--- a/10-cert-manager.yaml Mon Jan 27 08:34:18 2020 -0600
+++ b/10-cert-manager.yaml Mon Jan 27 10:08:05 2020 -0600
@@ -1,12 +1,482 @@
-# This is the official 0.11.0 manifest+# This is the official 0.13.0 cert-manager.yaml manifest # from https://github.com/jetstack/cert-manager/releases. No changes, aside
# from this header have been made.
+apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + name: certificaterequests.cert-manager.io + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + - JSONPath: .spec.issuerRef.name + - JSONPath: .status.conditions[?(@.type=="Ready")].message + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + preserveUnknownFields: false + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + description: CertificateRequest is a type to represent a Certificate Signing + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CertificateRequestSpec defines the desired state of CertificateRequest + description: Byte slice containing the PEM encoded CertificateSigningRequest + description: Requested certificate default Duration + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'cert sign' usage is set + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. The group field refers to the API group + of the issuer which defaults to 'cert-manager.io' if empty. + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: CertificateStatus defines the observed state of CertificateRequest + and resulting signed certificate. + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the details + of the last transition, complementing reason. + description: Reason is a brief machine readable explanation for + the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, currently ('Ready', 'InvalidRequest'). + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
- creationTimestamp: null+ name: certificates.cert-manager.io + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + - JSONPath: .spec.secretName + - JSONPath: .spec.issuerRef.name + - JSONPath: .status.conditions[?(@.type=="Ready")].message + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + preserveUnknownFields: false + listKind: CertificateList + description: Certificate is a type to represent a Certificate from ACME + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CertificateSpec defines the desired state of Certificate. A + valid Certificate requires at least one of a CommonName, DNSName, or URISAN + description: CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + description: DNSNames is a list of subject alt names to be used on the + description: Certificate default Duration + description: IPAddresses is a list of IP addresses to be used on the + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'cert sign' usage is set + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + description: KeyEncoding is the private key cryptography standards (PKCS) + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will be + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + description: Organization is the organization to be used on the Certificate + description: Certificate renew before expiration duration + description: SecretName is the name of the secret resource to store + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + description: Countries to be used on the Certificate. + description: Cities to be used on the Certificate. + description: Organizational Units to be used on the Certificate. + description: Postal codes to be used on the Certificate. + description: State/Provinces to be used on the Certificate. + description: Serial number to be used on the Certificate. + description: Street addresses to be used on the Certificate. + description: URISANs is a list of URI Subject Alternative Names to be + set on this Certificate. + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + description: CertificateStatus defines the observed state of Certificate + description: CertificateCondition contains condition information for + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + description: Message is a human readable description of the details + of the last transition, complementing reason. + description: Reason is a brief machine readable explanation for + the condition's last transition. + description: Status of the condition, one of ('True', 'False', + description: Type of the condition, currently ('Ready'). + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition name: challenges.acme.cert-manager.io
additionalPrinterColumns:
@@ -28,6 +498,7 @@
group: acme.cert-manager.io
+ preserveUnknownFields: false @@ -40,6 +511,9 @@
description: Challenge is a type to represent a Challenge request with an ACME
description: 'APIVersion defines the versioned schema of this representation
@@ -54,6 +528,15 @@
description: AuthzURL is the URL to the ACME Authorization resource
@@ -69,6 +552,9 @@
not exist, processing will be retried. If the Issuer is not an 'ACME'
Issuer, an error will be returned and the Challenge will be marked
@@ -76,25 +562,29 @@
description: Key is the ACME challenge key for this challenge
description: Solver contains the domain solving configuration that should
- be used to solve this challenge resource. Only **one** of 'config'- or 'solver' may be specified, and if both are specified then no action- will be performed on the Challenge resource.+ be used to solve this challenge resource. description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing
the configuration for ACME-DNS servers
description: The key of the secret to select from. Must
@@ -104,21 +594,23 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: ACMEIssuerDNS01ProviderAkamai is a structure containing
the DNS configuration for Akamai DNS—Zone Record Management
+ - clientSecretSecretRef + - serviceConsumerDomain description: The key of the secret to select from. Must
@@ -128,10 +620,10 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: The key of the secret to select from. Must
@@ -141,10 +633,10 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: The key of the secret to select from. Must
@@ -154,24 +646,62 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
- - clientSecretSecretRef- - serviceConsumerDomain description: ACMEIssuerDNS01ProviderAzureDNS is a structure
containing the configuration for Azure DNS
+ - clientSecretSecretRef + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + - AzureUSGovernmentCloud + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + serviceAccountSecretRef: description: The key of the secret to select from. Must
@@ -181,38 +711,30 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?'
- - AzureUSGovernmentCloud- - clientSecretSecretRef- description: ACMEIssuerDNS01ProviderCloudDNS is a structure- containing the DNS configuration for Google Cloud DNS- serviceAccountSecretRef: description: The key of the secret to select from. Must
@@ -222,18 +744,26 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
+ description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + description: ACMEIssuerDNS01ProviderDigitalOcean is a structure + containing the DNS configuration for DigitalOcean Domains
- - serviceAccountSecretRef- description: ACMEIssuerDNS01ProviderCloudflare is a structure- containing the DNS configuration for Cloudflare description: The key of the secret to select from. Must
@@ -243,45 +773,12 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
- description: CNAMEStrategy configures how the DNS01 provider- should handle CNAME records when found in DNS zones.- description: ACMEIssuerDNS01ProviderDigitalOcean is a structure- containing the DNS configuration for DigitalOcean Domains- description: The key of the secret to select from. Must- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, uid?' description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing
the configuration for RFC2136 DNS
description: 'The IP address of the DNS supporting RFC2136.
@@ -301,6 +798,9 @@
description: The name of the secret containing the TSIG
value. If ``tsigKeyName`` is defined, this field is required.
description: The key of the secret to select from. Must
@@ -310,15 +810,12 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: ACMEIssuerDNS01ProviderRoute53 is a structure containing
the Route 53 configuration for AWS
description: 'The AccessKeyID is used for authentication.
@@ -344,6 +841,9 @@
description: The SecretAccessKey is used for authentication.
If not set we fall-back to using env vars, shared credentials
file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
description: The key of the secret to select from. Must
@@ -353,16 +853,14 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: ACMEIssuerDNS01ProviderWebhook specifies configuration
for a webhook DNS01 provider, including where to POST ChallengePayload
description: Additional configuration that should be passed
@@ -385,11 +883,6 @@
the webhook provider implementation. This will typically
be the name of the provider, e.g. 'cloudflare'.
description: ACMEChallengeSolverHTTP01 contains configuration detailing
how to solve HTTP01 challenges within a Kubernetes cluster. Typically
@@ -397,6 +890,7 @@
that configure ingress controllers to direct traffic to 'solver
pods', which are responsible for responding to the ACME server's
description: The ingress based HTTP01 challenge solver will
@@ -404,6 +898,7 @@
in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
description: The ingress class to use when creating Ingress
@@ -421,6 +916,7 @@
description: Optional pod template used to configure the
ACME challenge solver pods used for HTTP01 challenges
description: ObjectMeta overrides for the pod used to
@@ -429,19 +925,35 @@
with in-built values, the values here will override
+ description: Annotations that should be added to + the create ACME HTTP01 solver pods. + description: Labels that should be added to the + created ACME HTTP01 solver pods. description: PodSpec defines overrides for the HTTP01
challenge solver pod. Only the 'nodeSelector', 'affinity'
and 'tolerations' fields are supported currently.
