14 @@
- description: Type of the condition, currently ('Ready').
+ description: Type of the condition, known values are ('Ready', + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. nextPrivateKeySecretName:
@@ -621,7 +1002,17 @@
description: The expiration time of the certificate stored in the
- secret named by this resource in spec.secretName.
+ secret named by this resource in `spec.secretName`. + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. @@ -641,7 +1032,10 @@
- description: Certificate is a type to represent a Certificate from ACME
+ description: "A Certificate resource should be created to ensure an up to + date and signed x509 certificate is stored in the Kubernetes Secret resource + named in `spec.secretName`. \n The stored certificate will be renewed before + it expires (as configured by `spec.renewBefore`)." @@ -657,9 +1051,7 @@
- description: CertificateSpec defines the desired state of Certificate.
- A valid Certificate requires at least one of a CommonName, DNSName,
+ description: Desired state of the Certificate resource. @@ -672,29 +1064,34 @@
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
- description: DNSNames is a list of subject alt names to be used on
+ description: DNSNames is a list of DNS subjectAltNames to be set on - description: Certificate default Duration
+ description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If overridden + and `renewBefore` is greater than the actual certificate duration, + the certificate will be automatically renewed 2/3rds of the way + through the certificate's duration. - description: EmailSANs is a list of Email Subject Alternative Names
- to be set on this Certificate.
+ description: EmailSANs is a list of email subjectAltNames to be set - description: IPAddresses is a list of IP addresses to be used on the
+ description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. - description: IsCA will mark this Certificate as valid for signing.
- This implies that the 'cert sign' usage is set
+ description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the description: IssuerRef is a reference to the issuer for this certificate.
@@ -708,15 +1105,18 @@
+ description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. description: KeyAlgorithm is the private key algorithm of the corresponding
private key for this certificate. If provided, allowed values are
- either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
+ either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize` is not provided, key size of 256 will be used for "ecdsa" key algorithm
and key size of 2048 will be used for "rsa" key algorithm.
@@ -735,10 +1135,11 @@
description: KeySize is the key bit size of the corresponding private
- key for this certificate. If provided, value must be between 2048
- and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
- and value must be one of (256, 384, 521) when KeyAlgorithm is set
+ key for this certificate. If `keyAlgorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not specified. + No other values are allowed. @@ -771,12 +1172,13 @@
- description: The key of the secret to select from. Must
+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: PKCS12 configures options for storing a PKCS12 keystore
@@ -802,12 +1204,13 @@
- description: The key of the secret to select from. Must
+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' description: Options to control private keys used for the Certificate.
@@ -825,11 +1228,402 @@
- description: Certificate renew before expiration duration
+ description: The amount of time before the currently issued certificate's + `notAfter` time that cert-manager will begin to attempt to renew + the certificate. If this value is greater than the total duration + of the certificate (i.e. notAfter - notBefore), it will be automatically + renewed 2/3rds of the way through the certificate's duration. - description: SecretName is the name of the secret resource to store
+ description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + description: Countries to be used on the Certificate. + description: Cities to be used on the Certificate. + description: Organizational Units to be used on the Certificate. + description: Organizations to be used on the Certificate. + description: Postal codes to be used on the Certificate. + description: State/Provinces to be used on the Certificate. + description: Serial number to be used on the Certificate. + description: Street addresses to be used on the Certificate. + description: URISANs is a list of URI subjectAltNames to be set on + description: Usages is the set of x509 usages that are requested for + the certificate. Defaults to `digital signature` and `key encipherment` + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: Status of the Certificate. This is set and managed automatically. + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + description: CertificateCondition contains condition information + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. 
+ description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready', + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. 
\n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + description: "A Certificate resource should be created to ensure an up to + date and signed x509 certificate is stored in the Kubernetes Secret resource + named in `spec.secretName`. \n The stored certificate will be renewed before + it expires (as configured by `spec.renewBefore`)." + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the Certificate resource. + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + description: DNSNames is a list of DNS subjectAltNames to be set on + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If overridden + and `renewBefore` is greater than the actual certificate duration, + the certificate will be automatically renewed 2/3rds of the way + through the certificate's duration. 
+ description: EmailSANs is a list of email subjectAltNames to be set + description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. + description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. 
+ description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Options to control private keys used for the Certificate. + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either "rsa" or "ecdsa" If `algorithm` is specified and + `size` is not provided, key size of 256 will be used for "ecdsa" + key algorithm and key size of 2048 will be used for "rsa" key + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and + PKCS#8, respectively. Defaults to PKCS#1 if not specified. + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. 
Default is 'Never' for backward + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. No other values are allowed. + description: The amount of time before the currently issued certificate's + `notAfter` time that cert-manager will begin to attempt to renew + the certificate. If this value is greater than the total duration + of the certificate (i.e. notAfter - notBefore), it will be automatically + renewed 2/3rds of the way through the certificate's duration. + description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
@@ -874,15 +1668,15 @@
- description: URISANs is a list of URI Subject Alternative Names to
- be set on this Certificate.
+ description: URISANs is a list of URI subjectAltNames to be set on
- description: Usages is the set of x509 actions that are enabled for
- a given key. Defaults are ('digital signature', 'key encipherment')
+ description: Usages is the set of x509 usages that are requested for
+ the certificate. Defaults to `digital signature` and `key encipherment`
 description: 'KeyUsage specifies valid usage contexts for keys.
@@ -920,10 +1714,12 @@
- description: CertificateStatus defines the observed state of Certificate
+ description: Status of the Certificate. This is set and managed automatically.
+ description: List of status conditions to indicate the status of certificates.
+ Known condition types are `Ready` and `Issuing`.
 description: CertificateCondition contains condition information
@@ -955,9 +1751,14 @@
- description: Type of the condition, currently ('Ready').
+ description: Type of the condition, known values are ('Ready',
+ description: LastFailureTime is the time as recorded by the Certificate
+ controller of the most recent failure to complete a CertificateRequest
+ for this Certificate resource. If set, cert-manager will not re-request
+ another Certificate until 1 hour has elapsed from this time.
 nextPrivateKeySecretName:
@@ -969,7 +1770,17 @@
description: The expiration time of the certificate stored in the
- secret named by this resource in spec.secretName.
+ secret named by this resource in `spec.secretName`.
+ description: The time after which the certificate stored in the secret
+ named by this resource in spec.secretName is valid.
+ description: RenewalTime is the time at which the certificate will
+ be next renewed. If not set, no upcoming renewal is scheduled.
@@ -997,7 +1808,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'
+ helm.sh/chart: 'cert-manager-v0.16.1'
 additionalPrinterColumns:
- JSONPath: .status.state
@@ -1040,2050 +1851,1116 @@
- description: Challenge is a type to represent a Challenge request with an ACME
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- description: AuthzURL is the URL to the ACME Authorization resource
- that this challenge is a part of.
- description: DNSName is the identifier that this challenge is for, e.g.
- example.com. If the requested DNSName is a 'wildcard', this field
- MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
- it must be `example.com`.
- description: IssuerRef references a properly configured ACME-type Issuer
- which should be used to create this Challenge. If the Issuer does
- not exist, processing will be retried. If the Issuer is not an 'ACME'
- Issuer, an error will be returned and the Challenge will be marked
- description: 'Key is the ACME challenge key for this challenge For HTTP01
- challenges, this is the value that must be responded with to complete
- the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
- from acme server for challenge>`. For DNS01 challenges, this is the
- base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
- from acme server for challenge>` text that must be set as the TXT
- description: Solver contains the domain solving configuration that should
- be used to solve this challenge resource.
- description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing
- the configuration for ACME-DNS servers
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: ACMEIssuerDNS01ProviderAkamai is a structure containing
- the DNS configuration for Akamai DNS—Zone Record Management
- - clientSecretSecretRef
- - serviceConsumerDomain
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: ACMEIssuerDNS01ProviderAzureDNS is a structure
- containing the configuration for Azure DNS
- description: if both this and ClientSecret are left unset
- description: if both this and ClientID are left unset MSI
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- - AzureUSGovernmentCloud
- description: when specifying ClientID and ClientSecret then
- this field is also needed
- description: ACMEIssuerDNS01ProviderCloudDNS is a structure
- containing the DNS configuration for Google Cloud DNS
- serviceAccountSecretRef:
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: ACMEIssuerDNS01ProviderCloudflare is a structure
- containing the DNS configuration for Cloudflare
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: CNAMEStrategy configures how the DNS01 provider
- should handle CNAME records when found in DNS zones.
- description: ACMEIssuerDNS01ProviderDigitalOcean is a structure
- containing the DNS configuration for DigitalOcean Domains
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing
- the configuration for RFC2136 DNS
- description: The IP address or hostname of an authoritative
- DNS server supporting RFC2136 in the form host:port. If
- the host is an IPv6 address it must be enclosed in square
- brackets (e.g [2001:db8::1])Â ; port is optional. This
- description: 'The TSIG Algorithm configured in the DNS supporting
- RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName``
- are defined. Supported values are (case-insensitive):
- ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or
- description: The TSIG Key name configured in the DNS. If
- ``tsigSecretSecretRef`` is defined, this field is required.
- description: The name of the secret containing the TSIG
- value. If ``tsigKeyName`` is defined, this field is required.
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: ACMEIssuerDNS01ProviderRoute53 is a structure containing
- the Route 53 configuration for AWS
- description: 'The AccessKeyID is used for authentication.
- If not set we fall-back to using env vars, shared credentials
- file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- description: If set, the provider will manage only this
- zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName
- description: Always set the region when using AccessKeyID
- description: Role is a Role ARN which the Route53 provider
- will assume using either the explicit credentials AccessKeyID/SecretAccessKey
- or the inferred credentials from environment variables,
- shared credentials file or AWS Instance metadata
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication.
- If not set we fall-back to using env vars, shared credentials
- file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: ACMEIssuerDNS01ProviderWebhook specifies configuration
- for a webhook DNS01 provider, including where to POST ChallengePayload
- description: Additional configuration that should be passed
- to the webhook apiserver when challenges are processed.
- This can contain arbitrary JSON data. Secret values should
- not be specified in this stanza. If secret values are
- needed (e.g. credentials for a DNS service), you should
- use a SecretKeySelector to reference a Secret resource.
- For details on the schema of this field, consult the webhook
- provider implementation's documentation.
- x-kubernetes-preserve-unknown-fields: true
- description: The API group name that should be used when
- POSTing ChallengePayload resources to the webhook apiserver.
- This should be the same as the GroupName specified in
- the webhook provider implementation.
- description: The name of the solver to use, as defined in
- the webhook provider implementation. This will typically
- be the name of the provider, e.g. 'cloudflare'.
- description: ACMEChallengeSolverHTTP01 contains configuration detailing
- how to solve HTTP01 challenges within a Kubernetes cluster. Typically
- this is accomplished through creating 'routes' of some description
- that configure ingress controllers to direct traffic to 'solver
- pods', which are responsible for responding to the ACME server's
- description: The ingress based HTTP01 challenge solver will
- solve challenges by creating or modifying Ingress resources
- in order to route requests for '/.well-known/acme-challenge/XYZ'
- to 'challenge solver' pods that are provisioned by cert-manager
- for each Challenge to be completed.
- description: The ingress class to use when creating Ingress
- resources to solve ACME challenges that use this challenge
- solver. Only one of 'class' or 'name' may be specified.
- description: Optional ingress template used to configure
- the ACME challenge solver ingress used for HTTP01 challenges
- description: ObjectMeta overrides for the ingress used
- to solve HTTP01 challenges. Only the 'labels' and
- 'annotations' fields may be set. If labels or annotations
- overlap with in-built values, the values here will
- override the in-built values.
- description: Annotations that should be added to
- the created ACME HTTP01 solver ingress.
- description: Labels that should be added to the
- created ACME HTTP01 solver ingress.
- description: The name of the ingress resource that should
- have ACME challenge solving routes inserted into it in
- order to solve HTTP01 challenges. This is typically used
- in conjunction with ingress controllers like ingress-gce,
- which maintains a 1:1 mapping between external IPs and
- description: Optional pod template used to configure the
- ACME challenge solver pods used for HTTP01 challenges
- description: ObjectMeta overrides for the pod used to
- solve HTTP01 challenges. Only the 'labels' and 'annotations'
- fields may be set. If labels or annotations overlap
- with in-built values, the values here will override
- description: Annotations that should be added to
- the create ACME HTTP01 solver pods.
- description: Labels that should be added to the
- created ACME HTTP01 solver pods.
- description: PodSpec defines overrides for the HTTP01
- challenge solver pod. Only the 'nodeSelector', 'affinity'
- and 'tolerations' fields are supported currently.
- All other fields will be ignored.
- description: If specified, the pod's scheduling
- description: Describes node affinity scheduling
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to
- schedule pods to nodes that satisfy the
- affinity expressions specified by this
- field, but it may choose a node that violates
- one or more of the expressions. The node
- that is most preferred is the one with
- the greatest sum of weights, i.e. for
- each node that meets all of the scheduling
- requirements (resource request, requiredDuringScheduling
- affinity expressions, etc.), compute a
- sum by iterating through the elements
- of this field and adding "weight" to the
- sum if the node matches the corresponding
- matchExpressions; the node(s) with the
- highest sum are the most preferred.
- description: An empty preferred scheduling
- term matches all objects with implicit
- weight 0 (i.e. it's a no-op). A null
- preferred scheduling term matches no
- objects (i.e. is also a no-op).
+ description: Challenge is a type to represent a Challenge request with an + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + description: DNSName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Challenge will + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: 'Key is the ACME challenge key for this challenge For + HTTP01 challenges, this is the value that must be responded with + to complete the HTTP01 challenge in the format: `<private key JWK + thumbprint>.<key from acme server for challenge>`. 
For DNS01 challenges, + this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key + from acme server for challenge>` text that must be set as the TXT + description: Solver contains the domain solving configuration that + should be used to solve this challenge resource. + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage DNS01 + description: if both this and ClientSecret are left unset + description: if both this and ClientID are left unset + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage DNS01 + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 challenge + description: 'API key to use to authenticate with Cloudflare. 
+ Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with Cloudflare. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required when + using API key based authentication. + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: Use the DigitalOcean DNS API to manage DNS01 + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1])Â ; port is optional. + This field is required. 
+ description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 challenge + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret resource's + `data` field to be used. 
Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. 
+ description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + description: Labels that should be added to the + created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity scheduling + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. 
+ The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector term, + associated with the corresponding + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Weight associated with + matching the corresponding nodeSelectorTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node.
- description: A node selector term,
- associated with the corresponding
- description: A list of node selector
- requirements by node's labels.
- description: A node selector
- requirement is a selector
- that contains values, a key,
- and an operator that relates
- description: The label key
- that the selector applies
- description: Represents
- a key's relationship to
- operators are In, NotIn,
- description: An array of
- operator is In or NotIn,
- be non-empty. If the operator
- is Exists or DoesNotExist,
- be empty. If the operator
- is Gt or Lt, the values
- array must have a single
- interpreted as an integer.
- during a strategic merge
- description: A list of node selector
- requirements by node's fields.
- description: A node selector
- requirement is a selector
- that contains values, a key,
- and an operator that relates
- description: The label key
- that the selector applies
- description: Represents
- a key's relationship to
- operators are In, NotIn,
- description: An array of
- operator is In or NotIn,
- be non-empty. If the operator
- is Exists or DoesNotExist,
- be empty. If the operator
- is Gt or Lt, the values
- array must have a single
- interpreted as an integer.
- during a strategic merge
- description: Weight associated with
- matching the corresponding nodeSelectorTerm,
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not met at
- scheduling time, the pod will not be scheduled
- onto the node. If the affinity requirements
- specified by this field cease to be met
- at some point during pod execution (e.g.
- due to an update), the system may or may
- not try to eventually evict the pod from
- description: Required. A list of node
- selector terms. The terms are ORed.
- description: A null or empty node
- selector term matches no objects.
- The requirements of them are ANDed.
- The TopologySelectorTerm type implements
- a subset of the NodeSelectorTerm.
- description: A list of node selector
- requirements by node's labels.
- description: A node selector
- requirement is a selector
- that contains values, a key,
- and an operator that relates
- description: The label key
- that the selector applies
- description: Represents
- a key's relationship to
- operators are In, NotIn,
- description: An array of
- operator is In or NotIn,
- be non-empty. If the operator
- is Exists or DoesNotExist,
- be empty. If the operator
- is Gt or Lt, the values
- array must have a single
- interpreted as an integer.
- during a strategic merge
- description: A list of node selector
- requirements by node's fields.
- description: A node selector
- requirement is a selector
- that contains values, a key,
- and an operator that relates
- description: The label key
- that the selector applies
- description: Represents
- a key's relationship to
- operators are In, NotIn,
- description: An array of
- operator is In or NotIn,
- be non-empty. If the operator
- is Exists or DoesNotExist,
- be empty. If the operator
- is Gt or Lt, the values
- array must have a single
- interpreted as an integer.
- during a strategic merge
- description: Describes pod affinity scheduling
- rules (e.g. co-locate this pod in the same
- node, zone, etc. as some other pod(s)).
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to
- schedule pods to nodes that satisfy the
- affinity expressions specified by this
- field, but it may choose a node that violates
- one or more of the expressions. The node
- that is most preferred is the one with
- the greatest sum of weights, i.e. for
- each node that meets all of the scheduling
- requirements (resource request, requiredDuringScheduling
- affinity expressions, etc.), compute a
- sum by iterating through the elements
- of this field and adding "weight" to the
- sum if the node has pods which matches
- the corresponding podAffinityTerm; the
- node(s) with the highest sum are the most
- description: The weights of all of the
- matched WeightedPodAffinityTerm fields
- are added per-node to find the most
- description: Required. A pod affinity
- term, associated with the corresponding
- description: A label query over
- a set of resources, in this
- description: matchExpressions
- is a list of label selector
- requirements. The requirements
- description: A label selector
- requirement is a selector
- that relates the key and
- values. If the operator
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in
- the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- description: namespaces specifies
- which namespaces the labelSelector
- applies to (matches against);
- null or empty list means "this
- description: This pod should be
- co-located (affinity) or not
- co-located (anti-affinity) with
- the pods matching the labelSelector
- in the specified namespaces,
- where co-located is defined
- as running on a node whose value
- of the label with key topologyKey
- matches that of any node on
- which any of the selected pods
- is running. Empty topologyKey
- description: weight associated with
- matching the corresponding podAffinityTerm,
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not met at
- scheduling time, the pod will not be scheduled
- onto the node. If the affinity requirements
- specified by this field cease to be met
- at some point during pod execution (e.g.
- due to a pod label update), the system
- may or may not try to eventually evict
- the pod from its node. When there are
- multiple elements, the lists of nodes
- corresponding to each podAffinityTerm
- are intersected, i.e. all terms must be
- description: Defines a set of pods (namely
- those matching the labelSelector relative
- to the given namespace(s)) that this
- pod should be co-located (affinity)
- or not co-located (anti-affinity) with,
- where co-located is defined as running
- on a node whose value of the label with
- key <topologyKey> matches that of any
- node on which a pod of the set of pods
- description: A label query over a
- set of resources, in this case pods.
- description: matchExpressions
- is a list of label selector
- requirements. The requirements
- description: A label selector
- requirement is a selector
- that contains values, a key,
- and an operator that relates
- description: key is the
- label key that the selector
- description: operator represents
- a key's relationship to
- operators are In, NotIn,
- Exists and DoesNotExist.
- description: values is an
- array of string values.
- or NotIn, the values array
- or DoesNotExist, the values
- array must be empty. This
- array is replaced during
- a strategic merge patch.
- description: matchLabels is a
- map of {key,value} pairs. A
- single {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator
- is "In", and the values array
- contains only "value". The requirements
- description: namespaces specifies
- which namespaces the labelSelector
- applies to (matches against); null
- or empty list means "this pod's
+ description: Required. A list of node + selector terms. The terms are ORed.
- description: This pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with the pods matching the labelSelector
- in the specified namespaces, where
- co-located is defined as running
- on a node whose value of the label
- with key topologyKey matches that
- of any node on which any of the
- selected pods is running. Empty
- topologyKey is not allowed.
- description: Describes pod anti-affinity scheduling
- rules (e.g. avoid putting this pod in the
- same node, zone, etc. as some other pod(s)).
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to
- schedule pods to nodes that satisfy the
- anti-affinity expressions specified by
- this field, but it may choose a node that
- violates one or more of the expressions.
- The node that is most preferred is the
- one with the greatest sum of weights,
- i.e. for each node that meets all of the
- scheduling requirements (resource request,
- requiredDuringScheduling anti-affinity
- expressions, etc.), compute a sum by iterating
- through the elements of this field and
- adding "weight" to the sum if the node
- has pods which matches the corresponding
- podAffinityTerm; the node(s) with the
- highest sum are the most preferred.
- description: The weights of all of the
- matched WeightedPodAffinityTerm fields
- are added per-node to find the most
- description: Required. A pod affinity
- term, associated with the corresponding
- description: A label query over
- a set of resources, in this
- description: matchExpressions
- is a list of label selector
- requirements. The requirements
- description: A label selector
- requirement is a selector
- that relates the key and
+ description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single
- values. If the operator
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in
- the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- description: namespaces specifies
- which namespaces the labelSelector
- applies to (matches against);
- null or empty list means "this
- description: This pod should be
- co-located (affinity) or not
- co-located (anti-affinity) with
- the pods matching the labelSelector
- in the specified namespaces,
- where co-located is defined
- as running on a node whose value
- of the label with key topologyKey
- matches that of any node on
- which any of the selected pods
- is running. Empty topologyKey
- description: weight associated with
- matching the corresponding podAffinityTerm,
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the anti-affinity requirements
- specified by this field are not met at
- scheduling time, the pod will not be scheduled
- onto the node. If the anti-affinity requirements
- specified by this field cease to be met
- at some point during pod execution (e.g.
- due to a pod label update), the system
- may or may not try to eventually evict
- the pod from its node. When there are
- multiple elements, the lists of nodes
- corresponding to each podAffinityTerm
- are intersected, i.e. all terms must be
- description: Defines a set of pods (namely
- those matching the labelSelector relative
- to the given namespace(s)) that this
- pod should be co-located (affinity)
- or not co-located (anti-affinity) with,
- where co-located is defined as running
- on a node whose value of the label with
- key <topologyKey> matches that of any
- node on which a pod of the set of pods
- description: A label query over a
- set of resources, in this case pods.
- description: matchExpressions
- is a list of label selector
- requirements. The requirements
- description: A label selector
- requirement is a selector
- that contains values, a key,
- and an operator that relates
- description: key is the
- label key that the selector
- description: operator represents
- a key's relationship to
- operators are In, NotIn,
- Exists and DoesNotExist.
- description: values is an
- array of string values.
- or NotIn, the values array
- or DoesNotExist, the values
- array must be empty. This
- array is replaced during
- a strategic merge patch.
- description: matchLabels is a
- map of {key,value} pairs. A
- single {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator
- is "In", and the values array
- contains only "value". The requirements
- description: namespaces specifies
- which namespaces the labelSelector
- applies to (matches against); null
- or empty list means "this pod's
- description: This pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with the pods matching the labelSelector
- in the specified namespaces, where
- co-located is defined as running
- on a node whose value of the label
- with key topologyKey matches that
- of any node on which any of the
- selected pods is running. Empty
- topologyKey is not allowed.
- description: 'NodeSelector is a selector which must
- be true for the pod to fit on a node. Selector
- which must match a node''s labels for the pod
- to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- description: If specified, the pod's tolerations.
- description: The pod this Toleration is attached
- to tolerates any taint that matches the triple
- <key,value,effect> using the matching operator
- description: Effect indicates the taint effect
- to match. Empty means match all taint effects.
- When specified, allowed values are NoSchedule,
- PreferNoSchedule and NoExecute.
- description: Key is the taint key that the
- toleration applies to. Empty means match
- all taint keys. If the key is empty, operator
- must be Exists; this combination means to
- match all values and all keys.
- description: Operator represents a key's relationship
- to the value. Valid operators are Exists
- and Equal. Defaults to Equal. Exists is
- equivalent to wildcard for value, so that
- a pod can tolerate all taints of a particular
- description: TolerationSeconds represents
- the period of time the toleration (which
- must be of effect NoExecute, otherwise this
- field is ignored) tolerates the taint. By
- default, it is not set, which means tolerate
- the taint forever (do not evict). Zero and
- negative values will be treated as 0 (evict
- immediately) by the system.
- description: Value is the taint value the
- toleration matches to. If the operator is
- Exists, the value should be empty, otherwise
- description: Optional service type for Kubernetes solver
- description: Selector selects a set of DNSNames on the Certificate
- resource that should be solved using this challenge solver.
- description: List of DNSNames that this solver will be used
- to solve. If specified and a match is found, a dnsNames selector
- will take precedence over a dnsZones selector. If multiple
- solvers match with the same dnsNames value, the solver with
- the most matching labels in matchLabels will be selected.
- If neither has more matches, the solver defined earlier in
- the list will be selected.
- description: List of DNSZones that this solver will be used
- to solve. The most specific DNS zone match specified here
- will take precedence over other DNS zone matches, so a solver
- specifying sys.example.com will be selected over one specifying
- example.com for the domain www.sys.example.com. If multiple
- solvers match with the same dnsZones value, the solver with
- the most matching labels in matchLabels will be selected.
- If neither has more matches, the solver defined earlier in
- the list will be selected.
- description: A label selector that is used to refine the set
- of certificate's that this challenge solver will apply to.
- description: Token is the ACME challenge token for this challenge. This
- is the raw value returned from the ACME server.
- description: Type is the type of ACME challenge this resource represents,
- e.g. "dns01" or "http01".
- description: URL is the URL of the ACME Challenge resource for this
- challenge. This can be used to lookup details about the status of
- description: Wildcard will be true if this challenge is for a wildcard
- identifier, for example '*.example.com'.
- description: Presented will be set to true if the challenge values for
- this challenge are currently 'presented'. This *does not* imply the
- self check is passing. Only that the values have been 'submitted'
- for the appropriate challenge mechanism (i.e. the DNS01 TXT record
- has been presented, or the HTTP01 configuration has been configured).
- description: Processing is used to denote whether this challenge should
- be processed or not. This field will only be set to true by the 'scheduling'
- component. It will only be set to false by the 'challenges' controller,
- after the challenge has reached a final state or timed out. If this
- field is set to false, the challenge controller will not take any
- description: Reason contains human readable information on why the Challenge
- is in the current state.
- description: State contains the current 'state' of the challenge. If
- not set, the state of the challenge is unknown.
----
-# Source: cert-manager/templates/templates.regular.out
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
- name: clusterissuers.cert-manager.io
- cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca'
- app.kubernetes.io/name: 'cert-manager'
- app.kubernetes.io/instance: 'cert-manager'
- app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'
- additionalPrinterColumns:
- - JSONPath: .status.conditions[?(@.type=="Ready")].status
- - JSONPath: .status.conditions[?(@.type=="Ready")].message
- - JSONPath: .metadata.creationTimestamp
- description: CreationTimestamp is a timestamp representing the server time when
- this object was created. It is not guaranteed to be set in happens-before order
- across separate operations. Clients may not set this value. It is represented
- in RFC3339 form and is in UTC.
- preserveUnknownFields: false
- # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
- # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
- namespace: 'cert-manager'
- name: 'cert-manager-webhook'
- listKind: ClusterIssuerList
- singular: clusterissuer
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- description: IssuerSpec is the specification of an Issuer. This includes
- any configuration required for the issuer.
- description: ACMEIssuer contains the specification for an ACME issuer
- description: Email is the email for this account
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external
- account of the ACME server.
- description: keyAlgorithm is the MAC key algorithm that the
- key is used for. Valid values are "HS256", "HS384" and "HS512".
- description: keyID is the ID of the CA key that the External
- description: keySecretRef is a Secret Key Selector referencing
- a data item in a Kubernetes Secret which holds the symmetric
- MAC key of the External Account Binding. The `key` is the
- index string that is paired with the key data in the Secret
- and should not be confused with the key data itself, or indeed
- with the External Account Binding keyID above. The secret
- key stored in the Secret **must** be un-padded, base64 URL
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: PrivateKey is the name of a secret containing the private
- key for this user account.
- description: The key of the secret to select from. Must be a
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: Server is the ACME server URL
- description: If true, skip verifying the ACME server TLS certificate
- description: Solvers is a list of challenge solvers that will be
- used to solve ACME challenges for the matching domains.
- description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
- containing the configuration for ACME-DNS servers
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderAkamai is a structure
- containing the DNS configuration for Akamai DNS—Zone
- - clientSecretSecretRef
- - serviceConsumerDomain
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderAzureDNS is a structure
- containing the configuration for Azure DNS
- description: if both this and ClientSecret are left
- description: if both this and ClientID are left unset
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- - AzureUSGovernmentCloud
- description: when specifying ClientID and ClientSecret
- then this field is also needed
- description: ACMEIssuerDNS01ProviderCloudDNS is a structure
- containing the DNS configuration for Google Cloud DNS
- serviceAccountSecretRef:
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderCloudflare is a structure
- containing the DNS configuration for Cloudflare
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: CNAMEStrategy configures how the DNS01 provider
- should handle CNAME records when found in DNS zones.
- description: ACMEIssuerDNS01ProviderDigitalOcean is a
- structure containing the DNS configuration for DigitalOcean
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderRFC2136 is a structure
- containing the configuration for RFC2136 DNS
- description: The IP address or hostname of an authoritative
- DNS server supporting RFC2136 in the form host:port.
- If the host is an IPv6 address it must be enclosed
- in square brackets (e.g [2001:db8::1])Â ; port is
- optional. This field is required.
- description: 'The TSIG Algorithm configured in the
- DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
- and ``tsigKeyName`` are defined. Supported values
- are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
- ``HMACSHA256`` or ``HMACSHA512``.'
- description: The TSIG Key name configured in the DNS.
- If ``tsigSecretSecretRef`` is defined, this field
- description: The name of the secret containing the
- TSIG value. If ``tsigKeyName`` is defined, this
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderRoute53 is a structure
- containing the Route 53 configuration for AWS
- description: 'The AccessKeyID is used for authentication.
- If not set we fall-back to using env vars, shared
- credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- description: If set, the provider will manage only
- this zone in Route53 and will not do an lookup using
- the route53:ListHostedZonesByName api call.
- description: Always set the region when using AccessKeyID
- description: Role is a Role ARN which the Route53
- provider will assume using either the explicit credentials
- AccessKeyID/SecretAccessKey or the inferred credentials
- from environment variables, shared credentials file
- or AWS Instance metadata
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication.
- If not set we fall-back to using env vars, shared
- credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderWebhook specifies
- configuration for a webhook DNS01 provider, including
- where to POST ChallengePayload resources.
- description: Additional configuration that should
- be passed to the webhook apiserver when challenges
- are processed. This can contain arbitrary JSON data.
- Secret values should not be specified in this stanza.
- If secret values are needed (e.g. credentials for
- a DNS service), you should use a SecretKeySelector
- to reference a Secret resource. For details on the
- schema of this field, consult the webhook provider
- implementation's documentation.
- x-kubernetes-preserve-unknown-fields: true
- description: The API group name that should be used
- when POSTing ChallengePayload resources to the webhook
- apiserver. This should be the same as the GroupName
- specified in the webhook provider implementation.
- description: The name of the solver to use, as defined
- in the webhook provider implementation. This will
- typically be the name of the provider, e.g. 'cloudflare'.
- description: ACMEChallengeSolverHTTP01 contains configuration
- detailing how to solve HTTP01 challenges within a Kubernetes
- cluster. Typically this is accomplished through creating
- 'routes' of some description that configure ingress controllers
- to direct traffic to 'solver pods', which are responsible
- for responding to the ACME server's HTTP requests.
- description: The ingress based HTTP01 challenge solver
- will solve challenges by creating or modifying Ingress
- resources in order to route requests for '/.well-known/acme-challenge/XYZ'
- to 'challenge solver' pods that are provisioned by cert-manager
- for each Challenge to be completed.
- description: The ingress class to use when creating
- Ingress resources to solve ACME challenges that
- use this challenge solver. Only one of 'class' or
- 'name' may be specified.
- description: Optional ingress template used to configure
- the ACME challenge solver ingress used for HTTP01
- description: ObjectMeta overrides for the ingress
- used to solve HTTP01 challenges. Only the 'labels'
- and 'annotations' fields may be set. If labels
- or annotations overlap with in-built values,
- the values here will override the in-built values.
- description: Annotations that should be added
- to the created ACME HTTP01 solver ingress.
- description: Labels that should be added to
- the created ACME HTTP01 solver ingress.
- description: The name of the ingress resource that
- should have ACME challenge solving routes inserted
- into it in order to solve HTTP01 challenges. This
- is typically used in conjunction with ingress controllers
- like ingress-gce, which maintains a 1:1 mapping
- between external IPs and ingress resources.
- description: Optional pod template used to configure
- the ACME challenge solver pods used for HTTP01 challenges
- description: ObjectMeta overrides for the pod
- used to solve HTTP01 challenges. Only the 'labels'
- and 'annotations' fields may be set. If labels
- or annotations overlap with in-built values,
- the values here will override the in-built values.
- description: Annotations that should be added
- to the create ACME HTTP01 solver pods.
- description: Labels that should be added to
- the created ACME HTTP01 solver pods.
- description: PodSpec defines overrides for the
- HTTP01 challenge solver pod. Only the 'nodeSelector',
- 'affinity' and 'tolerations' fields are supported
- currently. All other fields will be ignored.
- description: If specified, the pod's scheduling
+ description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)).
- description: Describes node affinity scheduling
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer
- to schedule pods to nodes that satisfy
- the affinity expressions specified
- by this field, but it may choose
- a node that violates one or more
- of the expressions. The node that
- is most preferred is the one with
- the greatest sum of weights, i.e.
- for each node that meets all of
- the scheduling requirements (resource
- request, requiredDuringScheduling
- affinity expressions, etc.), compute
- a sum by iterating through the elements
- of this field and adding "weight"
- to the sum if the node matches the
- corresponding matchExpressions;
- the node(s) with the highest sum
- are the most preferred.
- description: An empty preferred
- scheduling term matches all objects
- with implicit weight 0 (i.e. it's
- a no-op). A null preferred scheduling
- term matches no objects (i.e.
+ preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding
- description: A node selector
- term, associated with the
+ description: A label query over + a set of resources, in this - description: A list of node
+ description: matchExpressions + is a list of label selector + requirements. The requirements - description: A node selector
+ description: A label selector + requirement is a selector + values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). 
+ preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector requirement is a selector
@@ -3095,193 +2972,1205 @@
- description: Represents
- is Exists or DoesNotExist,
- which will be interpreted
- description: A list of node
- description: A node selector
- requirement is a selector
- description: Represents
+ values. If the operator is Exists or DoesNotExist,
- which will be interpreted
- description: Weight associated
- with matching the corresponding
- nodeSelectorTerm, in the range
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not
- met at scheduling time, the pod
- will not be scheduled onto the node.
- If the affinity requirements specified
- by this field cease to be met at
- some point during pod execution
- (e.g. due to an update), the system
- may or may not try to eventually
- evict the pod from its node.
- description: Required. A list
- of node selector terms. The
- description: A null or empty
- node selector term matches
- no objects. The requirements
- of them are ANDed. The TopologySelectorTerm
- type implements a subset of
+ description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. 
The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + <key,value,effect> using the matching operator + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. 
If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + description: Optional service type for Kubernetes solver + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. 
If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + description: Token is the ACME challenge token for this challenge. + This is the raw value returned from the ACME server. + description: Type is the type of ACME challenge this resource represents. + One of "http-01" or "dns-01". + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + description: Presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the + 'scheduling' component. It will only be set to false by the 'challenges' + controller, after the challenge has reached a final state or timed + out. If this field is set to false, the challenge controller will + not take any more action. + description: Reason contains human readable information on why the + Challenge is in the current state. + description: State contains the current 'state' of the challenge. + If not set, the state of the challenge is unknown. + description: Challenge is a type to represent a Challenge request with an + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + description: DNSName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Challenge will + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: 'Key is the ACME challenge key for this challenge For + HTTP01 challenges, this is the value that must be responded with + to complete the HTTP01 challenge in the format: `<private key JWK + thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, + this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key + from acme server for challenge>` text that must be set as the TXT + description: Solver contains the domain solving configuration that + should be used to solve this challenge resource. + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. 
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage DNS01 + description: if both this and ClientSecret are left unset + description: if both this and ClientID are left unset + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage DNS01 + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 challenge + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with Cloudflare. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required when + using API key based authentication. + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: Use the DigitalOcean DNS API to manage DNS01 + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1])Â ; port is optional. + This field is required. + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the DNS. 
+ If ``tsigSecretSecretRef`` is defined, this field is + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 challenge + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. 
+ description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. 
+ description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + description: Labels that should be added to the + created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity scheduling + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. 
for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector term, + associated with the corresponding + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Weight associated with + matching the corresponding nodeSelectorTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + description: Required. A list of node + selector terms. The terms are ORed. + description: A null or empty node + selector term matches no objects. 
+ The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding + description: A label query over + a set of resources, in this - description: A list of node
+ description: matchExpressions + is a list of label selector + requirements. The requirements - description: A node selector
- requirement is a selector
- description: Represents
- is Exists or DoesNotExist,
- which will be interpreted
- description: A list of node
- description: A node selector
+ description: A label selector requirement is a selector
@@ -3293,226 +4182,1708 @@
- description: Represents
+ values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. 
The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. 
for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding + description: A label query over + a set of resources, in this + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + values. If the operator is Exists or DoesNotExist,
- which will be interpreted
- description: Describes pod affinity scheduling
- rules (e.g. co-locate this pod in the
- same node, zone, etc. as some other
+ description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. 
The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + <key,value,effect> using the matching operator + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. 
If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + description: Optional service type for Kubernetes solver + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. 
If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + description: Token is the ACME challenge token for this challenge. + This is the raw value returned from the ACME server. + description: Type is the type of ACME challenge this resource represents. + One of "http-01" or "dns-01". + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + description: Presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the + 'scheduling' component. It will only be set to false by the 'challenges' + controller, after the challenge has reached a final state or timed + out. If this field is set to false, the challenge controller will + not take any more action. + description: Reason contains human readable information on why the + Challenge is in the current state. + description: State contains the current 'state' of the challenge. + If not set, the state of the challenge is unknown. + description: Challenge is a type to represent a Challenge request with an + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: The URL to the ACME Authorization resource that this + challenge is a part of. + description: dnsName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + description: References a properly configured ACME-type Issuer which + should be used to create this Challenge. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: 'The ACME challenge key for this challenge For HTTP01 + challenges, this is the value that must be responded with to complete + the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key + from acme server for challenge>`. For DNS01 challenges, this is + the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key + from acme server for challenge>` text that must be set as the TXT + description: Contains the domain solving configuration that should + be used to solve this challenge resource. + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. 
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage DNS01 + description: if both this and ClientSecret are left unset + description: if both this and ClientID are left unset + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage DNS01 + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 challenge + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with Cloudflare. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required when + using API key based authentication. + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: Use the DigitalOcean DNS API to manage DNS01 + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1])Â ; port is optional. + This field is required. + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the DNS. 
+ If ``tsigSecretSecretRef`` is defined, this field is + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 challenge + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. 
+ description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. 
+ description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + description: Labels that should be added to the + created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity scheduling + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. 
for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector term, + associated with the corresponding + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Weight associated with + matching the corresponding nodeSelectorTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. - preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer
- to schedule pods to nodes that satisfy
- the affinity expressions specified
- by this field, but it may choose
- a node that violates one or more
- of the expressions. The node that
- is most preferred is the one with
- the greatest sum of weights, i.e.
- for each node that meets all of
- the scheduling requirements (resource
- request, requiredDuringScheduling
- affinity expressions, etc.), compute
- a sum by iterating through the elements
- of this field and adding "weight"
- to the sum if the node has pods
- which matches the corresponding
- podAffinityTerm; the node(s) with
- the highest sum are the most preferred.
+ description: Required. A list of node + selector terms. The terms are ORed. - description: The weights of all
- of the matched WeightedPodAffinityTerm
- fields are added per-node to find
- the most preferred node(s)
+ description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: A list of node + selector requirements by node's + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: Represents + In, NotIn, Exists, DoesNotExist. + NotIn, the values array + is Gt or Lt, the values + array must have a single + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding
- description: Required. A pod
- affinity term, associated
- with the corresponding weight.
+ description: A label query over + a set of resources, in this
- description: A label query
- over a set of resources,
- description: matchExpressions
- description: matchLabels
- is a map of {key,value}
- pairs. A single {key,value}
- to an element of matchExpressions,
- is "In", and the values
- "value". The requirements
- description: namespaces
- specifies which namespaces
- the labelSelector applies
- null or empty list means
+ description: matchExpressions + is a list of label selector + requirements. The requirements
- description: This pod should
- be co-located (affinity)
- or not co-located (anti-affinity)
- the labelSelector in the
- where co-located is defined
- as running on a node whose
- value of the label with
- key topologyKey matches
- that of any node on which
- any of the selected pods
- is running. Empty topologyKey
- description: weight associated
- with matching the corresponding
- podAffinityTerm, in the range
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not
- met at scheduling time, the pod
- will not be scheduled onto the node.
- If the affinity requirements specified
- by this field cease to be met at
- some point during pod execution
- (e.g. due to a pod label update),
- the system may or may not try to
- eventually evict the pod from its
- node. When there are multiple elements,
- the lists of nodes corresponding
- to each podAffinityTerm are intersected,
- i.e. all terms must be satisfied.
- description: Defines a set of pods
- (namely those matching the labelSelector
- relative to the given namespace(s))
- that this pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with, where co-located is defined
- as running on a node whose value
- of the label with key <topologyKey>
- matches that of any node on which
- a pod of the set of pods is running
+ description: A label selector + requirement is a selector + values. If the operator + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + is equivalent to an element + of matchExpressions, whose + key field is "key", the + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). 
+ preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + description: Required. A pod affinity + term, associated with the corresponding
@@ -3612,638 +5983,6105 @@
running. Empty topologyKey
- description: Describes pod anti-affinity
- scheduling rules (e.g. avoid putting
- this pod in the same node, zone, etc.
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer
- to schedule pods to nodes that satisfy
- the anti-affinity expressions specified
- by this field, but it may choose
- a node that violates one or more
- of the expressions. The node that
- is most preferred is the one with
- the greatest sum of weights, i.e.
- for each node that meets all of
- the scheduling requirements (resource
- request, requiredDuringScheduling
- anti-affinity expressions, etc.),
- compute a sum by iterating through
- the elements of this field and adding
- "weight" to the sum if the node
- has pods which matches the corresponding
- podAffinityTerm; the node(s) with
- the highest sum are the most preferred.
- description: The weights of all
- of the matched WeightedPodAffinityTerm
- fields are added per-node to find
- the most preferred node(s)
+ description: weight associated with + matching the corresponding podAffinityTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key <topologyKey> matches + that of any node on which a pod of + the set of pods is running + description: A label query over + a set of resources, in this case + description: matchExpressions + is a list of label selector + requirements. The requirements + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + description: key is the + label key that the selector + represents a key's relationship + an array of string values. + array must be non-empty. + If the operator is Exists + replaced during a strategic + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". 
The requirements + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + <key,value,effect> using the matching operator + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. 
+ description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + description: Optional service type for Kubernetes solver + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + description: The ACME challenge token for this challenge. This is + the raw value returned from the ACME server. + description: The type of ACME challenge this resource represents. + One of "HTTP-01" or "DNS-01". + description: The URL of the ACME Challenge resource for this challenge. + This can be used to lookup details about the status of this challenge. 
+ description: wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + description: presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + description: Used to denote whether this challenge should be processed + or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + description: Contains human readable information on why the Challenge + is in the current state. + description: Contains the current 'state' of the challenge. If not + set, the state of the challenge is unknown. +# Source: cert-manager/templates/templates.regular.out +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + name: clusterissuers.cert-manager.io + cert-manager.io/inject-ca-from-secret: 'cert-manager/cert-manager-webhook-ca' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + app.kubernetes.io/managed-by: 'Helm' + helm.sh/chart: 'cert-manager-v0.16.1' + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + - JSONPath: .status.conditions[?(@.type=="Ready")].message + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. 
+ preserveUnknownFields: false + # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. + namespace: 'cert-manager' + name: 'cert-manager-webhook' + listKind: ClusterIssuerList + singular: clusterissuer + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the ClusterIssuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. 
If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' 
+ description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. 
Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. 
+ description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. 
+ If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. 
`*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. 
Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the
- description: Required. A pod
- affinity term, associated
- with the corresponding weight.
- description: A label query
- over a set of resources,
- description: matchExpressions
+ description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist,
- description: matchLabels
- is a map of {key,value}
- pairs. A single {key,value}
- to an element of matchExpressions,
- is "In", and the values
- "value". The requirements
+ node selector requirements
- description: namespaces
- specifies which namespaces
- the labelSelector applies
- null or empty list means
- description: This pod should
- be co-located (affinity)
- or not co-located (anti-affinity)
- the labelSelector in the
- where co-located is defined
- as running on a node whose
- value of the label with
- key topologyKey matches
- that of any node on which
- any of the selected pods
- is running. Empty topologyKey
+ description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. 
due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means
- description: weight associated
- with matching the corresponding
- podAffinityTerm, in the range
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the anti-affinity
- requirements specified by this field
- are not met at scheduling time,
- the pod will not be scheduled onto
- the node. If the anti-affinity requirements
- specified by this field cease to
- be met at some point during pod
- execution (e.g. due to a pod label
- update), the system may or may not
- try to eventually evict the pod
- from its node. When there are multiple
- elements, the lists of nodes corresponding
- to each podAffinityTerm are intersected,
- i.e. all terms must be satisfied.
- description: Defines a set of pods
- (namely those matching the labelSelector
- relative to the given namespace(s))
- that this pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with, where co-located is defined
- as running on a node whose value
- of the label with key <topologyKey>
- matches that of any node on which
- a pod of the set of pods is running
- description: A label query over
- a set of resources, in this
- description: matchExpressions
- is a list of label selector
- requirements. The requirements
- description: A label selector
- requirement is a selector
+ description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources,
- values. If the operator
- is Exists or DoesNotExist,
+ description: matchExpressions
- description: matchLabels
- is a map of {key,value}
- pairs. A single {key,value}
- is equivalent to an element
- of matchExpressions, whose
- key field is "key", the
- the values array contains
- only "value". The requirements
- description: namespaces specifies
- which namespaces the labelSelector
- applies to (matches against);
- null or empty list means "this
+ description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey
- description: This pod should
- be co-located (affinity) or
- not co-located (anti-affinity)
- with the pods matching the
- labelSelector in the specified
- namespaces, where co-located
- is defined as running on a
- node whose value of the label
- with key topologyKey matches
- that of any node on which
- any of the selected pods is
- running. Empty topologyKey
- description: 'NodeSelector is a selector which
- must be true for the pod to fit on a node.
- Selector which must match a node''s labels
- for the pod to be scheduled on that node.
- More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- description: If specified, the pod's tolerations.
- description: The pod this Toleration is
- attached to tolerates any taint that matches
- the triple <key,value,effect> using the
- matching operator <operator>.
+ description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. 
+ description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. 
+ description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. 
+ description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. 
+ description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the ClusterIssuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. 
+ description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready'). + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the ClusterIssuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. 
+ description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. 
If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. 
In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. 
+ If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. 
+ If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. 
`*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. 
Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling
- description: Effect indicates the taint
- effect to match. Empty means match
- all taint effects. When specified,
- allowed values are NoSchedule, PreferNoSchedule
- description: Key is the taint key that
- the toleration applies to. Empty means
- match all taint keys. If the key is
- empty, operator must be Exists; this
- combination means to match all values
- description: Operator represents a key's
- relationship to the value. Valid operators
- are Exists and Equal. Defaults to
- Equal. Exists is equivalent to wildcard
- for value, so that a pod can tolerate
- all taints of a particular category.
- description: TolerationSeconds represents
- the period of time the toleration
- (which must be of effect NoExecute,
- otherwise this field is ignored) tolerates
- the taint. By default, it is not set,
- which means tolerate the taint forever
- (do not evict). Zero and negative
- values will be treated as 0 (evict
- immediately) by the system.
- description: Value is the taint value
- the toleration matches to. If the
- operator is Exists, the value should
- be empty, otherwise just a regular
- description: Optional service type for Kubernetes
- description: Selector selects a set of DNSNames on the Certificate
- resource that should be solved using this challenge solver.
- description: List of DNSNames that this solver will be
- used to solve. If specified and a match is found, a
- dnsNames selector will take precedence over a dnsZones
- selector. If multiple solvers match with the same dnsNames
- value, the solver with the most matching labels in matchLabels
- will be selected. If neither has more matches, the solver
- defined earlier in the list will be selected.
- description: List of DNSZones that this solver will be
- used to solve. The most specific DNS zone match specified
- here will take precedence over other DNS zone matches,
- so a solver specifying sys.example.com will be selected
- over one specifying example.com for the domain www.sys.example.com.
- If multiple solvers match with the same dnsZones value,
- the solver with the most matching labels in matchLabels
- will be selected. If neither has more matches, the solver
- defined earlier in the list will be selected.
- description: A label selector that is used to refine the
- set of certificate's that this challenge solver will
+ description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. 
+ node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. 
If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. 
The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. 
+ If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. 
+ If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app
- description: The CRL distribution points is an X.509 v3 certificate
- extension which identifies the location of the CRL from which
- the revocation of this certificate can be checked. If not set
- certificate will be issued without CDP. Values are strings.
- description: SecretName is the name of the secret used to sign Certificates
- description: The CRL distribution points is an X.509 v3 certificate
- extension which identifies the location of the CRL from which
- the revocation of this certificate can be checked. If not set
- certificate will be issued without CDP. Values are strings.
- description: Vault authentication
- description: This Secret contains a AppRole and Secret
- description: Where the authentication path is mounted in
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: This contains a Role and Secret with a ServiceAccount
- token to authenticate with vault.
- description: The Vault mountPath here is the mount path
- to use when authenticating with Vault. For example, setting
- a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
- to authenticate with Vault. If unspecified, the default
- value "/v1/auth/kubernetes" will be used.
- description: A required field containing the Vault Role
- to assume. A Role binds a Kubernetes ServiceAccount with
- a set of Vault policies.
- description: The required Secret field containing a Kubernetes
- ServiceAccount JWT used for authenticating with Vault.
- Use of 'ambient credentials' is not supported.
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: This Secret contains the Vault token key
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: Base64 encoded CA bundle to validate Vault server certificate.
- Only used if the Server URL is using HTTPS protocol. This parameter
- is ignored for plain HTTP protocol connection. If not set the
- system root certificates are used to validate the TLS connection.
- description: Vault URL path to the certificate role
- description: Server is the vault connection address
- description: VenafiIssuer describes issuer configuration details for
- description: Cloud specifies the Venafi cloud configuration settings.
- Only one of TPP or Cloud may be specified.
+ description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. 
+ If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 
+ description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the ClusterIssuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for
- description: APITokenSecretRef is a secret key selector for
- the Venafi Cloud API token.
+ description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready'). + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the ClusterIssuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. 
+ externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. 
For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: URL is the base URL for Venafi Cloud
- description: TPP specifies Trust Protection Platform configuration
- settings. Only one of TPP or Cloud may be specified.
+ description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. 
If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. 
Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. 
+ description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). 
A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. 
for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. 
+ for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. 
+ description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. 
+ If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. 
+ If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. 
+ The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. 
+ This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the ClusterIssuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for
- description: CABundle is a PEM encoded TLS certificate to use
- to verify connections to the TPP instance. If specified, system
- roots will not be used and the issuing CA for the TPP instance
- must be verifiable using the provided root. If not specified,
- the connection will be verified using the cert-manager system
- description: CredentialsRef is a reference to a Secret containing
- the username and password for the TPP server. The secret must
- contain two keys, 'username' and 'password'.
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: URL is the base URL for the Venafi TPP instance
- description: Zone is the Venafi Policy Zone to use for this issuer.
- All requests made to the Venafi platform will be restricted by
- the named zone policy. This field is required.
- description: IssuerStatus contains status information about an Issuer
- description: LastRegisteredEmail is the email associated with the
- latest registered ACME account, in order to track changes made
- to registered account associated with the Issuer
- description: URI is the unique account identifier, which can also
- be used to retrieve account details from the CA
- description: IssuerCondition contains condition information for an
- description: LastTransitionTime is the timestamp corresponding
- to the last status change of this condition.
- description: Message is a human readable description of the details
- of the last transition, complementing reason.
- description: Reason is a brief machine readable explanation for
- the condition's last transition.
- description: Status of the condition, one of ('True', 'False',
- description: Type of the condition, currently ('Ready').
+ description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready'). # Source: cert-manager/templates/templates.regular.out
apiVersion: apiextensions.k8s.io/v1beta1
@@ -4257,7 +12095,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'
+ helm.sh/chart: 'cert-manager-v0.16.1'
 additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
@@ -4297,1760 +12135,5774 @@
+ description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the Issuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". 
+ description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. 
+ The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. 
Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. 
+ If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. 
+ If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. 
`*.example.com`) using the HTTP01 challenge + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the created ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + description: Annotations that should be + added to the create ACME HTTP01 solver + description: Labels that should be added + to the created ACME HTTP01 solver pods. + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. 
Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + description: If specified, the pod's scheduling + description: Describes node affinity + scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + description: Required. A list + of node selector terms. 
The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. 
Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. 
avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. 
When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. 
When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. 
The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. 
+ description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. 
Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. 
+ description: CredentialsRef is a reference to a Secret containing
+ the username and password for the TPP server. The secret
+ must contain two keys, 'username' and 'password'.
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: 'URL is the base URL for the vedsdk endpoint
+ of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+ description: Zone is the Venafi Policy Zone to use for this issuer.
+ All requests made to the Venafi platform will be restricted
+ by the named zone policy. This field is required.
+ description: Status of the Issuer. This is set and managed automatically.
+ description: ACME specific status options. This field should only
+ be set if the Issuer is configured to use an ACME server to issue
+ description: LastRegisteredEmail is the email associated with
+ the latest registered ACME account, in order to track changes
+ made to registered account associated with the Issuer
+ description: URI is the unique account identifier, which can also
+ be used to retrieve account details from the CA
+ description: List of status conditions to indicate the status of a
+ CertificateRequest. Known condition types are `Ready`.
+ description: IssuerCondition contains condition information for
+ description: LastTransitionTime is the timestamp corresponding
+ to the last status change of this condition.
+ description: Message is a human readable description of the
+ details of the last transition, complementing reason.
+ description: Reason is a brief machine readable explanation
+ for the condition's last transition.
+ description: Status of the condition, one of ('True', 'False',
+ description: Type of the condition, known values are ('Ready').
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- description: IssuerSpec is the specification of an Issuer. This includes
- any configuration required for the issuer.
- description: ACMEIssuer contains the specification for an ACME issuer
- description: Email is the email for this account
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external
- account of the ACME server.
- description: keyAlgorithm is the MAC key algorithm that the
- key is used for. Valid values are "HS256", "HS384" and "HS512".
- description: keyID is the ID of the CA key that the External
- description: keySecretRef is a Secret Key Selector referencing
- a data item in a Kubernetes Secret which holds the symmetric
- MAC key of the External Account Binding. The `key` is the
- index string that is paired with the key data in the Secret
- and should not be confused with the key data itself, or indeed
- with the External Account Binding keyID above. The secret
- key stored in the Secret **must** be un-padded, base64 URL
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: PrivateKey is the name of a secret containing the private
- key for this user account.
- description: The key of the secret to select from. Must be a
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: Server is the ACME server URL
- description: If true, skip verifying the ACME server TLS certificate
- description: Solvers is a list of challenge solvers that will be
- used to solve ACME challenges for the matching domains.
+ description: An Issuer represents a certificate issuing authority which can
+ be referenced as part of `issuerRef` fields. It is scoped to a single namespace
+ and can therefore only be referenced by resources within the same namespace.
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: Desired state of the Issuer resource.
+ description: ACME configures this issuer to communicate with a RFC8555
+ (ACME) server to obtain signed x509 certificates.
+ description: Email is the email address to be associated with
+ the ACME account. This field is optional, but it is strongly
+ recommended to be set. It will be used to contact you in case
+ of issues with your account or certificates, including expiry
+ notification emails. This field may be updated after the account
+ is initially registered.
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external
+ account of the ACME server. If set, upon registration cert-manager
+ will attempt to associate the given external account credentials
+ with the registered ACME account.
+ description: keyAlgorithm is the MAC key algorithm that the
+ key is used for. Valid values are "HS256", "HS384" and "HS512".
+ description: keyID is the ID of the CA key that the External
+ description: keySecretRef is a Secret Key Selector referencing
+ a data item in a Kubernetes Secret which holds the symmetric
+ MAC key of the External Account Binding. The `key` is the
+ index string that is paired with the key data in the Secret
+ and should not be confused with the key data itself, or
+ indeed with the External Account Binding keyID above. The
+ secret key stored in the Secret **must** be un-padded, base64
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: PrivateKey is the name of a Kubernetes Secret resource
+ that will be used to store the automatically generated ACME
+ account private key. Optionally, a `key` may be specified to
+ select a specific entry within the named Secret resource. If
+ `key` is not specified, a default of `tls.key` will be used.
- description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
- containing the configuration for ACME-DNS servers
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderAkamai is a structure
- containing the DNS configuration for Akamai DNS—Zone
- - clientSecretSecretRef
- - serviceConsumerDomain
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderAzureDNS is a structure
- containing the configuration for Azure DNS
- description: if both this and ClientSecret are left
- description: if both this and ClientID are left unset
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- - AzureUSGovernmentCloud
- description: when specifying ClientID and ClientSecret
- then this field is also needed
- description: ACMEIssuerDNS01ProviderCloudDNS is a structure
- containing the DNS configuration for Google Cloud DNS
- serviceAccountSecretRef:
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderCloudflare is a structure
- containing the DNS configuration for Cloudflare
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: CNAMEStrategy configures how the DNS01 provider
- should handle CNAME records when found in DNS zones.
- description: ACMEIssuerDNS01ProviderDigitalOcean is a
- structure containing the DNS configuration for DigitalOcean
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderRFC2136 is a structure
- containing the configuration for RFC2136 DNS
- description: The IP address or hostname of an authoritative
- DNS server supporting RFC2136 in the form host:port.
- If the host is an IPv6 address it must be enclosed
- in square brackets (e.g [2001:db8::1])Â ; port is
- optional. This field is required.
- description: 'The TSIG Algorithm configured in the
- DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
- and ``tsigKeyName`` are defined. Supported values
- are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
- ``HMACSHA256`` or ``HMACSHA512``.'
- description: The TSIG Key name configured in the DNS.
- If ``tsigSecretSecretRef`` is defined, this field
- description: The name of the secret containing the
- TSIG value. If ``tsigKeyName`` is defined, this
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderRoute53 is a structure
- containing the Route 53 configuration for AWS
- description: 'The AccessKeyID is used for authentication.
- If not set we fall-back to using env vars, shared
- credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- description: If set, the provider will manage only
- this zone in Route53 and will not do an lookup using
- the route53:ListHostedZonesByName api call.
- description: Always set the region when using AccessKeyID
- description: Role is a Role ARN which the Route53
- provider will assume using either the explicit credentials
- AccessKeyID/SecretAccessKey or the inferred credentials
- from environment variables, shared credentials file
- or AWS Instance metadata
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication.
- If not set we fall-back to using env vars, shared
- credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- description: The key of the secret to select from.
- Must be a valid secret key.
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind,
- description: ACMEIssuerDNS01ProviderWebhook specifies
- configuration for a webhook DNS01 provider, including
- where to POST ChallengePayload resources.
- description: Additional configuration that should
- be passed to the webhook apiserver when challenges
- are processed. This can contain arbitrary JSON data.
- Secret values should not be specified in this stanza.
- If secret values are needed (e.g. credentials for
- a DNS service), you should use a SecretKeySelector
- to reference a Secret resource. For details on the
- schema of this field, consult the webhook provider
- implementation's documentation.
- x-kubernetes-preserve-unknown-fields: true
- description: The API group name that should be used
- when POSTing ChallengePayload resources to the webhook
- apiserver. This should be the same as the GroupName
- specified in the webhook provider implementation.
- description: The name of the solver to use, as defined
- in the webhook provider implementation. This will
- typically be the name of the provider, e.g. 'cloudflare'.
- description: ACMEChallengeSolverHTTP01 contains configuration
- detailing how to solve HTTP01 challenges within a Kubernetes
- cluster. Typically this is accomplished through creating
- 'routes' of some description that configure ingress controllers
- to direct traffic to 'solver pods', which are responsible
- for responding to the ACME server's HTTP requests.
- description: The ingress based HTTP01 challenge solver
- will solve challenges by creating or modifying Ingress
- resources in order to route requests for '/.well-known/acme-challenge/XYZ'
- to 'challenge solver' pods that are provisioned by cert-manager
- for each Challenge to be completed.
- description: The ingress class to use when creating
- Ingress resources to solve ACME challenges that
- use this challenge solver. Only one of 'class' or
- 'name' may be specified.
- description: Optional ingress template used to configure
- the ACME challenge solver ingress used for HTTP01
- description: ObjectMeta overrides for the ingress
- used to solve HTTP01 challenges. Only the 'labels'
- and 'annotations' fields may be set. If labels
- or annotations overlap with in-built values,
- the values here will override the in-built values.
- description: Annotations that should be added
- to the created ACME HTTP01 solver ingress.
- description: Labels that should be added to
- the created ACME HTTP01 solver ingress.
- description: The name of the ingress resource that
- should have ACME challenge solving routes inserted
- into it in order to solve HTTP01 challenges. This
- is typically used in conjunction with ingress controllers
- like ingress-gce, which maintains a 1:1 mapping
- between external IPs and ingress resources.
- description: Optional pod template used to configure
- the ACME challenge solver pods used for HTTP01 challenges
- description: ObjectMeta overrides for the pod
- used to solve HTTP01 challenges. Only the 'labels'
- and 'annotations' fields may be set. If labels
- or annotations overlap with in-built values,
- the values here will override the in-built values.
- description: Annotations that should be added
- to the create ACME HTTP01 solver pods.
- description: Labels that should be added to
- the created ACME HTTP01 solver pods.
- description: PodSpec defines overrides for the
- HTTP01 challenge solver pod. Only the 'nodeSelector',
- 'affinity' and 'tolerations' fields are supported
- currently. All other fields will be ignored.
- description: If specified, the pod's scheduling
- description: Describes node affinity scheduling
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer
- to schedule pods to nodes that satisfy
- the affinity expressions specified
- by this field, but it may choose
- a node that violates one or more
- of the expressions. The node that
- is most preferred is the one with
- the greatest sum of weights, i.e.
- for each node that meets all of
- the scheduling requirements (resource
- request, requiredDuringScheduling
- affinity expressions, etc.), compute
- a sum by iterating through the elements
- of this field and adding "weight"
- to the sum if the node matches the
- corresponding matchExpressions;
- the node(s) with the highest sum
- are the most preferred.
- description: An empty preferred
- scheduling term matches all objects
- with implicit weight 0 (i.e. it's
- a no-op). A null preferred scheduling
- term matches no objects (i.e.
- description: A node selector
- term, associated with the
- description: A list of node
- description: A node selector
- requirement is a selector
- description: Represents
- is Exists or DoesNotExist,
- which will be interpreted
- description: A list of node
- description: A node selector
- requirement is a selector
- description: Represents
- is Exists or DoesNotExist,
- which will be interpreted
- description: Weight associated
- with matching the corresponding
- nodeSelectorTerm, in the range
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not
- met at scheduling time, the pod
- will not be scheduled onto the node.
- If the affinity requirements specified
- by this field cease to be met at
- some point during pod execution
- (e.g. due to an update), the system
- may or may not try to eventually
- evict the pod from its node.
- description: Required. A list
- of node selector terms. The
- description: A null or empty
- node selector term matches
- no objects. The requirements
- of them are ANDed. The TopologySelectorTerm
- type implements a subset of
- description: A list of node
- description: A node selector
- requirement is a selector
- description: Represents
- is Exists or DoesNotExist,
- which will be interpreted
- description: A list of node
- description: A node selector
- requirement is a selector
- description: Represents
- is Exists or DoesNotExist,
- which will be interpreted
- description: Describes pod affinity scheduling
- rules (e.g. co-locate this pod in the
- same node, zone, etc. as some other
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer
- to schedule pods to nodes that satisfy
- the affinity expressions specified
- by this field, but it may choose
- a node that violates one or more
- of the expressions. The node that
- is most preferred is the one with
- the greatest sum of weights, i.e.
- for each node that meets all of
- the scheduling requirements (resource
- request, requiredDuringScheduling
- affinity expressions, etc.), compute
- a sum by iterating through the elements
- of this field and adding "weight"
- to the sum if the node has pods
- which matches the corresponding
- podAffinityTerm; the node(s) with
- the highest sum are the most preferred.
- description: The weights of all
- of the matched WeightedPodAffinityTerm
- fields are added per-node to find
- the most preferred node(s)
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field may
+ be defaulted, in others it may be required.
+ description: 'Name of the resource being referred to. More
+ info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: 'Server is the URL used to access the ACME server''s
+ ''directory'' endpoint. For example, for Let''s Encrypt''s staging
+ endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
+ Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+ description: Enables or disables validation of the ACME server
+ TLS certificate. If true, requests to the ACME server will not
+ have their TLS certificate validated (i.e. insecure connections
+ will be allowed). Only enable this option in development environments.
+ The cert-manager system installed roots will be used to verify
+ connections to the ACME server if this is false. Defaults to
+ description: 'Solvers is a list of challenge solvers that will
+ be used to solve ACME challenges for the matching domains. Solver
+ configurations must be provided in order to obtain certificates
+ from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+ description: Configures an issuer to solve challenges using
+ the specified options. Only one of HTTP01 or DNS01 may be
+ description: Configures cert-manager to attempt to complete
+ authorizations by performing the DNS01 challenge flow.
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
+ API to manage DNS01 challenge records.
+ description: A reference to a specific 'key' within
+ a Secret resource. In some instances, `key` is
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: Use the Akamai DNS zone management API
+ to manage DNS01 challenge records.
+ - clientSecretSecretRef
+ - serviceConsumerDomain
+ description: A reference to a specific 'key' within
+ a Secret resource. In some instances, `key` is
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: A reference to a specific 'key' within
+ a Secret resource. In some instances, `key` is
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: A reference to a specific 'key' within
+ a Secret resource. In some instances, `key` is
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: Use the Microsoft Azure DNS API to manage
+ DNS01 challenge records.
+ description: if both this and ClientSecret are left
+ description: if both this and ClientID are left
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ - AzureUSGovernmentCloud
+ description: when specifying ClientID and ClientSecret
+ then this field is also needed
+ description: Use the Google Cloud DNS API to manage
+ DNS01 challenge records.
+ description: HostedZoneName is an optional field
+ that tells cert-manager in which Cloud DNS zone
+ the challenge record has to be created. If left
+ empty cert-manager will automatically choose a
+ serviceAccountSecretRef:
+ description: A reference to a specific 'key' within
+ a Secret resource. In some instances, `key` is
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: Use the Cloudflare API to manage DNS01
+ description: 'API key to use to authenticate with
+ Cloudflare. Note: using an API token to authenticate
+ is now the recommended method as it allows greater
+ control of permissions.'
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: API token used to authenticate with
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: Email of the account, only required
+ when using API key based authentication.
+ description: CNAMEStrategy configures how the DNS01
+ provider should handle CNAME records when found in
+ description: Use the DigitalOcean DNS API to manage
+ DNS01 challenge records.
+ description: A reference to a specific 'key' within
+ a Secret resource. In some instances, `key` is
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: Use RFC2136 ("Dynamic Updates in the Domain
+ Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+ to manage DNS01 challenge records.
+ description: The IP address or hostname of an authoritative
+ DNS server supporting RFC2136 in the form host:port.
+ If the host is an IPv6 address it must be enclosed
+ in square brackets (e.g [2001:db8::1])Â ; port
+ is optional. This field is required.
+ description: 'The TSIG Algorithm configured in the
+ DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+ and ``tsigKeyName`` are defined. Supported values
+ are (case-insensitive): ``HMACMD5`` (default),
+ ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+ description: The TSIG Key name configured in the
+ DNS. If ``tsigSecretSecretRef`` is defined, this
+ description: The name of the secret containing the
+ TSIG value. If ``tsigKeyName`` is defined, this
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: Use the AWS Route53 API to manage DNS01
+ description: 'The AccessKeyID is used for authentication.
+ If not set we fall-back to using env vars, shared
+ credentials file or AWS Instance metadata see:
+ https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ description: If set, the provider will manage only
+ this zone in Route53 and will not do an lookup
+ using the route53:ListHostedZonesByName api call.
+ description: Always set the region when using AccessKeyID
+ description: Role is a Role ARN which the Route53
+ provider will assume using either the explicit
+ credentials AccessKeyID/SecretAccessKey or the
+ inferred credentials from environment variables,
+ shared credentials file or AWS Instance metadata
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication.
+ If not set we fall-back to using env vars, shared
+ credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ description: The key of the entry in the Secret
+ resource's `data` field to be used. Some instances
+ of this field may be defaulted, in others
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: Configure an external webhook based DNS01
+ challenge solver to manage DNS01 challenge records.
+ description: Additional configuration that should
+ be passed to the webhook apiserver when challenges
+ are processed. This can contain arbitrary JSON
+ data. Secret values should not be specified in
+ this stanza. If secret values are needed (e.g.
+ credentials for a DNS service), you should use
+ a SecretKeySelector to reference a Secret resource.
+ For details on the schema of this field, consult
+ the webhook provider implementation's documentation.
+ x-kubernetes-preserve-unknown-fields: true
+ description: The API group name that should be used
+ when POSTing ChallengePayload resources to the
+ webhook apiserver.
This should be the same as
+ the GroupName specified in the webhook provider
+ description: The name of the solver to use, as defined
+ in the webhook provider implementation. This will
+ typically be the name of the provider, e.g. 'cloudflare'.
+ description: Configures cert-manager to attempt to complete
+ authorizations by performing the HTTP01 challenge flow.
+ It is not possible to obtain certificates for wildcard
+ domain names (e.g. `*.example.com`) using the HTTP01 challenge
+ description: The ingress based HTTP01 challenge solver
+ will solve challenges by creating or modifying Ingress
+ resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+ to 'challenge solver' pods that are provisioned by
+ cert-manager for each Challenge to be completed.
+ description: The ingress class to use when creating
+ Ingress resources to solve ACME challenges that
+ use this challenge solver. Only one of 'class'
+ or 'name' may be specified.
+ description: Optional ingress template used to configure
+ the ACME challenge solver ingress used for HTTP01
+ description: ObjectMeta overrides for the ingress
+ used to solve HTTP01 challenges. Only the
+ 'labels' and 'annotations' fields may be set.
+ If labels or annotations overlap with in-built
+ values, the values here will override the
+ description: Annotations that should be
+ added to the created ACME HTTP01 solver
+ description: Labels that should be added
+ to the created ACME HTTP01 solver ingress.
+ description: The name of the ingress resource that
+ should have ACME challenge solving routes inserted
+ into it in order to solve HTTP01 challenges. This
+ is typically used in conjunction with ingress
+ controllers like ingress-gce, which maintains
+ a 1:1 mapping between external IPs and ingress
+ description: Optional pod template used to configure
+ the ACME challenge solver pods used for HTTP01
+ description: ObjectMeta overrides for the pod
+ used to solve HTTP01 challenges.
Only the
+ 'labels' and 'annotations' fields may be set.
+ If labels or annotations overlap with in-built
+ values, the values here will override the
+ description: Annotations that should be
+ added to the create ACME HTTP01 solver
+ description: Labels that should be added
+ to the created ACME HTTP01 solver pods.
+ description: PodSpec defines overrides for the
+ HTTP01 challenge solver pod. Only the 'nodeSelector',
+ 'affinity' and 'tolerations' fields are supported
+ currently. All other fields will be ignored.
+ description: If specified, the pod's scheduling
+ description: Describes node affinity
+ scheduling rules for the pod.
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will
+ prefer to schedule pods to nodes
+ that satisfy the affinity expressions
+ specified by this field, but it
+ may choose a node that violates
+ one or more of the expressions.
+ The node that is most preferred
+ is the one with the greatest sum
+ of weights, i.e. for each node
+ that meets all of the scheduling
+ requirements (resource request,
+ requiredDuringScheduling affinity
+ expressions, etc.), compute a
+ sum by iterating through the elements
+ of this field and adding "weight"
+ to the sum if the node matches
+ the corresponding matchExpressions;
+ the node(s) with the highest sum
+ are the most preferred.
+ description: An empty preferred
+ scheduling term matches all
+ objects with implicit weight
+ 0 (i.e. it's a no-op). A null
+ preferred scheduling term matches
+ no objects (i.e. is also a no-op).
+ description: A node selector + term, associated with the + node selector requirements + description: Represents + is Exists or DoesNotExist, + node selector requirements + description: Represents + is Exists or DoesNotExist, + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the
- description: Required. A pod
- affinity term, associated
- with the corresponding weight.
- description: A label query
- over a set of resources,
- description: matchExpressions
+ description: Required. A list + of node selector terms. The + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + node selector requirements + description: Represents + is Exists or DoesNotExist,
- description: matchLabels
- is a map of {key,value}
- pairs. A single {key,value}
- to an element of matchExpressions,
- is "In", and the values
- "value". The requirements
+ node selector requirements
- description: namespaces
- specifies which namespaces
- the labelSelector applies
- null or empty list means
- description: This pod should
- be co-located (affinity)
- or not co-located (anti-affinity)
- the labelSelector in the
- where co-located is defined
- as running on a node whose
- value of the label with
- key topologyKey matches
- that of any node on which
- any of the selected pods
- is running. Empty topologyKey
+ description: Represents + is Exists or DoesNotExist, + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources, + description: matchExpressions + description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. 
due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means
- description: weight associated
- with matching the corresponding
- podAffinityTerm, in the range
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not
- met at scheduling time, the pod
- will not be scheduled onto the node.
- If the affinity requirements specified
- by this field cease to be met at
- some point during pod execution
- (e.g. due to a pod label update),
- the system may or may not try to
- eventually evict the pod from its
- node. When there are multiple elements,
- the lists of nodes corresponding
- to each podAffinityTerm are intersected,
- i.e. all terms must be satisfied.
- description: Defines a set of pods
- (namely those matching the labelSelector
- relative to the given namespace(s))
- that this pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with, where co-located is defined
- as running on a node whose value
- of the label with key <topologyKey>
- matches that of any node on which
- a pod of the set of pods is running
- description: A label query over
- a set of resources, in this
- description: matchExpressions
- is a list of label selector
- requirements. The requirements
- description: A label selector
- requirement is a selector
+ description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + description: Required. A pod + affinity term, associated + with the corresponding weight. + description: A label query + over a set of resources,
- values. If the operator
- is Exists or DoesNotExist,
+ description: matchExpressions
- description: matchLabels
- is a map of {key,value}
- pairs. A single {key,value}
- is equivalent to an element
- of matchExpressions, whose
- key field is "key", the
- the values array contains
- only "value". The requirements
- description: namespaces specifies
- which namespaces the labelSelector
- applies to (matches against);
- null or empty list means "this
+ description: matchLabels + is a map of {key,value} + an element of matchExpressions, + description: namespaces + specifies which namespaces + the labelSelector applies + null or empty list means + (affinity) or not co-located + the label with key topologyKey + running. Empty topologyKey + description: weight associated + with matching the corresponding + podAffinityTerm, in the + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key <topologyKey> + matches that of any node on + which a pod of the set of pods + description: A label query + over a set of resources, + description: matchExpressions + is a list of label selector + requirements. The requirements + Exists and DoesNotExist. + is Exists or DoesNotExist, + description: matchLabels + is a map of {key,value} + pairs. 
A single {key,value} + element of matchExpressions, + whose key field is "key", + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey
- description: This pod should
- be co-located (affinity) or
- not co-located (anti-affinity)
- with the pods matching the
- labelSelector in the specified
- namespaces, where co-located
- is defined as running on a
- node whose value of the label
- with key topologyKey matches
- that of any node on which
- any of the selected pods is
- running. Empty topologyKey
- description: Describes pod anti-affinity
- scheduling rules (e.g. avoid putting
- this pod in the same node, zone, etc.
+ description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: If specified, the pod's tolerations. + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple <key,value,effect> + using the matching operator <operator>. - preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer
- to schedule pods to nodes that satisfy
- the anti-affinity expressions specified
- by this field, but it may choose
- a node that violates one or more
- of the expressions. The node that
- is most preferred is the one with
- the greatest sum of weights, i.e.
- for each node that meets all of
- the scheduling requirements (resource
- request, requiredDuringScheduling
- anti-affinity expressions, etc.),
- compute a sum by iterating through
- the elements of this field and adding
- "weight" to the sum if the node
- has pods which matches the corresponding
- podAffinityTerm; the node(s) with
- the highest sum are the most preferred.
- description: The weights of all
- of the matched WeightedPodAffinityTerm
- fields are added per-node to find
- the most preferred node(s)
- description: Required. A pod
- affinity term, associated
- with the corresponding weight.
- description: A label query
- over a set of resources,
- description: matchExpressions
+ description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + description: Optional service type for Kubernetes + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + description: List of DNSZones that this solver will + be used to solve. 
The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + description: A label selector that is used to refine + the set of certificate's that this challenge solver + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + description: Auth configures how cert-manager authenticates with + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. 
+ description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: TokenSecretRef authenticates with Vault by presenting + description: The key of the entry in the Secret resource's + `data` field to be used. 
Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. 
+ description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + description: Status of the Issuer. This is set and managed automatically. + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + description: IssuerCondition contains condition information for + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the + details of the last transition, complementing reason. + description: Reason is a brief machine readable explanation + for the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, known values are ('Ready'). + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. 
It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: Desired state of the Issuer resource. + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. 
The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. 
Defaults to + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + - clientSecretSecretRef + - serviceConsumerDomain + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + description: if both this and ClientSecret are left + description: if both this and ClientID are left + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + - AzureUSGovernmentCloud + description: when specifying ClientID and ClientSecret + then this field is also needed + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the Cloudflare API to manage DNS01 + description: 'API key to use to authenticate with + Cloudflare. 
Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: API token used to authenticate with + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Email of the account, only required + when using API key based authentication. + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1])Â ; port + is optional. This field is required. + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. 
Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: Use the AWS Route53 API to manage DNS01 + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + description: Always set the region when using AccessKeyID + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + description: 'Name of the resource being referred + to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: Configure an external webhook based DNS01
+ challenge solver to manage DNS01 challenge records.
+ description: Additional configuration that should
+ be passed to the webhook apiserver when challenges
+ are processed. This can contain arbitrary JSON
+ data. Secret values should not be specified in
+ this stanza. If secret values are needed (e.g.
+ credentials for a DNS service), you should use
+ a SecretKeySelector to reference a Secret resource.
+ For details on the schema of this field, consult
+ the webhook provider implementation's documentation.
+ x-kubernetes-preserve-unknown-fields: true
+ description: The API group name that should be used
+ when POSTing ChallengePayload resources to the
+ webhook apiserver. This should be the same as
+ the GroupName specified in the webhook provider
+ description: The name of the solver to use, as defined
+ in the webhook provider implementation. This will
+ typically be the name of the provider, e.g. 'cloudflare'.
+ description: Configures cert-manager to attempt to complete
+ authorizations by performing the HTTP01 challenge flow.
+ It is not possible to obtain certificates for wildcard
+ domain names (e.g. `*.example.com`) using the HTTP01 challenge
+ description: The ingress based HTTP01 challenge solver
+ will solve challenges by creating or modifying Ingress
+ resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+ to 'challenge solver' pods that are provisioned by
+ cert-manager for each Challenge to be completed.
+ description: The ingress class to use when creating
+ Ingress resources to solve ACME challenges that
+ use this challenge solver. Only one of 'class'
+ or 'name' may be specified.
+ description: Optional ingress template used to configure
+ the ACME challenge solver ingress used for HTTP01
+ description: ObjectMeta overrides for the ingress
+ used to solve HTTP01 challenges. 
Only the
+ 'labels' and 'annotations' fields may be set.
+ If labels or annotations overlap with in-built
+ values, the values here will override the
+ description: Annotations that should be
+ added to the created ACME HTTP01 solver
+ description: Labels that should be added
+ to the created ACME HTTP01 solver ingress.
+ description: The name of the ingress resource that
+ should have ACME challenge solving routes inserted
+ into it in order to solve HTTP01 challenges. This
+ is typically used in conjunction with ingress
+ controllers like ingress-gce, which maintains
+ a 1:1 mapping between external IPs and ingress
+ description: Optional pod template used to configure
+ the ACME challenge solver pods used for HTTP01
+ description: ObjectMeta overrides for the pod
+ used to solve HTTP01 challenges. Only the
+ 'labels' and 'annotations' fields may be set.
+ If labels or annotations overlap with in-built
+ values, the values here will override the
+ description: Annotations that should be
+ added to the create ACME HTTP01 solver
+ description: Labels that should be added
+ to the created ACME HTTP01 solver pods.
+ description: PodSpec defines overrides for the
+ HTTP01 challenge solver pod. Only the 'nodeSelector',
+ 'affinity' and 'tolerations' fields are supported
+ currently. All other fields will be ignored.
+ description: If specified, the pod's scheduling
+ description: Describes node affinity
+ scheduling rules for the pod.
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will
+ prefer to schedule pods to nodes
+ that satisfy the affinity expressions
+ specified by this field, but it
+ may choose a node that violates
+ one or more of the expressions.
+ The node that is most preferred
+ is the one with the greatest sum
+ of weights, i.e. 
for each node
+ that meets all of the scheduling
+ requirements (resource request,
+ requiredDuringScheduling affinity
+ expressions, etc.), compute a
+ sum by iterating through the elements
+ of this field and adding "weight"
+ to the sum if the node matches
+ the corresponding matchExpressions;
+ the node(s) with the highest sum
+ are the most preferred.
+ description: An empty preferred
+ scheduling term matches all
+ objects with implicit weight
+ 0 (i.e. it's a no-op). A null
+ preferred scheduling term matches
+ no objects (i.e. is also a no-op).
+ description: A node selector
+ term, associated with the
+ node selector requirements
+ description: Represents
+ is Exists or DoesNotExist,
- description: matchLabels
- is a map of {key,value}
- pairs. A single {key,value}
- to an element of matchExpressions,
- is "In", and the values
- "value". The requirements
+ node selector requirements
- description: namespaces
- specifies which namespaces
- the labelSelector applies
- null or empty list means
- description: This pod should
- be co-located (affinity)
- or not co-located (anti-affinity)
- the labelSelector in the
- where co-located is defined
- as running on a node whose
- value of the label with
- key topologyKey matches
- that of any node on which
- any of the selected pods
- is running. Empty topologyKey
- description: weight associated
- with matching the corresponding
- podAffinityTerm, in the range
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the anti-affinity
- requirements specified by this field
- are not met at scheduling time,
- the pod will not be scheduled onto
- the node. If the anti-affinity requirements
- specified by this field cease to
- be met at some point during pod
- execution (e.g. due to a pod label
- update), the system may or may not
- try to eventually evict the pod
- from its node. When there are multiple
- elements, the lists of nodes corresponding
- to each podAffinityTerm are intersected,
- i.e. all terms must be satisfied.
- description: Defines a set of pods
- (namely those matching the labelSelector
- relative to the given namespace(s))
- that this pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with, where co-located is defined
- as running on a node whose value
- of the label with key <topologyKey>
- matches that of any node on which
- a pod of the set of pods is running
+ description: Represents
+ is Exists or DoesNotExist,
+ description: Weight associated
+ with matching the corresponding
+ nodeSelectorTerm, in the
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the affinity requirements
+ specified by this field are not
+ met at scheduling time, the pod
+ will not be scheduled onto the
+ node. If the affinity requirements
+ specified by this field cease
+ to be met at some point during
+ pod execution (e.g. due to an
+ update), the system may or may
+ not try to eventually evict the
- description: A label query over
- a set of resources, in this
- description: matchExpressions
- is a list of label selector
- requirements. The requirements
- description: A label selector
- requirement is a selector
- values. If the operator
- is Exists or DoesNotExist,
- description: matchLabels
- is a map of {key,value}
- pairs. A single {key,value}
- is equivalent to an element
- of matchExpressions, whose
- key field is "key", the
- the values array contains
- only "value". The requirements
- description: namespaces specifies
- which namespaces the labelSelector
- applies to (matches against);
- null or empty list means "this
+ description: Required. A list
+ of node selector terms. The
+ description: A null or empty
+ node selector term matches
+ no objects. The requirements
+ of them are ANDed. The TopologySelectorTerm
+ type implements a subset
+ of the NodeSelectorTerm.
+ node selector requirements
+ description: Represents
+ is Exists or DoesNotExist,
+ node selector requirements
+ description: Represents
+ is Exists or DoesNotExist,
+ description: Describes pod affinity
+ scheduling rules (e.g. co-locate this
+ pod in the same node, zone, etc. as
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will
+ prefer to schedule pods to nodes
+ that satisfy the affinity expressions
+ specified by this field, but it
+ may choose a node that violates
+ one or more of the expressions.
+ The node that is most preferred
+ is the one with the greatest sum
+ of weights, i.e. for each node
+ that meets all of the scheduling
+ requirements (resource request,
+ requiredDuringScheduling affinity
+ expressions, etc.), compute a
+ sum by iterating through the elements
+ of this field and adding "weight"
+ to the sum if the node has pods
+ which matches the corresponding
+ podAffinityTerm; the node(s) with
+ the highest sum are the most preferred.
+ description: The weights of all
+ of the matched WeightedPodAffinityTerm
+ fields are added per-node to
+ find the most preferred node(s)
+ description: Required. A pod
+ affinity term, associated
+ with the corresponding weight.
+ description: A label query
+ over a set of resources,
+ description: matchExpressions
+ description: matchLabels
+ is a map of {key,value}
+ an element of matchExpressions,
+ description: namespaces
+ specifies which namespaces
+ the labelSelector applies
+ null or empty list means
+ (affinity) or not co-located
+ the label with key topologyKey
+ running. 
Empty topologyKey
+ description: weight associated
+ with matching the corresponding
+ podAffinityTerm, in the
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the affinity requirements
+ specified by this field are not
+ met at scheduling time, the pod
+ will not be scheduled onto the
+ node. If the affinity requirements
+ specified by this field cease
+ to be met at some point during
+ pod execution (e.g. due to a pod
+ label update), the system may
+ or may not try to eventually evict
+ the pod from its node. When there
+ are multiple elements, the lists
+ of nodes corresponding to each
+ podAffinityTerm are intersected,
+ i.e. all terms must be satisfied.
+ description: Defines a set of
+ pods (namely those matching
+ the labelSelector relative to
+ the given namespace(s)) that
+ this pod should be co-located
+ (affinity) or not co-located
+ (anti-affinity) with, where
+ co-located is defined as running
+ on a node whose value of the
+ label with key <topologyKey>
+ matches that of any node on
+ which a pod of the set of pods
+ description: A label query
+ over a set of resources,
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ Exists and DoesNotExist.
+ is Exists or DoesNotExist,
+ description: matchLabels
+ is a map of {key,value}
+ pairs. A single {key,value}
+ element of matchExpressions,
+ whose key field is "key",
+ description: namespaces specifies
+ which namespaces the labelSelector
+ applies to (matches against);
+ null or empty list means
+ description: This pod should
+ be co-located (affinity)
+ or not co-located (anti-affinity)
+ with the pods matching the
+ labelSelector in the specified
+ namespaces, where co-located
+ is defined as running on
+ a node whose value of the
+ label with key topologyKey
+ matches that of any node
+ on which any of the selected
+ pods is running. Empty topologyKey
- description: This pod should
- be co-located (affinity) or
- not co-located (anti-affinity)
- with the pods matching the
- labelSelector in the specified
- namespaces, where co-located
- is defined as running on a
- node whose value of the label
- with key topologyKey matches
- that of any node on which
- any of the selected pods is
- running. Empty topologyKey
- description: 'NodeSelector is a selector which
- must be true for the pod to fit on a node.
- Selector which must match a node''s labels
- for the pod to be scheduled on that node.
- More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- description: If specified, the pod's tolerations.
- description: The pod this Toleration is
- attached to tolerates any taint that matches
- the triple <key,value,effect> using the
- matching operator <operator>.
+ description: Describes pod anti-affinity
+ scheduling rules (e.g. avoid putting
+ this pod in the same node, zone, etc.
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will
+ prefer to schedule pods to nodes
+ that satisfy the anti-affinity
+ expressions specified by this
+ field, but it may choose a node
+ that violates one or more of the
+ expressions. The node that is
+ most preferred is the one with
+ the greatest sum of weights, i.e.
+ for each node that meets all of
+ the scheduling requirements (resource
+ request, requiredDuringScheduling
+ anti-affinity expressions, etc.),
+ compute a sum by iterating through
+ the elements of this field and
+ adding "weight" to the sum if
+ the node has pods which matches
+ the corresponding podAffinityTerm;
+ the node(s) with the highest sum
+ are the most preferred.
+ description: The weights of all
+ of the matched WeightedPodAffinityTerm
+ fields are added per-node to
+ find the most preferred node(s)
+ description: Required. A pod
+ affinity term, associated
+ with the corresponding weight.
+ description: A label query
+ over a set of resources,
+ description: matchExpressions
+ description: matchLabels
+ is a map of {key,value}
+ an element of matchExpressions,
+ description: namespaces
+ specifies which namespaces
+ the labelSelector applies
+ null or empty list means
+ (affinity) or not co-located
+ the label with key topologyKey
+ running. Empty topologyKey
+ description: weight associated
+ with matching the corresponding
+ podAffinityTerm, in the
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the anti-affinity
+ requirements specified by this
+ field are not met at scheduling
+ time, the pod will not be scheduled
+ onto the node. If the anti-affinity
+ requirements specified by this
+ field cease to be met at some
+ point during pod execution (e.g.
+ due to a pod label update), the
+ system may or may not try to eventually
+ evict the pod from its node. 
When
+ there are multiple elements, the
+ lists of nodes corresponding to
+ each podAffinityTerm are intersected,
+ i.e. all terms must be satisfied.
+ description: Defines a set of
+ pods (namely those matching
+ the labelSelector relative to
+ the given namespace(s)) that
+ this pod should be co-located
+ (affinity) or not co-located
+ (anti-affinity) with, where
+ co-located is defined as running
+ on a node whose value of the
+ label with key <topologyKey>
+ matches that of any node on
+ which a pod of the set of pods
+ description: A label query
+ over a set of resources,
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ Exists and DoesNotExist.
+ is Exists or DoesNotExist,
+ description: matchLabels
+ is a map of {key,value}
+ pairs. A single {key,value}
+ element of matchExpressions,
+ whose key field is "key",
+ description: namespaces specifies
+ which namespaces the labelSelector
+ applies to (matches against);
+ null or empty list means
+ description: This pod should
+ be co-located (affinity)
+ or not co-located (anti-affinity)
+ with the pods matching the
+ labelSelector in the specified
+ namespaces, where co-located
+ is defined as running on
+ a node whose value of the
+ label with key topologyKey
+ matches that of any node
+ on which any of the selected
+ pods is running. Empty topologyKey
+ description: 'NodeSelector is a selector
+ which must be true for the pod to fit
+ on a node. Selector which must match a
+ node''s labels for the pod to be scheduled
+ on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- description: Effect indicates the taint
- effect to match. Empty means match
- all taint effects. When specified,
- allowed values are NoSchedule, PreferNoSchedule
- description: Key is the taint key that
- the toleration applies to. Empty means
- match all taint keys. If the key is
- empty, operator must be Exists; this
- combination means to match all values
- description: Operator represents a key's
- relationship to the value. Valid operators
- are Exists and Equal. Defaults to
- Equal. Exists is equivalent to wildcard
- for value, so that a pod can tolerate
- all taints of a particular category.
- description: TolerationSeconds represents
- the period of time the toleration
- (which must be of effect NoExecute,
- otherwise this field is ignored) tolerates
- the taint. By default, it is not set,
- which means tolerate the taint forever
- (do not evict). Zero and negative
- values will be treated as 0 (evict
- immediately) by the system.
- description: Value is the taint value
- the toleration matches to. If the
- operator is Exists, the value should
- be empty, otherwise just a regular
- description: Optional service type for Kubernetes
- description: Selector selects a set of DNSNames on the Certificate
- resource that should be solved using this challenge solver.
- description: List of DNSNames that this solver will be
- used to solve. If specified and a match is found, a
- dnsNames selector will take precedence over a dnsZones
- selector. If multiple solvers match with the same dnsNames
- value, the solver with the most matching labels in matchLabels
- will be selected. If neither has more matches, the solver
- defined earlier in the list will be selected.
- description: List of DNSZones that this solver will be
- used to solve. The most specific DNS zone match specified
- here will take precedence over other DNS zone matches,
- so a solver specifying sys.example.com will be selected
- over one specifying example.com for the domain www.sys.example.com.
- If multiple solvers match with the same dnsZones value,
- the solver with the most matching labels in matchLabels
- will be selected. If neither has more matches, the solver
- defined earlier in the list will be selected.
- description: A label selector that is used to refine the
- set of certificate's that this challenge solver will
+ description: If specified, the pod's tolerations.
+ description: The pod this Toleration is
+ attached to tolerates any taint that
+ matches the triple <key,value,effect>
+ using the matching operator <operator>.
+ description: Effect indicates the
+ taint effect to match. Empty means
+ match all taint effects. When specified,
+ allowed values are NoSchedule, PreferNoSchedule
+ description: Key is the taint key
+ that the toleration applies to.
+ Empty means match all taint keys.
+ If the key is empty, operator must
+ be Exists; this combination means
+ to match all values and all keys.
+ description: Operator represents a
+ key's relationship to the value.
+ Valid operators are Exists and Equal.
+ Defaults to Equal. Exists is equivalent
+ to wildcard for value, so that a
+ pod can tolerate all taints of a
+ description: TolerationSeconds represents
+ the period of time the toleration
+ (which must be of effect NoExecute,
+ otherwise this field is ignored)
+ tolerates the taint. By default,
+ it is not set, which means tolerate
+ the taint forever (do not evict).
+ Zero and negative values will be
+ treated as 0 (evict immediately)
+ description: Value is the taint value
+ the toleration matches to. If the
+ operator is Exists, the value should
+ be empty, otherwise just a regular
+ description: Optional service type for Kubernetes
+ description: Selector selects a set of DNSNames on the Certificate
+ resource that should be solved using this challenge solver.
+ If not specified, the solver will be treated as the 'default'
+ solver with the lowest priority, i.e. if any other solver
+ has a more specific match, it will be used instead.
+ description: List of DNSNames that this solver will
+ be used to solve. If specified and a match is found,
+ a dnsNames selector will take precedence over a dnsZones
+ selector. If multiple solvers match with the same
+ dnsNames value, the solver with the most matching
+ labels in matchLabels will be selected. 
If neither
+ has more matches, the solver defined earlier in the
+ description: List of DNSZones that this solver will
+ be used to solve. The most specific DNS zone match
+ specified here will take precedence over other DNS
+ zone matches, so a solver specifying sys.example.com
+ will be selected over one specifying example.com for
+ the domain www.sys.example.com. If multiple solvers
+ match with the same dnsZones value, the solver with
+ the most matching labels in matchLabels will be selected.
+ If neither has more matches, the solver defined earlier
+ in the list will be selected.
+ description: A label selector that is used to refine
+ the set of certificate's that this challenge solver
+ description: CA configures this issuer to sign certificates using
+ a signing CA keypair stored in a Secret resource. This is used to
+ build internal PKIs that are managed by cert-manager.
+ description: The CRL distribution points is an X.509 v3 certificate
+ extension which identifies the location of the CRL from which
+ the revocation of this certificate can be checked. If not set,
+ certificates will be issued without distribution points set.
+ description: SecretName is the name of the secret used to sign
+ Certificates issued by this Issuer.
+ description: SelfSigned configures this issuer to 'self sign' certificates
+ using the private key used to create the CertificateRequest object.
+ description: The CRL distribution points is an X.509 v3 certificate
+ extension which identifies the location of the CRL from which
+ the revocation of this certificate can be checked. If not set
+ certificate will be issued without CDP. Values are strings.
+ description: Vault configures this issuer to sign certificates using
+ a HashiCorp Vault PKI backend.
+ description: Auth configures how cert-manager authenticates with
+ description: AppRole authenticates with Vault using the App
+ Role auth mechanism, with the role and secret stored in
+ a Kubernetes Secret resource. 
+ description: 'Path where the App Role authentication backend
+ is mounted in Vault, e.g: "approle"'
+ description: RoleID configured in the App Role authentication
+ backend when setting up the authentication backend in
+ description: Reference to a key in a Secret that contains
+ the App Role secret used to authenticate with Vault.
+ The `key` field must be specified and denotes which
+ entry within the Secret resource is used as the app
- description: The CRL distribution points is an X.509 v3 certificate
- extension which identifies the location of the CRL from which
- the revocation of this certificate can be checked. If not set
- certificate will be issued without CDP. Values are strings.
- description: SecretName is the name of the secret used to sign Certificates
- description: The CRL distribution points is an X.509 v3 certificate
- extension which identifies the location of the CRL from which
- the revocation of this certificate can be checked. If not set
- certificate will be issued without CDP. Values are strings.
- description: Vault authentication
- description: This Secret contains a AppRole and Secret
- description: Where the authentication path is mounted in
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: This contains a Role and Secret with a ServiceAccount
- token to authenticate with vault.
- description: The Vault mountPath here is the mount path
- to use when authenticating with Vault. For example, setting
- a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
- to authenticate with Vault. If unspecified, the default
- value "/v1/auth/kubernetes" will be used.
- description: A required field containing the Vault Role
- to assume. A Role binds a Kubernetes ServiceAccount with
- a set of Vault policies.
- description: The required Secret field containing a Kubernetes
- ServiceAccount JWT used for authenticating with Vault.
- Use of 'ambient credentials' is not supported.
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: This Secret contains the Vault token key
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: Base64 encoded CA bundle to validate Vault server certificate.
- Only used if the Server URL is using HTTPS protocol. This parameter
- is ignored for plain HTTP protocol connection. If not set the
- system root certificates are used to validate the TLS connection.
- description: Vault URL path to the certificate role
- description: Server is the vault connection address
- description: VenafiIssuer describes issuer configuration details for
- description: Cloud specifies the Venafi cloud configuration settings.
- Only one of TPP or Cloud may be specified.
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: Kubernetes authenticates with Vault by passing
+ the ServiceAccount token stored in the named Secret resource
+ description: The Vault mountPath here is the mount path
+ to use when authenticating with Vault. For example,
+ setting a value to `/v1/auth/foo`, will use the path
+ `/v1/auth/foo/login` to authenticate with Vault. If
+ unspecified, the default value "/v1/auth/kubernetes"
+ description: A required field containing the Vault Role
+ to assume. A Role binds a Kubernetes ServiceAccount
+ with a set of Vault policies.
+ description: The required Secret field containing a Kubernetes
+ ServiceAccount JWT used for authenticating with Vault.
+ Use of 'ambient credentials' is not supported.
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this
+ field may be defaulted, in others it may be required.
+ description: 'Name of the resource being referred
+ to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: TokenSecretRef authenticates with Vault by presenting
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: PEM encoded CA bundle used to validate Vault server
+ certificate. Only used if the Server URL is using HTTPS protocol.
+ This parameter is ignored for plain HTTP protocol connection. 
+ If not set the system root certificates are used to validate
+ description: 'Path is the mount path of the Vault PKI backend''s
+ `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+ description: 'Server is the connection address for the Vault server,
+ e.g: "https://vault.example.com:8200".'
+ description: Venafi configures this issuer to sign certificates using
+ a Venafi TPP or Venafi Cloud policy zone.
+ description: Cloud specifies the Venafi cloud configuration settings.
+ Only one of TPP or Cloud may be specified.
+ description: APITokenSecretRef is a secret key selector for
+ the Venafi Cloud API token.
+ description: The key of the entry in the Secret resource's
+ `data` field to be used. Some instances of this field
+ may be defaulted, in others it may be required.
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: URL is the base URL for Venafi Cloud. Defaults
+ to "https://api.venafi.cloud/v1".
+ description: TPP specifies Trust Protection Platform configuration
+ settings. Only one of TPP or Cloud may be specified.
+ description: CABundle is a PEM encoded TLS certificate to
+ use to verify connections to the TPP instance. If specified,
+ system roots will not be used and the issuing CA for the
+ TPP instance must be verifiable using the provided root.
+ If not specified, the connection will be verified using
+ the cert-manager system root certificates.
+ description: CredentialsRef is a reference to a Secret containing
+ the username and password for the TPP server. The secret
+ must contain two keys, 'username' and 'password'.
+ description: 'Name of the resource being referred to.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: 'URL is the base URL for the vedsdk endpoint
+ of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' 
+ description: Zone is the Venafi Policy Zone to use for this issuer.
+ All requests made to the Venafi platform will be restricted
+ by the named zone policy. This field is required.
+ description: Status of the Issuer. This is set and managed automatically.
+ description: ACME specific status options. This field should only
+ be set if the Issuer is configured to use an ACME server to issue
+ description: LastRegisteredEmail is the email associated with
+ the latest registered ACME account, in order to track changes
+ made to registered account associated with the Issuer
+ description: URI is the unique account identifier, which can also
+ be used to retrieve account details from the CA
+ description: List of status conditions to indicate the status of a
+ CertificateRequest. Known condition types are `Ready`.
+ description: IssuerCondition contains condition information for
- description: APITokenSecretRef is a secret key selector for
- the Venafi Cloud API token.
- description: The key of the secret to select from. Must
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: URL is the base URL for Venafi Cloud
- description: TPP specifies Trust Protection Platform configuration
- settings. Only one of TPP or Cloud may be specified.
- description: CABundle is a PEM encoded TLS certificate to use
- to verify connections to the TPP instance. If specified, system
- roots will not be used and the issuing CA for the TPP instance
- must be verifiable using the provided root. If not specified,
- the connection will be verified using the cert-manager system
- description: CredentialsRef is a reference to a Secret containing
- the username and password for the TPP server. The secret must
- contain two keys, 'username' and 'password'.
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion, kind, uid?'
- description: URL is the base URL for the Venafi TPP instance
- description: Zone is the Venafi Policy Zone to use for this issuer.
- All requests made to the Venafi platform will be restricted by
- the named zone policy. This field is required.
- description: IssuerStatus contains status information about an Issuer
- description: LastRegisteredEmail is the email associated with the
- latest registered ACME account, in order to track changes made
- to registered account associated with the Issuer
- description: URI is the unique account identifier, which can also
- be used to retrieve account details from the CA
- description: IssuerCondition contains condition information for an
- description: LastTransitionTime is the timestamp corresponding
- to the last status change of this condition.
- description: Message is a human readable description of the details
- of the last transition, complementing reason.
- description: Reason is a brief machine readable explanation for
- the condition's last transition.
- description: Status of the condition, one of ('True', 'False',
- description: Type of the condition, currently ('Ready').
+ description: LastTransitionTime is the timestamp corresponding
+ to the last status change of this condition.
+ description: Message is a human readable description of the
+ details of the last transition, complementing reason.
+ description: Reason is a brief machine readable explanation
+ for the condition's last transition.
+ description: Status of the condition, one of ('True', 'False',
+ description: Type of the condition, known values are ('Ready').
 # Source: cert-manager/templates/templates.regular.out
apiVersion: apiextensions.k8s.io/v1beta1
@@ -6064,7 +17916,7 @@
app.kubernetes.io/name: 'cert-manager'
app.kubernetes.io/instance: 'cert-manager'
app.kubernetes.io/managed-by: 'Helm'
- helm.sh/chart: 'cert-manager-v0.15.2'
+ helm.sh/chart: 'cert-manager-v0.16.1'
additionalPrinterColumns:
- JSONPath: .status.state
@@ -6108,189 +17960,565 @@
+ description: Order is a type to represent an Order with an ACME server + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames`. + This field must match the corresponding field on the DER encoded + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR. + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. 
+ description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + description: Identifier is the DNS name to be validated as part + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + description: URL is the URL of the Authorization that must be + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. 
For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + description: Reason optionally provides more information about a why + the order is in the current state. + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set.
- description: Order is a type to represent an Order with an ACME server
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- description: CommonName is the common name as specified on the DER encoded
- CSR. If CommonName is not specified, the first DNSName specified will
- be used as the CommonName. At least one of CommonName or a DNSNames
- must be set. This field must match the corresponding field on the
- description: Certificate signing request bytes in DER encoding. This
- will be used when finalizing the order. This field must be set on
- description: DNSNames is a list of DNS names that should be included
- as part of the Order validation process. If CommonName is not specified,
- the first DNSName specified will be used as the CommonName. At least
- one of CommonName or a DNSNames must be set. This field must match
- the corresponding field on the DER encoded CSR.
- description: IssuerRef references a properly configured ACME-type Issuer
- which should be used to create this Order. If the Issuer does not
- exist, processing will be retried. If the Issuer is not an 'ACME'
- Issuer, an error will be returned and the Order will be marked as
+ description: Order is a type to represent an Order with an ACME server + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames`. + This field must match the corresponding field on the DER encoded + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR.
- description: Authorizations contains data returned from the ACME server
- on what authorizations must be completed in order to validate the
- DNS names specified on the Order.
- description: ACMEAuthorization contains data returned from the ACME
- server on an authorization that must be completed in order validate
- a DNS name on an ACME Order resource.
+ description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be
- description: Challenges specifies the challenge types offered
- by the ACME server. One of these challenge types will be selected
- when validating the DNS name and an appropriate Challenge resource
- will be created to perform the ACME challenge process.
- description: Challenge specifies a challenge offered by the
- ACME server for an Order. An appropriate Challenge resource
- can be created to perform the ACME challenge process.
- description: Token is the token that must be presented for
- this challenge. This is used to compute the 'key' that
- must also be presented.
- description: Type is the type of challenge being offered,
- description: URL is the URL of this challenge. It can be
- used to retrieve additional metadata about the Challenge
- description: Identifier is the DNS name to be validated as part
- description: InitialState is the initial state of the ACME authorization
- when first fetched from the ACME server. If an Authorization
- is already 'valid', the Order controller will not create a Challenge
- resource for the authorization. This will occur when working
- with an ACME server that enables 'authz reuse' (such as Let's
- Encrypt's production endpoint). If not set and 'identifier'
- is set, the state is assumed to be pending and a Challenge will
- description: URL is the URL of the Authorization that must be
- description: Wildcard will be true if this authorization is for
- a wildcard DNS name. If this is true, the identifier will be
- the *non-wildcard* version of the DNS name. For example, if
- '*.example.com' is the DNS name being validated, this field
- will be 'true' and the 'identifier' field will be 'example.com'.
- description: Certificate is a copy of the PEM encoded certificate for
- this Order. This field will be populated after the order has been
- successfully finalized with the ACME server, and the order has transitioned
- description: FailureTime stores the time that this order failed. This
- is used to influence garbage collection and back-off.
- description: FinalizeURL of the Order. This is used to obtain certificates
- for this order once it has been completed.
- description: Reason optionally provides more information about a why
- the order is in the current state.
- description: State contains the current state of this Order resource.
- States 'success' and 'expired' are 'final'
- description: URL of the Order. This will initially be empty when the
- resource is first created. The Order controller will populate this
- field when the Order is first processed. This field will be immutable
- after it is initially set.
+ description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + description: Identifier is the DNS name to be validated as part + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). 
If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + description: URL is the URL of the Authorization that must be + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + description: Reason optionally provides more information about a why + the order is in the current state. + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + description: Order is a type to represent an Order with an ACME server + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames`. + This field must match the corresponding field on the DER encoded + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR. + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be + description: Group of the resource being referred to. + description: Kind of the resource being referred to. + description: Name of the resource being referred to. + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. 
+ description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + description: Identifier is the DNS name to be validated as part + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + description: URL is the URL of the Authorization that must be + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. 
+ description: Reason optionally provides more information about a why + the order is in the current state. + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. @@ -6309,7 +18537,7 @@
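Review bot: The new `commonName` and `dnsNames` descriptions change the Order field contract — the removed text let a missing CommonName default to the first DNSName, while the new text says a `commonName`, if set, must also be present in `dnsNames` — so this upgrade may change how existing Order and Certificate resources are validated, which a description-only diff does not make obvious. Before applying, check that no existing Certificate sets a commonName that is absent from its dnsNames, and record the outcome with the upgrade. The `type` description still offers `'tls-sni-01'` as an example in the same sentence that states only `'http-01'` and `'dns-01'` are supported; since this is a vendored upstream manifest the wording fix belongs upstream, e.g. `e.g. 'http-01' or 'dns-01'. This is the raw value retrieved from the ACME server.`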
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1 # Source: cert-manager/templates/serviceaccount.yaml
@@ -6323,7 +18551,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1 # Source: cert-manager/templates/webhook-serviceaccount.yaml
@@ -6337,7 +18565,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1 # Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6350,7 +18578,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
@@ -6375,6 +18603,96 @@
verbs: ["get", "list", "watch", "update"]
# Source: cert-manager/templates/rbac.yaml
+# Issuer controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-issuers
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: "controller"
+ helm.sh/chart: cert-manager-v0.16.1
+ - apiGroups: ["cert-manager.io"]
+ resources: ["issuers", "issuers/status"]
+ - apiGroups: ["cert-manager.io"]
+ verbs: ["get", "list", "watch"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ verbs: ["create", "patch"]
+# Source: cert-manager/templates/rbac.yaml
+# ClusterIssuer controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-clusterissuers
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: "controller"
+ helm.sh/chart: cert-manager-v0.16.1
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers", "clusterissuers/status"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ verbs: ["create", "patch"]
+# Source: cert-manager/templates/rbac.yaml
+# Certificates controller role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-certificates
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: "controller"
+ helm.sh/chart: cert-manager-v0.16.1
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
+ verbs: ["get", "list", "watch"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates/finalizers", "certificaterequests/finalizers"]
+ - apiGroups: ["acme.cert-manager.io"]
+ verbs: ["create", "delete", "get", "list", "watch"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ verbs: ["create", "patch"]
+# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
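Review bot: The three controller ClusterRoles placed here (`cert-manager-controller-issuers`, `cert-manager-controller-clusterissuers`, `cert-manager-controller-certificates`) still declare `apiVersion: rbac.authorization.k8s.io/v1beta1`, while `cert-manager-view` in the same manifest uses `rbac.authorization.k8s.io/v1`; the v1beta1 RBAC API is deprecated in favour of v1, so this manifest stops applying on Kubernetes releases that no longer serve it unless a re-vendored upstream release moves every RBAC object to `rbac.authorization.k8s.io/v1`. The same applies to the ingress-shim role hunk and the ClusterRoleBinding hunk further down. The rules added here appear identical to the Certificates, Issuer and ClusterIssuer role blocks this commit deletes below, so this reads as a relocation rather than a new grant, but a text diff of reordered RBAC is not a reliable way to confirm that; a rendered-object comparison against the running cluster (e.g. `kubectl diff`) is the check I would want recorded with this upgrade.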
@@ -6386,7 +18704,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
@@ -6414,59 +18732,6 @@
verbs: ["create", "patch"]
# Source: cert-manager/templates/rbac.yaml
-# ingress-shim controller role
-apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-ingress-shim
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests"]
- verbs: ["create", "update", "delete"]
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- # admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["extensions"]
- resources: ["ingresses/finalizers"]
- verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
- name: cert-manager-view
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests", "issuers"]
- verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6478,7 +18743,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1 # Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
@@ -6525,58 +18790,57 @@
verbs: ["get", "list", "watch"]
# Source: cert-manager/templates/rbac.yaml
-# Issuer controller role
+# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-issuers
+ name: cert-manager-controller-ingress-shim
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
- apiGroups: ["cert-manager.io"]
- resources: ["issuers", "issuers/status"]
+ resources: ["certificates", "certificaterequests"]
+ verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["extensions"]
+ resources: ["ingresses/finalizers"]
verbs: ["create", "patch"]
# Source: cert-manager/templates/rbac.yaml
-# ClusterIssuer controller role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
- name: cert-manager-controller-clusterissuers
+ name: cert-manager-view
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
- apiGroups: ["cert-manager.io"]
- resources: ["clusterissuers", "clusterissuers/status"]
- - apiGroups: ["cert-manager.io"]
- resources: ["clusterissuers"]
+ resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]
- verbs: ["create", "patch"]
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
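Review bot: `cert-manager-view` carries `rbac.authorization.k8s.io/aggregate-to-view: "true"`, `aggregate-to-edit: "true"` and `aggregate-to-admin: "true"`, so every subject already bound to the built-in `view`, `edit` or `admin` roles gains `get`/`list`/`watch` on `certificates`, `certificaterequests` and `issuers` wherever those bindings apply, and an Issuer spec exposes CA endpoints, zones and the names of referenced Secrets (not the secret material itself). The rules match the `cert-manager-view` block this commit deletes above, so nothing new is granted, but the diff layout presents it as a fresh grant and a one-line statement in the commit message that these roles are only reordered would save the next reviewer the comparison. The ingress-shim role grants Ingress access only under `apiGroups: ["extensions"]`, the legacy Ingress API group; on a cluster that no longer serves Ingress from `extensions`, ingress-shim cannot watch Ingress objects regardless of these rules, so the Kubernetes version range this manifest is meant for should be noted alongside the upgrade.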
@@ -6589,7 +18853,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -6597,42 +18861,6 @@
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
-# Source: cert-manager/templates/rbac.yaml
-# Certificates controller role
-apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-certificates
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
- verbs: ["get", "list", "watch"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- # admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates/finalizers", "certificaterequests/finalizers"]
- - apiGroups: ["acme.cert-manager.io"]
- verbs: ["create", "delete", "get", "list", "watch"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]
- verbs: ["create", "patch"]
----
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6644,7 +18872,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
apiGroup: rbac.authorization.k8s.io
@@ -6658,18 +18886,18 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-controller-certificates
+ name: cert-manager-controller-issuers
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-certificates
+ name: cert-manager-controller-issuers
namespace: "cert-manager"
@@ -6686,7 +18914,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
apiGroup: rbac.authorization.k8s.io
@@ -6700,6 +18928,48 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: cert-manager-controller-certificates
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: "controller"
+ helm.sh/chart: cert-manager-v0.16.1
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-controller-certificates
+ namespace: "cert-manager"
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ name: cert-manager-controller-orders
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: "controller"
+ helm.sh/chart: cert-manager-v0.16.1
+ apiGroup: rbac.authorization.k8s.io
+ name: cert-manager-controller-orders
+ namespace: "cert-manager"
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
name: cert-manager-controller-challenges
@@ -6707,7 +18977,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 apiGroup: rbac.authorization.k8s.io
@@ -6728,7 +18998,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 apiGroup: rbac.authorization.k8s.io
@@ -6738,48 +19008,6 @@
namespace: "cert-manager"
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
- name: cert-manager-controller-orders
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
- apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-orders
- namespace: "cert-manager"
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
- name: cert-manager-controller-issuers
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
- apiGroup: rbac.authorization.k8s.io
- name: cert-manager-controller-issuers
- namespace: "cert-manager"
----
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -6793,7 +19021,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1 # Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
@@ -6820,7 +19048,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1 # Used for leader election by the controller
@@ -6843,7 +19071,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
@@ -6869,7 +19097,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 apiGroup: rbac.authorization.k8s.io
@@ -6893,7 +19121,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 apiGroup: rbac.authorization.k8s.io
@@ -6916,7 +19144,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 apiGroup: rbac.authorization.k8s.io
@@ -6939,7 +19167,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
@@ -6963,7 +19191,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
@@ -6987,7 +19215,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
@@ -7003,12 +19231,12 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "cainjector"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 serviceAccountName: cert-manager-cainjector
- image: "quay.io/jetstack/cert-manager-cainjector:v0.15.2"
+ image: "quay.io/jetstack/cert-manager-cainjector:v0.16.1"
 imagePullPolicy: IfNotPresent
@@ -7033,7 +19261,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "controller"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
@@ -7049,7 +19277,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/managed-by: Helm
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
@@ -7058,7 +19286,7 @@
serviceAccountName: cert-manager
- image: "quay.io/jetstack/cert-manager-controller:v0.15.2"
+ image: "quay.io/jetstack/cert-manager-controller:v0.16.1"
 imagePullPolicy: IfNotPresent
@@ -7087,7 +19315,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
@@ -7103,17 +19331,17 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 serviceAccountName: cert-manager-webhook
- image: "quay.io/jetstack/cert-manager-webhook:v0.15.2"
+ image: "quay.io/jetstack/cert-manager-webhook:v0.16.1"
 imagePullPolicy: IfNotPresent
- - --dynamic-serving-ca-secret-namespace=cert-manager
+ - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
 - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
@@ -7152,7 +19380,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
@@ -7162,8 +19390,7 @@
@@ -7189,7 +19416,7 @@
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: "webhook"
- helm.sh/chart: cert-manager-v0.15.2
+ helm.sh/chart: cert-manager-v0.16.1
 cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
@@ -7209,8 +19436,7 @@