k8s-sig-cluster-lifecycleawskubesprayhigh-availabilityansiblekubernetes-clustergcekubernetesbare-metal
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7943 lines
542 KiB
7943 lines
542 KiB
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
name: clusterissuers.cert-manager.io
|
|
spec:
|
|
conversion:
|
|
strategy: Webhook
|
|
webhook:
|
|
clientConfig:
|
|
service:
|
|
name: cert-manager-webhook
|
|
namespace: {{ cert_manager_namespace }}
|
|
path: /convert
|
|
conversionReviewVersions:
|
|
- v1
|
|
- v1beta1
|
|
group: cert-manager.io
|
|
names:
|
|
kind: ClusterIssuer
|
|
listKind: ClusterIssuerList
|
|
plural: clusterissuers
|
|
singular: clusterissuer
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|
name: Status
|
|
priority: 1
|
|
type: string
|
|
- description: CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before
|
|
order across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC.
|
|
jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: A ClusterIssuer represents a certificate issuing authority which
|
|
can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
|
|
however it is cluster-scoped and therefore can be referenced by resources
|
|
that exist in *any* namespace, not just the same namespace as the referent.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the ClusterIssuer resource.
|
|
properties:
|
|
acme:
|
|
description: ACME configures this issuer to communicate with a RFC8555
|
|
(ACME) server to obtain signed x509 certificates.
|
|
properties:
|
|
disableAccountKeyGeneration:
|
|
description: Enables or disables generating a new ACME account
|
|
key. If true, the Issuer resource will *not* request a new account
|
|
but will expect the account key to be supplied via an existing
|
|
secret. If false, the cert-manager system will generate a new
|
|
ACME account key for the Issuer. Defaults to false.
|
|
type: boolean
|
|
email:
|
|
description: Email is the email address to be associated with
|
|
the ACME account. This field is optional, but it is strongly
|
|
recommended to be set. It will be used to contact you in case
|
|
of issues with your account or certificates, including expiry
|
|
notification emails. This field may be updated after the account
|
|
is initially registered.
|
|
type: string
|
|
externalAccountBinding:
|
|
description: ExternalAccountBinding is a reference to a CA external
|
|
account of the ACME server. If set, upon registration cert-manager
|
|
will attempt to associate the given external account credentials
|
|
with the registered ACME account.
|
|
properties:
|
|
keyAlgorithm:
|
|
description: keyAlgorithm is the MAC key algorithm that the
|
|
key is used for. Valid values are "HS256", "HS384" and "HS512".
|
|
enum:
|
|
- HS256
|
|
- HS384
|
|
- HS512
|
|
type: string
|
|
keyID:
|
|
description: keyID is the ID of the CA key that the External
|
|
Account is bound to.
|
|
type: string
|
|
keySecretRef:
|
|
description: keySecretRef is a Secret Key Selector referencing
|
|
a data item in a Kubernetes Secret which holds the symmetric
|
|
MAC key of the External Account Binding. The `key` is the
|
|
index string that is paired with the key data in the Secret
|
|
and should not be confused with the key data itself, or
|
|
indeed with the External Account Binding keyID above. The
|
|
secret key stored in the Secret **must** be un-padded, base64
|
|
URL encoded data.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- keyAlgorithm
|
|
- keyID
|
|
- keySecretRef
|
|
type: object
|
|
preferredChain:
|
|
description: 'PreferredChain is the chain to use if the ACME server
|
|
outputs multiple. PreferredChain is no guarantee that this one
|
|
gets delivered by the ACME endpoint. For example, for Let''s
|
|
Encrypt''s DST crosssign you would use: "DST Root CA X3" or
|
|
"ISRG Root X1" for the newer Let''s Encrypt root CA. This value
|
|
picks the first certificate bundle in the ACME alternative chains
|
|
that has a certificate with this value as its issuer''s CN'
|
|
maxLength: 64
|
|
type: string
|
|
privateKeySecretRef:
|
|
description: PrivateKey is the name of a Kubernetes Secret resource
|
|
that will be used to store the automatically generated ACME
|
|
account private key. Optionally, a `key` may be specified to
|
|
select a specific entry within the named Secret resource. If
|
|
`key` is not specified, a default of `tls.key` will be used.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field may
|
|
be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to. More
|
|
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
server:
|
|
description: 'Server is the URL used to access the ACME server''s
|
|
''directory'' endpoint. For example, for Let''s Encrypt''s staging
|
|
endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
|
|
Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
|
type: string
|
|
skipTLSVerify:
|
|
description: Enables or disables validation of the ACME server
|
|
TLS certificate. If true, requests to the ACME server will not
|
|
have their TLS certificate validated (i.e. insecure connections
|
|
will be allowed). Only enable this option in development environments.
|
|
The cert-manager system installed roots will be used to verify
|
|
connections to the ACME server if this is false. Defaults to
|
|
false.
|
|
type: boolean
|
|
solvers:
|
|
description: 'Solvers is a list of challenge solvers that will
|
|
be used to solve ACME challenges for the matching domains. Solver
|
|
configurations must be provided in order to obtain certificates
|
|
from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
|
items:
|
|
description: Configures an issuer to solve challenges using
|
|
the specified options. Only one of HTTP01 or DNS01 may be
|
|
provided.