All other fields will be ignored.
description: If specified, the pod's scheduling
description: Describes node affinity scheduling
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to
@@ -459,74 +971,38 @@
sum if the node matches the corresponding
matchExpressions; the node(s) with the
highest sum are the most preferred.
description: An empty preferred scheduling
term matches all objects with implicit
weight 0 (i.e. it's a no-op). A null
preferred scheduling term matches no
objects (i.e. is also a no-op).
description: A node selector term,
associated with the corresponding
description: A list of node selector
requirements by node's labels.
description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
- description: The label key- that the selector applies- description: Represents- a key's relationship to- operators are In, NotIn,- description: An array of- operator is In or NotIn,- be non-empty. If the operator- is Exists or DoesNotExist,- be empty. If the operator- is Gt or Lt, the values- array must have a single- interpreted as an integer.- during a strategic merge- description: A list of node selector- requirements by node's fields.- description: A node selector- requirement is a selector- that contains values, a key,- and an operator that relates description: The label key
@@ -557,56 +1033,23 @@
+ description: A list of node selector + requirements by node's fields.
- description: Weight associated with- matching the corresponding nodeSelectorTerm,- requiredDuringSchedulingIgnoredDuringExecution:- description: If the affinity requirements- specified by this field are not met at- scheduling time, the pod will not be scheduled- onto the node. If the affinity requirements- specified by this field cease to be met- at some point during pod execution (e.g.- due to an update), the system may or may- not try to eventually evict the pod from- description: Required. A list of node- selector terms. The terms are ORed.- description: A null or empty node- selector term matches no objects.- The requirements of them are ANDed.- The TopologySelectorTerm type implements- a subset of the NodeSelectorTerm.- description: A list of node selector- requirements by node's labels. description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
description: The label key
@@ -637,23 +1080,55 @@
+ description: Weight associated with + matching the corresponding nodeSelectorTerm, + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to an update), the system may or may + not try to eventually evict the pod from + description: Required. A list of node + selector terms. The terms are ORed. + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + description: A list of node selector + requirements by node's labels.
- description: A list of node selector- requirements by node's fields. description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
description: The label key
@@ -684,24 +1159,61 @@
+ description: A list of node selector + requirements by node's fields. + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates
+ description: The label key + that the selector applies + description: Represents + a key's relationship to + operators are In, NotIn, + description: An array of + operator is In or NotIn, + be non-empty. If the operator + is Exists or DoesNotExist, + be empty. If the operator + is Gt or Lt, the values + array must have a single + interpreted as an integer. + during a strategic merge description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the same
node, zone, etc. as some other pod(s)).
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to
@@ -720,27 +1232,37 @@
the corresponding podAffinityTerm; the
node(s) with the highest sum are the most
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
description: Required. A pod affinity
term, associated with the corresponding
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -748,6 +1270,10 @@
@@ -778,17 +1304,10 @@
description: matchLabels is
a map of {key,value} pairs.
@@ -800,16 +1319,17 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should be
co-located (affinity) or not
@@ -824,20 +1344,12 @@
is running. Empty topologyKey
description: weight associated with
matching the corresponding podAffinityTerm,
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met at
@@ -852,6 +1364,7 @@
corresponding to each podAffinityTerm
are intersected, i.e. all terms must be
description: Defines a set of pods (namely
those matching the labelSelector relative
@@ -863,22 +1376,31 @@
key <topologyKey> matches that of any
node on which a pod of the set of pods
description: A label query over a
set of resources, in this case pods.
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
that contains values, a key,
and an operator that relates
@@ -903,17 +1425,10 @@
array must be empty. This
description: matchLabels is a
map of {key,value} pairs. A
single {key,value} in the matchLabels
@@ -924,16 +1439,17 @@
contains only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against); null
or empty list means "this pod's
description: This pod should be co-located
(affinity) or not co-located (anti-affinity)
@@ -946,15 +1462,11 @@
selected pods is running. Empty
topologyKey is not allowed.
description: Describes pod anti-affinity scheduling
rules (e.g. avoid putting this pod in the
same node, zone, etc. as some other pod(s)).
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to
@@ -973,27 +1485,37 @@
has pods which matches the corresponding
podAffinityTerm; the node(s) with the
highest sum are the most preferred.
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
description: Required. A pod affinity
term, associated with the corresponding
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -1001,6 +1523,10 @@
@@ -1031,17 +1557,10 @@
description: matchLabels is
a map of {key,value} pairs.
@@ -1053,16 +1572,17 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should be
co-located (affinity) or not
@@ -1077,20 +1597,12 @@
is running. Empty topologyKey
description: weight associated with
matching the corresponding podAffinityTerm,
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements
specified by this field are not met at
@@ -1105,6 +1617,7 @@
corresponding to each podAffinityTerm
are intersected, i.e. all terms must be
description: Defines a set of pods (namely
those matching the labelSelector relative
@@ -1116,22 +1629,31 @@
key <topologyKey> matches that of any
node on which a pod of the set of pods
description: A label query over a
set of resources, in this case pods.
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
that contains values, a key,
and an operator that relates
@@ -1156,17 +1678,10 @@
array must be empty. This
description: matchLabels is a
map of {key,value} pairs. A
single {key,value} in the matchLabels
@@ -1177,16 +1692,17 @@
contains only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against); null
or empty list means "this pod's
description: This pod should be co-located
(affinity) or not co-located (anti-affinity)
@@ -1199,27 +1715,23 @@
selected pods is running. Empty
topologyKey is not allowed.
description: 'NodeSelector is a selector which must
be true for the pod to fit on a node. Selector
which must match a node''s labels for the pod
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
description: If specified, the pod's tolerations.
description: The pod this Toleration is attached
to tolerates any taint that matches the triple
<key,value,effect> using the matching operator
description: Effect indicates the taint effect
@@ -1251,27 +1763,22 @@
the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict
immediately) by the system.
description: Value is the taint value the
toleration matches to. If the operator is
Exists, the value should be empty, otherwise
description: Optional service type for Kubernetes solver
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
description: List of DNSNames that this solver will be used
@@ -1281,9 +1788,9 @@
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier in
the list will be selected.
description: List of DNSZones that this solver will be used
to solve. The most specific DNS zone match specified here
@@ -1294,17 +1801,15 @@
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier in
the list will be selected.
description: A label selector that is used to refine the set
of certificate's that this challenge solver will apply to.
description: Token is the ACME challenge token for this challenge.
@@ -1321,16 +1826,8 @@
description: Wildcard will be true if this challenge is for a wildcard
identifier, for example '*.example.com'
description: Presented will be set to true if the challenge values for
@@ -1354,6 +1851,7 @@
description: State contains the current 'state' of the challenge. If
not set, the state of the challenge is unknown.
@@ -1362,249 +1860,21 @@
----
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
- creationTimestamp: null- name: orders.acme.cert-manager.io- additionalPrinterColumns:- - JSONPath: .status.state- - JSONPath: .spec.issuerRef.name- - JSONPath: .status.reason- - JSONPath: .metadata.creationTimestamp- description: CreationTimestamp is a timestamp representing the server time when- this object was created. It is not guaranteed to be set in happens-before order- across separate operations. Clients may not set this value. It is represented- in RFC3339 form and is in UTC.- group: acme.cert-manager.io- description: Order is a type to represent an Order with an ACME server- description: 'APIVersion defines the versioned schema of this representation- of an object. Servers should convert recognized schemas to the latest- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'- description: 'Kind is a string value representing the REST resource this- object represents. Servers may infer this from the endpoint the client- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'- description: CommonName is the common name as specified on the DER encoded- CSR. If CommonName is not specified, the first DNSName specified will- be used as the CommonName. At least one of CommonName or a DNSNames- must be set. This field must match the corresponding field on the- description: Certificate signing request bytes in DER encoding. This- will be used when finalizing the order. This field must be set on- description: DNSNames is a list of DNS names that should be included- as part of the Order validation process. If CommonName is not specified,- the first DNSName specified will be used as the CommonName. At least- one of CommonName or a DNSNames must be set. This field must match- the corresponding field on the DER encoded CSR.- description: IssuerRef references a properly configured ACME-type Issuer- which should be used to create this Order. If the Issuer does not- exist, processing will be retried. If the Issuer is not an 'ACME'- Issuer, an error will be returned and the Order will be marked as- description: Authorizations contains data returned from the ACME server- on what authoriations must be completed in order to validate the DNS- names specified on the Order.- description: ACMEAuthorization contains data returned from the ACME- server on an authorization that must be completed in order validate- a DNS name on an ACME Order resource.- description: Challenges specifies the challenge types offered- by the ACME server. One of these challenge types will be selected- when validating the DNS name and an appropriate Challenge resource- will be created to perform the ACME challenge process.- description: Challenge specifies a challenge offered by the- ACME server for an Order. An appropriate Challenge resource- can be created to perform the ACME challenge process.- description: Token is the token that must be presented for- this challenge. This is used to compute the 'key' that- must also be presented.- description: Type is the type of challenge being offered,- description: URL is the URL of this challenge. It can be- used to retrieve additional metadata about the Challenge- description: Identifier is the DNS name to be validated as part- description: URL is the URL of the Authorization that must be- description: Wildcard will be true if this authorization is for- a wildcard DNS name. If this is true, the identifier will be- the *non-wildcard* version of the DNS name. For example, if- '*.example.com' is the DNS name being validated, this field- will be 'true' and the 'identifier' field will be 'example.com'.- description: Certificate is a copy of the PEM encoded certificate for- this Order. This field will be populated after the order has been- successfully finalized with the ACME server, and the order has transitioned- description: FailureTime stores the time that this order failed. This- is used to influence garbage collection and back-off.- description: FinalizeURL of the Order. This is used to obtain certificates- for this order once it has been completed.- description: Reason optionally provides more information about a why- the order is in the current state.- description: State contains the current state of this Order resource.- States 'success' and 'expired' are 'final'- description: URL of the Order. This will initially be empty when the- resource is first created. The Order controller will populate this- field when the Order is first processed. This field will be immutable- after it is initially set.----
----
-apiVersion: apiextensions.k8s.io/v1beta1-kind: CustomResourceDefinition- creationTimestamp: null- name: certificaterequests.cert-manager.io+ name: clusterissuers.cert-manager.io additionalPrinterColumns:
- JSONPath: .status.conditions[?(@.type=="Ready")].status
- - JSONPath: .spec.issuerRef.name - JSONPath: .status.conditions[?(@.type=="Ready")].message
@@ -1617,423 +1887,7 @@
- kind: CertificateRequest- listKind: CertificateRequestList- plural: certificaterequests- singular: certificaterequest- description: CertificateRequest is a type to represent a Certificate Signing- description: 'APIVersion defines the versioned schema of this representation- of an object. Servers should convert recognized schemas to the latest- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'- description: 'Kind is a string value representing the REST resource this- object represents. Servers may infer this from the endpoint the client- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'- description: CertificateRequestSpec defines the desired state of CertificateRequest- description: Byte slice containing the PEM encoded CertificateSigningRequest- description: Requested certificate default Duration- description: IsCA will mark the resulting certificate as valid for signing.- This implies that the 'cert sign' usage is set- description: IssuerRef is a reference to the issuer for this CertificateRequest. If- the 'kind' field is not set, or set to 'Issuer', an Issuer resource- with the given name in the same namespace as the CertificateRequest- will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer- with the provided name will be used. The 'name' field in this stanza- is required at all times. The group field refers to the API group- of the issuer which defaults to 'cert-manager.io' if empty.- description: Usages is the set of x509 actions that are enabled for- a given key. Defaults are ('digital signature', 'key encipherment')- description: 'KeyUsage specifies valid usage contexts for keys. See:- https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12'- description: CertificateStatus defines the observed state of CertificateRequest- and resulting signed certificate.- description: Byte slice containing the PEM encoded certificate authority- of the signed certificate.- description: Byte slice containing a PEM encoded signed certificate- resulting from the given certificate signing request.- description: CertificateRequestCondition contains condition information- for a CertificateRequest.- description: LastTransitionTime is the timestamp corresponding- to the last status change of this condition.- description: Message is a human readable description of the details- of the last transition, complementing reason.- description: Reason is a brief machine readable explanation for- the condition's last transition.- description: Status of the condition, one of ('True', 'False',- description: Type of the condition, currently ('Ready').- description: FailureTime stores the time that this CertificateRequest- failed. This is used to influence garbage collection and back-off.----
----
-apiVersion: apiextensions.k8s.io/v1beta1-kind: CustomResourceDefinition- creationTimestamp: null- name: certificates.cert-manager.io- additionalPrinterColumns:- - JSONPath: .status.conditions[?(@.type=="Ready")].status- - JSONPath: .spec.secretName- - JSONPath: .spec.issuerRef.name- - JSONPath: .status.conditions[?(@.type=="Ready")].message- - JSONPath: .metadata.creationTimestamp- description: CreationTimestamp is a timestamp representing the server time when- this object was created. It is not guaranteed to be set in happens-before order- across separate operations. Clients may not set this value. It is represented- in RFC3339 form and is in UTC.- listKind: CertificateList- description: Certificate is a type to represent a Certificate from ACME- description: 'APIVersion defines the versioned schema of this representation- of an object. Servers should convert recognized schemas to the latest- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'- description: 'Kind is a string value representing the REST resource this- object represents. Servers may infer this from the endpoint the client- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'- description: CertificateSpec defines the desired state of Certificate. A- valid Certificate requires at least one of a CommonName, DNSName, or URISAN- description: CommonName is a common name to be used on the Certificate.- The CommonName should have a length of 64 characters or fewer to avoid- generating invalid CSRs.- description: DNSNames is a list of subject alt names to be used on the- description: Certificate default Duration- description: IPAddresses is a list of IP addresses to be used on the- description: IsCA will mark this Certificate as valid for signing. This- implies that the 'cert sign' usage is set- description: IssuerRef is a reference to the issuer for this certificate.- If the 'kind' field is not set, or set to 'Issuer', an Issuer resource- with the given name in the same namespace as the Certificate will- be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer- with the provided name will be used. The 'name' field in this stanza- is required at all times.- description: KeyAlgorithm is the private key algorithm of the corresponding- private key for this certificate. If provided, allowed values are- either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is- not provided, key size of 256 will be used for "ecdsa" key algorithm- and key size of 2048 will be used for "rsa" key algorithm.- description: KeyEncoding is the private key cryptography standards (PKCS)- for this certificate's private key to be encoded in. If provided,- allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,- respectively. If KeyEncoding is not specified, then PKCS#1 will be- description: KeySize is the key bit size of the corresponding private- key for this certificate. If provided, value must be between 2048- and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",- and value must be one of (256, 384, 521) when KeyAlgorithm is set- description: Organization is the organization to be used on the Certificate- description: Certificate renew before expiration duration- description: SecretName is the name of the secret resource to store- description: URISANs is a list of URI Subject Alternative Names to be- set on this Certificate.- description: Usages is the set of x509 actions that are enabled for- a given key. Defaults are ('digital signature', 'key encipherment')- description: 'KeyUsage specifies valid usage contexts for keys. See:- https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12'- description: CertificateStatus defines the observed state of Certificate- description: CertificateCondition contains condition information for- description: LastTransitionTime is the timestamp corresponding- to the last status change of this condition.- description: Message is a human readable description of the details- of the last transition, complementing reason.- description: Reason is a brief machine readable explanation for- the condition's last transition.- description: Status of the condition, one of ('True', 'False',- description: Type of the condition, currently ('Ready').- description: The expiration time of the certificate stored in the secret- named by this resource in spec.secretName.----
----
-apiVersion: apiextensions.k8s.io/v1beta1-kind: CustomResourceDefinition- creationTimestamp: null- name: clusterissuers.cert-manager.io+ preserveUnknownFields: false listKind: ClusterIssuerList
@@ -2044,6 +1898,7 @@
description: 'APIVersion defines the versioned schema of this representation
@@ -2060,16 +1915,66 @@
description: IssuerSpec is the specification of an Issuer. This includes
any configuration required for the issuer.
description: ACMEIssuer contains the specification for an ACME issuer
description: Email is the email for this account
+ externalAccountBinding: + description: ExternalAcccountBinding is a reference to a CA external + account of the ACME server. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or indeed + with the External Account Binding keyID above. The secret + key stored in the Secret **must** be un-padded, base64 URL + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' description: PrivateKey is the name of a secret containing the private
key for this user account.
description: The key of the secret to select from. Must be a
@@ -2079,9 +1984,6 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: Server is the ACME server URL
@@ -2091,15 +1993,25 @@
description: Solvers is a list of challenge solvers that will be
used to solve ACME challenges for the matching domains.
description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
containing the configuration for ACME-DNS servers
description: The key of the secret to select from.
@@ -2111,21 +2023,23 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderAkamai is a structure
containing the DNS configuration for Akamai DNS—Zone
+ - clientSecretSecretRef + - serviceConsumerDomain description: The key of the secret to select from.
@@ -2137,25 +2051,10 @@
TODO: Add other useful fields. apiVersion, kind,
- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, description: The key of the secret to select from.
@@ -2167,24 +2066,40 @@
TODO: Add other useful fields. apiVersion, kind,
+ description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind,
- - clientSecretSecretRef- - serviceConsumerDomain description: ACMEIssuerDNS01ProviderAzureDNS is a structure
containing the configuration for Azure DNS
+ - clientSecretSecretRef description: The key of the secret to select from.
@@ -2196,16 +2111,13 @@
TODO: Add other useful fields. apiVersion, kind,
@@ -2214,20 +2126,19 @@
- - clientSecretSecretRef description: ACMEIssuerDNS01ProviderCloudDNS is a structure
containing the DNS configuration for Google Cloud DNS
description: The key of the secret to select from.
@@ -2239,18 +2150,32 @@
TODO: Add other useful fields. apiVersion, kind,
- - serviceAccountSecretRef description: ACMEIssuerDNS01ProviderCloudflare is a structure
containing the DNS configuration for Cloudflare
+ description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, description: The key of the secret to select from.
@@ -2262,28 +2187,27 @@
TODO: Add other useful fields. apiVersion, kind,
description: CNAMEStrategy configures how the DNS01 provider
should handle CNAME records when found in DNS zones.
description: ACMEIssuerDNS01ProviderDigitalOcean is a
structure containing the DNS configuration for DigitalOcean
description: The key of the secret to select from.
@@ -2295,15 +2219,12 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderRFC2136 is a structure
containing the configuration for RFC2136 DNS
description: 'The IP address of the DNS supporting
@@ -2326,6 +2247,9 @@
description: The name of the secret containing the
TSIG value. If ``tsigKeyName`` is defined, this
description: The key of the secret to select from.
@@ -2337,15 +2261,12 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderRoute53 is a structure
containing the Route 53 configuration for AWS
description: 'The AccessKeyID is used for authentication.
@@ -2372,6 +2293,9 @@
description: The SecretAccessKey is used for authentication.
If not set we fall-back to using env vars, shared
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
description: The key of the secret to select from.
@@ -2383,16 +2307,14 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderWebhook specifies
configuration for a webhook DNS01 provider, including
where to POST ChallengePayload resources.
description: Additional configuration that should
@@ -2416,11 +2338,6 @@
in the webhook provider implementation. This will
typically be the name of the provider, e.g. 'cloudflare'.
description: ACMEChallengeSolverHTTP01 contains configuration
detailing how to solve HTTP01 challenges within a Kubernetes
@@ -2428,6 +2345,7 @@
'routes' of some description that configure ingress controllers
to direct traffic to 'solver pods', which are responsible
for responding to the ACME server's HTTP requests.
description: The ingress based HTTP01 challenge solver
@@ -2435,6 +2353,7 @@
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
description: The ingress class to use when creating
@@ -2453,6 +2372,7 @@
description: Optional pod template used to configure
the ACME challenge solver pods used for HTTP01 challenges
description: ObjectMeta overrides for the pod
@@ -2461,19 +2381,35 @@
or annotations overlap with in-built values,
the values here will override the in-built values.
+ description: Annotations that should be added + to the create ACME HTTP01 solver pods. + description: Labels that should be added to + the created ACME HTTP01 solver pods. description: PodSpec defines overrides for the
HTTP01 challenge solver pod. Only the 'nodeSelector',
'affinity' and 'tolerations' fields are supported
currently. All other fields will be ignored.
description: If specified, the pod's scheduling
description: Describes node affinity scheduling
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -2494,6 +2430,7 @@
corresponding matchExpressions;
the node(s) with the highest sum
description: An empty preferred
scheduling term matches all objects
@@ -2501,16 +2438,22 @@
a no-op). A null preferred scheduling
term matches no objects (i.e.
description: A node selector
term, associated with the
description: A list of node
description: A node selector
requirement is a selector
@@ -2518,6 +2461,10 @@
@@ -2553,18 +2500,14 @@
description: A list of node
description: A node selector
requirement is a selector
@@ -2572,6 +2515,10 @@
@@ -2607,27 +2554,16 @@
description: Weight associated
with matching the corresponding
nodeSelectorTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not
@@ -2639,11 +2575,15 @@
(e.g. due to an update), the system
may or may not try to eventually
evict the pod from its node.
description: Required. A list
of node selector terms. The
description: A null or empty
node selector term matches
@@ -2651,11 +2591,13 @@
of them are ANDed. The TopologySelectorTerm
type implements a subset of
description: A list of node
description: A node selector
requirement is a selector
@@ -2663,6 +2605,10 @@
@@ -2698,18 +2644,14 @@
description: A list of node
description: A node selector
requirement is a selector
@@ -2717,6 +2659,10 @@
@@ -2752,25 +2698,15 @@
description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the
same node, zone, etc. as some other
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -2791,21 +2727,30 @@
which matches the corresponding
podAffinityTerm; the node(s) with
the highest sum are the most preferred.
description: The weights of all
of the matched WeightedPodAffinityTerm
fields are added per-node to find
the most preferred node(s)
description: Required. A pod
affinity term, associated
with the corresponding weight.
description: A label query
description: matchExpressions
@@ -2813,6 +2758,7 @@
@@ -2821,6 +2767,10 @@
@@ -2856,17 +2806,10 @@
pairs. A single {key,value}
@@ -2880,7 +2823,8 @@
"value". The requirements
specifies which namespaces
@@ -2888,9 +2832,9 @@
description: This pod should
@@ -2907,21 +2851,13 @@
is running. Empty topologyKey
description: weight associated
with matching the corresponding
podAffinityTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not
@@ -2937,6 +2873,7 @@
the lists of nodes corresponding
to each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
description: Defines a set of pods
(namely those matching the labelSelector
@@ -2948,17 +2885,22 @@
of the label with key <topologyKey>
matches that of any node on which
a pod of the set of pods is running
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -2966,6 +2908,10 @@
@@ -2996,17 +2942,10 @@
pairs. A single {key,value}
@@ -3019,16 +2958,17 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should
be co-located (affinity) or
@@ -3044,16 +2984,12 @@
running. Empty topologyKey
description: Describes pod anti-affinity
scheduling rules (e.g. avoid putting
this pod in the same node, zone, etc.
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -3074,21 +3010,30 @@
has pods which matches the corresponding
podAffinityTerm; the node(s) with
the highest sum are the most preferred.
description: The weights of all
of the matched WeightedPodAffinityTerm
fields are added per-node to find
the most preferred node(s)
description: Required. A pod
affinity term, associated
with the corresponding weight.
description: A label query
description: matchExpressions
@@ -3096,6 +3041,7 @@
@@ -3104,6 +3050,10 @@
@@ -3139,17 +3089,10 @@
pairs. A single {key,value}
@@ -3163,7 +3106,8 @@
"value". The requirements
specifies which namespaces
@@ -3171,9 +3115,9 @@
description: This pod should
@@ -3190,21 +3134,13 @@
is running. Empty topologyKey
description: weight associated
with matching the corresponding
podAffinityTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity
requirements specified by this field
@@ -3220,6 +3156,7 @@
elements, the lists of nodes corresponding
to each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
description: Defines a set of pods
(namely those matching the labelSelector
@@ -3231,17 +3168,22 @@
of the label with key <topologyKey>
matches that of any node on which
a pod of the set of pods is running
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -3249,6 +3191,10 @@
@@ -3279,17 +3225,10 @@
pairs. A single {key,value}
@@ -3302,16 +3241,17 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should
be co-located (affinity) or
@@ -3327,28 +3267,24 @@
running. Empty topologyKey
description: 'NodeSelector is a selector which
must be true for the pod to fit on a node.
Selector which must match a node''s labels
for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
description: If specified, the pod's tolerations.
description: The pod this Toleration is
attached to tolerates any taint that matches
the triple <key,value,effect> using the
matching operator <operator>.
description: Effect indicates the taint
@@ -3383,8 +3319,8 @@
(do not evict). Zero and negative
values will be treated as 0 (evict
immediately) by the system.
description: Value is the taint value
the toleration matches to. If the
@@ -3392,19 +3328,14 @@
be empty, otherwise just a regular
description: Optional service type for Kubernetes
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
description: List of DNSNames that this solver will be
@@ -3414,9 +3345,9 @@
value, the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
description: List of DNSZones that this solver will be
used to solve. The most specific DNS zone match specified
@@ -3427,41 +3358,45 @@
the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
description: A label selector that is used to refine the
set of certificate's that this challenge solver will
description: SecretName is the name of the secret used to sign Certificates
description: Vault authentication
description: This Secret contains a AppRole and Secret
description: Where the authentication path is mounted in
@@ -3470,6 +3405,9 @@
description: The key of the secret to select from. Must
@@ -3479,24 +3417,20 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: This contains a Role and Secret with a ServiceAccount
token to authenticate with vault.
- description: The value here will be used as part of the- path used when authenticating with vault, for example- if you set a value of "foo", the path used will be `/v1/auth/foo/login`.- If unspecified, the default value "kubernetes" will be+ description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. description: A required field containing the Vault Role
@@ -3507,6 +3441,9 @@
description: The required Secret field containing a Kubernetes
ServiceAccount JWT used for authenticating with Vault.
Use of 'ambient credentials' is not supported.
description: The key of the secret to select from. Must
@@ -3516,15 +3453,11 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: This Secret contains the Vault token key
description: The key of the secret to select from. Must
@@ -3534,39 +3467,40 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: Base64 encoded CA bundle to validate Vault server certificate.
Only used if the Server URL is using HTTPS protocol. This parameter
is ignored for plain HTTP protocol connection. If not set the
system root certificates are used to validate the TLS connection.
description: Vault URL path to the certificate role
description: Server is the vault connection address
description: VenafiIssuer describes issuer configuration details for
description: Cloud specifies the Venafi cloud configuration settings.
Only one of TPP or Cloud may be specified.
description: APITokenSecretRef is a secret key selector for
the Venafi Cloud API token.
description: The key of the secret to select from. Must
@@ -3576,19 +3510,16 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: URL is the base URL for Venafi Cloud
description: TPP specifies Trust Protection Platform configuration
settings. Only one of TPP or Cloud may be specified.
description: CABundle is a PEM encoded TLS certifiate to use
@@ -3597,40 +3528,34 @@
must be verifiable using the provided root. If not specified,
the connection will be verified using the cert-manager system
description: CredentialsRef is a reference to a Secret containing
the username and password for the TPP server. The secret must
contain two keys, 'username' and 'password'.
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: URL is the base URL for the Venafi TPP instance
description: Zone is the Venafi Policy Zone to use for this issuer.
All requests made to the Venafi platform will be restricted by
the named zone policy. This field is required.
description: IssuerStatus contains status information about an Issuer
description: LastRegisteredEmail is the email associated with the
@@ -3641,17 +3566,21 @@
description: URI is the unique account identifier, which can also
be used to retrieve account details from the CA
description: IssuerCondition contains condition information for an
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
description: Message is a human readable description of the details
of the last transition, complementing reason.
@@ -3663,42 +3592,42 @@
description: Status of the condition, one of ('True', 'False',
description: Type of the condition, currently ('Ready').
----
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
- creationTimestamp: null name: issuers.cert-manager.io
+ additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + - JSONPath: .status.conditions[?(@.type=="Ready")].message + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + preserveUnknownFields: false @@ -3709,6 +3638,7 @@
description: 'APIVersion defines the versioned schema of this representation
@@ -3725,16 +3655,66 @@
description: IssuerSpec is the specification of an Issuer. This includes
any configuration required for the issuer.
description: ACMEIssuer contains the specification for an ACME issuer
description: Email is the email for this account
+ externalAccountBinding: + description: ExternalAcccountBinding is a reference to a CA external + account of the ACME server. + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + description: keyID is the ID of the CA key that the External + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or indeed + with the External Account Binding keyID above. The secret + key stored in the Secret **must** be un-padded, base64 URL + description: The key of the secret to select from. Must + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' description: PrivateKey is the name of a secret containing the private
key for this user account.
description: The key of the secret to select from. Must be a
@@ -3744,9 +3724,6 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: Server is the ACME server URL
@@ -3756,15 +3733,25 @@
description: Solvers is a list of challenge solvers that will be
used to solve ACME challenges for the matching domains.
description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
containing the configuration for ACME-DNS servers
description: The key of the secret to select from.
@@ -3776,21 +3763,23 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderAkamai is a structure
containing the DNS configuration for Akamai DNS—Zone
+ - clientSecretSecretRef + - serviceConsumerDomain description: The key of the secret to select from.
@@ -3802,25 +3791,10 @@
TODO: Add other useful fields. apiVersion, kind,
- description: The key of the secret to select from.- Must be a valid secret key.- description: 'Name of the referent. More info:- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names- TODO: Add other useful fields. apiVersion, kind, description: The key of the secret to select from.
@@ -3832,24 +3806,40 @@
TODO: Add other useful fields. apiVersion, kind,
+ description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind,
- - clientSecretSecretRef- - serviceConsumerDomain description: ACMEIssuerDNS01ProviderAzureDNS is a structure
containing the configuration for Azure DNS
+ - clientSecretSecretRef description: The key of the secret to select from.
@@ -3861,16 +3851,13 @@
TODO: Add other useful fields. apiVersion, kind,
@@ -3879,20 +3866,19 @@
- - clientSecretSecretRef description: ACMEIssuerDNS01ProviderCloudDNS is a structure
containing the DNS configuration for Google Cloud DNS
description: The key of the secret to select from.
@@ -3904,18 +3890,32 @@
TODO: Add other useful fields. apiVersion, kind,
- - serviceAccountSecretRef description: ACMEIssuerDNS01ProviderCloudflare is a structure
containing the DNS configuration for Cloudflare
+ description: The key of the secret to select from. + Must be a valid secret key. + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, description: The key of the secret to select from.
@@ -3927,28 +3927,27 @@
TODO: Add other useful fields. apiVersion, kind,
description: CNAMEStrategy configures how the DNS01 provider
should handle CNAME records when found in DNS zones.
description: ACMEIssuerDNS01ProviderDigitalOcean is a
structure containing the DNS configuration for DigitalOcean
description: The key of the secret to select from.
@@ -3960,15 +3959,12 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderRFC2136 is a structure
containing the configuration for RFC2136 DNS
description: 'The IP address of the DNS supporting
@@ -3991,6 +3987,9 @@
description: The name of the secret containing the
TSIG value. If ``tsigKeyName`` is defined, this
description: The key of the secret to select from.
@@ -4002,15 +4001,12 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderRoute53 is a structure
containing the Route 53 configuration for AWS
description: 'The AccessKeyID is used for authentication.
@@ -4037,6 +4033,9 @@
description: The SecretAccessKey is used for authentication.
If not set we fall-back to using env vars, shared
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
description: The key of the secret to select from.
@@ -4048,16 +4047,14 @@
TODO: Add other useful fields. apiVersion, kind,
description: ACMEIssuerDNS01ProviderWebhook specifies
configuration for a webhook DNS01 provider, including
where to POST ChallengePayload resources.
description: Additional configuration that should
@@ -4081,11 +4078,6 @@
in the webhook provider implementation. This will
typically be the name of the provider, e.g. 'cloudflare'.
description: ACMEChallengeSolverHTTP01 contains configuration
detailing how to solve HTTP01 challenges within a Kubernetes
@@ -4093,6 +4085,7 @@
'routes' of some description that configure ingress controllers
to direct traffic to 'solver pods', which are responsible
for responding to the ACME server's HTTP requests.
description: The ingress based HTTP01 challenge solver
@@ -4100,6 +4093,7 @@
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
description: The ingress class to use when creating
@@ -4118,6 +4112,7 @@
description: Optional pod template used to configure
the ACME challenge solver pods used for HTTP01 challenges
description: ObjectMeta overrides for the pod
@@ -4126,19 +4121,35 @@
or annotations overlap with in-built values,
the values here will override the in-built values.
+ description: Annotations that should be added + to the create ACME HTTP01 solver pods. + description: Labels that should be added to + the created ACME HTTP01 solver pods. description: PodSpec defines overrides for the
HTTP01 challenge solver pod. Only the 'nodeSelector',
'affinity' and 'tolerations' fields are supported
currently. All other fields will be ignored.
description: If specified, the pod's scheduling
description: Describes node affinity scheduling
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -4159,6 +4170,7 @@
corresponding matchExpressions;
the node(s) with the highest sum
description: An empty preferred
scheduling term matches all objects
@@ -4166,16 +4178,22 @@
a no-op). A null preferred scheduling
term matches no objects (i.e.
description: A node selector
term, associated with the
description: A list of node
description: A node selector
requirement is a selector
@@ -4183,6 +4201,10 @@
@@ -4218,18 +4240,14 @@
description: A list of node
description: A node selector
requirement is a selector
@@ -4237,6 +4255,10 @@
@@ -4272,27 +4294,16 @@
description: Weight associated
with matching the corresponding
nodeSelectorTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not
@@ -4304,11 +4315,15 @@
(e.g. due to an update), the system
may or may not try to eventually
evict the pod from its node.
description: Required. A list
of node selector terms. The
description: A null or empty
node selector term matches
@@ -4316,11 +4331,13 @@
of them are ANDed. The TopologySelectorTerm
type implements a subset of
description: A list of node
description: A node selector
requirement is a selector
@@ -4328,6 +4345,10 @@
@@ -4363,18 +4384,14 @@
description: A list of node
description: A node selector
requirement is a selector
@@ -4382,6 +4399,10 @@
@@ -4417,25 +4438,15 @@
description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the
same node, zone, etc. as some other
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -4456,21 +4467,30 @@
which matches the corresponding
podAffinityTerm; the node(s) with
the highest sum are the most preferred.
description: The weights of all
of the matched WeightedPodAffinityTerm
fields are added per-node to find
the most preferred node(s)
description: Required. A pod
affinity term, associated
with the corresponding weight.
description: A label query
description: matchExpressions
@@ -4478,6 +4498,7 @@
@@ -4486,6 +4507,10 @@
@@ -4521,17 +4546,10 @@
pairs. A single {key,value}
@@ -4545,7 +4563,8 @@
"value". The requirements
specifies which namespaces
@@ -4553,9 +4572,9 @@
description: This pod should
@@ -4572,21 +4591,13 @@
is running. Empty topologyKey
description: weight associated
with matching the corresponding
podAffinityTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not
@@ -4602,6 +4613,7 @@
the lists of nodes corresponding
to each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
description: Defines a set of pods
(namely those matching the labelSelector
@@ -4613,17 +4625,22 @@
of the label with key <topologyKey>
matches that of any node on which
a pod of the set of pods is running
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -4631,6 +4648,10 @@
@@ -4661,17 +4682,10 @@
pairs. A single {key,value}
@@ -4684,16 +4698,17 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should
be co-located (affinity) or
@@ -4709,16 +4724,12 @@
running. Empty topologyKey
description: Describes pod anti-affinity
scheduling rules (e.g. avoid putting
this pod in the same node, zone, etc.
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
@@ -4739,21 +4750,30 @@
has pods which matches the corresponding
podAffinityTerm; the node(s) with
the highest sum are the most preferred.
description: The weights of all
of the matched WeightedPodAffinityTerm
fields are added per-node to find
the most preferred node(s)
description: Required. A pod
affinity term, associated
with the corresponding weight.
description: A label query
description: matchExpressions
@@ -4761,6 +4781,7 @@
@@ -4769,6 +4790,10 @@
@@ -4804,17 +4829,10 @@
pairs. A single {key,value}
@@ -4828,7 +4846,8 @@
"value". The requirements
specifies which namespaces
@@ -4836,9 +4855,9 @@
description: This pod should
@@ -4855,21 +4874,13 @@
is running. Empty topologyKey
description: weight associated
with matching the corresponding
podAffinityTerm, in the range
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity
requirements specified by this field
@@ -4885,6 +4896,7 @@
elements, the lists of nodes corresponding
to each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
description: Defines a set of pods
(namely those matching the labelSelector
@@ -4896,17 +4908,22 @@
of the label with key <topologyKey>
matches that of any node on which
a pod of the set of pods is running
description: A label query over
a set of resources, in this
description: matchExpressions
is a list of label selector
requirements. The requirements
description: A label selector
requirement is a selector
@@ -4914,6 +4931,10 @@
@@ -4944,17 +4965,10 @@
pairs. A single {key,value}
@@ -4967,16 +4981,17 @@
only "value". The requirements
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
description: This pod should
be co-located (affinity) or
@@ -4992,28 +5007,24 @@
running. Empty topologyKey
description: 'NodeSelector is a selector which
must be true for the pod to fit on a node.
Selector which must match a node''s labels
for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
description: If specified, the pod's tolerations.
description: The pod this Toleration is
attached to tolerates any taint that matches
the triple <key,value,effect> using the
matching operator <operator>.
description: Effect indicates the taint
@@ -5048,8 +5059,8 @@
(do not evict). Zero and negative
values will be treated as 0 (evict
immediately) by the system.
description: Value is the taint value
the toleration matches to. If the
@@ -5057,19 +5068,14 @@
be empty, otherwise just a regular
description: Optional service type for Kubernetes
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
description: List of DNSNames that this solver will be
@@ -5079,9 +5085,9 @@
value, the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
description: List of DNSZones that this solver will be
used to solve. The most specific DNS zone match specified
@@ -5092,41 +5098,45 @@
the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
description: A label selector that is used to refine the
set of certificate's that this challenge solver will
description: SecretName is the name of the secret used to sign Certificates
description: Vault authentication
description: This Secret contains a AppRole and Secret
description: Where the authentication path is mounted in
@@ -5135,6 +5145,9 @@
description: The key of the secret to select from. Must
@@ -5144,24 +5157,20 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: This contains a Role and Secret with a ServiceAccount
token to authenticate with vault.
- description: The value here will be used as part of the- path used when authenticating with vault, for example- if you set a value of "foo", the path used will be `/v1/auth/foo/login`.- If unspecified, the default value "kubernetes" will be+ description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. description: A required field containing the Vault Role
@@ -5172,6 +5181,9 @@
description: The required Secret field containing a Kubernetes
ServiceAccount JWT used for authenticating with Vault.
Use of 'ambient credentials' is not supported.
description: The key of the secret to select from. Must
@@ -5181,15 +5193,11 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: This Secret contains the Vault token key
description: The key of the secret to select from. Must
@@ -5199,39 +5207,40 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: Base64 encoded CA bundle to validate Vault server certificate.
Only used if the Server URL is using HTTPS protocol. This parameter
is ignored for plain HTTP protocol connection. If not set the
system root certificates are used to validate the TLS connection.
description: Vault URL path to the certificate role
description: Server is the vault connection address
description: VenafiIssuer describes issuer configuration details for
description: Cloud specifies the Venafi cloud configuration settings.
Only one of TPP or Cloud may be specified.
description: APITokenSecretRef is a secret key selector for
the Venafi Cloud API token.
description: The key of the secret to select from. Must
@@ -5241,19 +5250,16 @@
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: URL is the base URL for Venafi Cloud
description: TPP specifies Trust Protection Platform configuration
settings. Only one of TPP or Cloud may be specified.
description: CABundle is a PEM encoded TLS certifiate to use
@@ -5262,40 +5268,34 @@
must be verifiable using the provided root. If not specified,
the connection will be verified using the cert-manager system
description: CredentialsRef is a reference to a Secret containing
the username and password for the TPP server. The secret must
contain two keys, 'username' and 'password'.
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: URL is the base URL for the Venafi TPP instance
description: Zone is the Venafi Policy Zone to use for this issuer.
All requests made to the Venafi platform will be restricted by
the named zone policy. This field is required.
description: IssuerStatus contains status information about an Issuer
description: LastRegisteredEmail is the email associated with the
@@ -5306,17 +5306,21 @@
description: URI is the unique account identifier, which can also
be used to retrieve account details from the CA
description: IssuerCondition contains condition information for an
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
description: Message is a human readable description of the details
of the last transition, complementing reason.
@@ -5328,41 +5332,229 @@
description: Status of the condition, one of ('True', 'False',
description: Type of the condition, currently ('Ready').
+apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition + name: orders.acme.cert-manager.io + additionalPrinterColumns: + - JSONPath: .status.state + - JSONPath: .spec.issuerRef.name + - JSONPath: .status.reason + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + group: acme.cert-manager.io + preserveUnknownFields: false + description: Order is a type to represent an Order with an ACME server + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + description: Authorizations contains data returned from the ACME server + on what authoriations must be completed in order to validate the DNS + names specified on the Order. + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge resource + will be created to perform the ACME challenge process. + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + description: Token is the token that must be presented for + this challenge. This is used to compute the 'key' that + must also be presented. + description: Type is the type of challenge being offered, + description: URL is the URL of this challenge. It can be + used to retrieve additional metadata about the Challenge + description: Identifier is the DNS name to be validated as part + description: URL is the URL of the Authorization that must be + description: Wildcard will be true if this authorization is for + a wildcard DNS name. If this is true, the identifier will be + the *non-wildcard* version of the DNS name. For example, if + '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + description: Reason optionally provides more information about a why + the order is in the current state. + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set.
----
-# Source: cert-manager/charts/cainjector/templates/serviceaccount.yaml+# Source: cert-manager/templates/cainjector-serviceaccount.yaml @@ -5371,9 +5563,9 @@
app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 # Source: cert-manager/templates/serviceaccount.yaml
@@ -5386,9 +5578,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 # Source: cert-manager/templates/webhook-serviceaccount.yaml
@@ -5400,11 +5592,11 @@
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 -# Source: cert-manager/charts/cainjector/templates/rbac.yaml+# Source: cert-manager/templates/cainjector-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -5412,9 +5604,9 @@
app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 - apiGroups: ["cert-manager.io"]
resources: ["certificates"]
@@ -5442,9 +5634,9 @@
app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5464,9 +5656,9 @@
app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 # Used for leader election by the controller
# TODO: refine the permission to *just* the leader election configmap
@@ -5486,16 +5678,15 @@
app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
name: cert-manager-cainjector:leaderelection
name: cert-manager-cainjector
@@ -5511,9 +5702,9 @@
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5537,9 +5728,9 @@
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5559,9 +5750,9 @@
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 - admission.cert-manager.io
@@ -5582,9 +5773,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 # Used for leader election by the controller
# TODO: refine the permission to *just* the leader election configmap
@@ -5604,9 +5795,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5627,9 +5818,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 - apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
@@ -5654,9 +5845,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 - apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
@@ -5681,9 +5872,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 - apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
@@ -5695,7 +5886,7 @@
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
- resources: ["certificates/finalizers"]+ resources: ["certificates/finalizers", "certificaterequests/finalizers"] - apiGroups: ["acme.cert-manager.io"]
@@ -5717,9 +5908,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 - apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
@@ -5756,9 +5947,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 # Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
@@ -5808,9 +5999,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 - apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
@@ -5836,34 +6027,13 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
- name: cert-manager-leaderelection- app.kubernetes.io/name: cert-manager- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.11.0- apiGroup: rbac.authorization.k8s.io- name: cert-manager-leaderelection- namespace: "cert-manager"----
-apiVersion: rbac.authorization.k8s.io/v1beta1-kind: ClusterRoleBinding name: cert-manager-controller-issuers
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5882,9 +6052,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5903,9 +6073,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5924,9 +6094,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5945,9 +6115,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5966,9 +6136,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 apiGroup: rbac.authorization.k8s.io
@@ -5987,9 +6157,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -6007,9 +6177,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -6028,9 +6198,9 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 @@ -6039,7 +6209,7 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager # Source: cert-manager/templates/webhook-service.yaml
@@ -6051,22 +6221,22 @@
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
-# Source: cert-manager/charts/cainjector/templates/deployment.yaml+# Source: cert-manager/templates/cainjector-deployment.yaml @@ -6075,31 +6245,31 @@
app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cainjector-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 serviceAccountName: cert-manager-cainjector
- image: "quay.io/jetstack/cert-manager-cainjector:v0.11.0"+ image: "quay.io/jetstack/cert-manager-cainjector:v0.13.0" imagePullPolicy: IfNotPresent
@@ -6123,25 +6293,25 @@
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
@@ -6150,7 +6320,7 @@
serviceAccountName: cert-manager
- image: "quay.io/jetstack/cert-manager-controller:v0.11.0"+ image: "quay.io/jetstack/cert-manager-controller:v0.13.0" imagePullPolicy: IfNotPresent
@@ -6162,6 +6332,7 @@
- --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
@@ -6183,37 +6354,47 @@
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 serviceAccountName: cert-manager-webhook
- image: "quay.io/jetstack/cert-manager-webhook:v0.11.0"+ image: "quay.io/jetstack/cert-manager-webhook:v0.13.0" imagePullPolicy: IfNotPresent
- --tls-cert-file=/certs/tls.crt
- --tls-private-key-file=/certs/tls.key
@@ -6230,28 +6411,6 @@
secretName: cert-manager-webhook-tls
-# Source: cert-manager/templates/webhook-apiservice.yaml-apiVersion: apiregistration.k8s.io/v1beta1- name: v1beta1.webhook.cert-manager.io- app.kubernetes.io/name: webhook- app.kubernetes.io/instance: cert-manager- app.kubernetes.io/managed-by: Tiller- helm.sh/chart: cert-manager-v0.11.0- cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls"- group: webhook.cert-manager.io- groupPriorityMinimum: 1000- name: cert-manager-webhook- namespace: "cert-manager"----
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
@@ -6260,44 +6419,41 @@
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 - cert-manager.io/inject-apiserver-ca: "true"+ cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls" - name: webhook.cert-manager.io
+ - "acme.cert-manager.io"
- path: /apis/webhook.cert-manager.io/v1beta1/mutations+ name: cert-manager-webhook + namespace: "cert-manager" -# Source: cert-manager/charts/cainjector/templates/psp-clusterrole.yaml+# Source: cert-manager/templates/cainjector-psp-clusterrole.yaml -# Source: cert-manager/charts/cainjector/templates/psp-clusterrolebinding.yaml+# Source: cert-manager/templates/cainjector-psp-clusterrolebinding.yaml -# Source: cert-manager/charts/cainjector/templates/psp.yaml+# Source: cert-manager/templates/cainjector-psp.yaml @@ -6317,6 +6473,18 @@
+# Source: cert-manager/templates/webhook-psp-clusterrole.yaml +# Source: cert-manager/templates/webhook-psp-clusterrolebinding.yaml +# Source: cert-manager/templates/webhook-psp.yaml # Source: cert-manager/templates/webhook-validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
@@ -6325,11 +6493,11 @@
app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager+ app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Tiller
- helm.sh/chart: cert-manager-v0.11.0+ helm.sh/chart: cert-manager-v0.13.0 - cert-manager.io/inject-apiserver-ca: "true"+ cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls" - name: webhook.cert-manager.io
@@ -6345,20 +6513,18 @@
+ - "acme.cert-manager.io"
- path: /apis/webhook.cert-manager.io/v1beta1/validations+ name: cert-manager-webhook + namespace: "cert-manager" 