|
|
properties:
|
|
dns01:
|
|
description: Configures cert-manager to attempt to complete
|
|
authorizations by performing the DNS01 challenge flow.
|
|
properties:
|
|
acmedns:
|
|
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
|
API to manage DNS01 challenge records.
|
|
properties:
|
|
accountSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
host:
|
|
type: string
|
|
required:
|
|
- accountSecretRef
|
|
- host
|
|
type: object
|
|
akamai:
|
|
description: Use the Akamai DNS zone management API
|
|
to manage DNS01 challenge records.
|
|
properties:
|
|
accessTokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
clientSecretSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
clientTokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
serviceConsumerDomain:
|
|
type: string
|
|
required:
|
|
- accessTokenSecretRef
|
|
- clientSecretSecretRef
|
|
- clientTokenSecretRef
|
|
- serviceConsumerDomain
|
|
type: object
|
|
azuredns:
|
|
description: Use the Microsoft Azure DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
clientID:
|
|
description: if both this and ClientSecret are left
|
|
unset MSI will be used
|
|
type: string
|
|
clientSecretSecretRef:
|
|
description: if both this and ClientID are left
|
|
unset MSI will be used
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
environment:
|
|
enum:
|
|
- AzurePublicCloud
|
|
- AzureChinaCloud
|
|
- AzureGermanCloud
|
|
- AzureUSGovernmentCloud
|
|
type: string
|
|
hostedZoneName:
|
|
type: string
|
|
resourceGroupName:
|
|
type: string
|
|
subscriptionID:
|
|
type: string
|
|
tenantID:
|
|
description: when specifying ClientID and ClientSecret
|
|
then this field is also needed
|
|
type: string
|
|
required:
|
|
- resourceGroupName
|
|
- subscriptionID
|
|
type: object
|
|
clouddns:
|
|
description: Use the Google Cloud DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
hostedZoneName:
|
|
description: HostedZoneName is an optional field
|
|
that tells cert-manager in which Cloud DNS zone
|
|
the challenge record has to be created. If left
|
|
empty cert-manager will automatically choose a
|
|
zone.
|
|
type: string
|
|
project:
|
|
type: string
|
|
serviceAccountSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- project
|
|
type: object
|
|
cloudflare:
|
|
description: Use the Cloudflare API to manage DNS01
|
|
challenge records.
|
|
properties:
|
|
apiKeySecretRef:
|
|
description: 'API key to use to authenticate with
|
|
Cloudflare. Note: using an API token to authenticate
|
|
is now the recommended method as it allows greater
|
|
control of permissions.'
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
apiTokenSecretRef:
|
|
description: API token used to authenticate with
|
|
Cloudflare.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
email:
|
|
description: Email of the account, only required
|
|
when using API key based authentication.
|
|
type: string
|
|
type: object
|
|
cnameStrategy:
|
|
description: CNAMEStrategy configures how the DNS01
|
|
provider should handle CNAME records when found in
|
|
DNS zones.
|
|
enum:
|
|
- None
|
|
- Follow
|
|
type: string
|
|
digitalocean:
|
|
description: Use the DigitalOcean DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
tokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- tokenSecretRef
|
|
type: object
|
|
rfc2136:
|
|
description: Use RFC2136 ("Dynamic Updates in the Domain
|
|
Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
|
to manage DNS01 challenge records.
|
|
properties:
|
|
nameserver:
|
|
description: The IP address or hostname of an authoritative
|
|
DNS server supporting RFC2136 in the form host:port.
|
|
If the host is an IPv6 address it must be enclosed
|
|
in square brackets (e.g [2001:db8::1]) ; port
|
|
is optional. This field is required.
|
|
type: string
|
|
tsigAlgorithm:
|
|
description: 'The TSIG Algorithm configured in the
|
|
DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
|
and ``tsigKeyName`` are defined. Supported values
|
|
are (case-insensitive): ``HMACMD5`` (default),
|
|
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
|
type: string
|
|
tsigKeyName:
|
|
description: The TSIG Key name configured in the
|
|
DNS. If ``tsigSecretSecretRef`` is defined, this
|
|
field is required.
|
|
type: string
|
|
tsigSecretSecretRef:
|
|
description: The name of the secret containing the
|
|
TSIG value. If ``tsigKeyName`` is defined, this
|
|
field is required.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- nameserver
|
|
type: object
|
|
route53:
|
|
description: Use the AWS Route53 API to manage DNS01
|
|
challenge records.
|
|
properties:
|
|
accessKeyID:
|
|
description: 'The AccessKeyID is used for authentication.
|
|
If not set we fall-back to using env vars, shared
|
|
credentials file or AWS Instance metadata see:
|
|
https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
type: string
|
|
hostedZoneID:
|
|
description: If set, the provider will manage only
|
|
this zone in Route53 and will not do an lookup
|
|
using the route53:ListHostedZonesByName api call.
|
|
type: string
|
|
region:
|
|
description: Always set the region when using AccessKeyID
|
|
and SecretAccessKey
|
|
type: string
|
|
role:
|
|
description: Role is a Role ARN which the Route53
|
|
provider will assume using either the explicit
|
|
credentials AccessKeyID/SecretAccessKey or the
|
|
inferred credentials from environment variables,
|
|
shared credentials file or AWS Instance metadata
|
|
type: string
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication.
|
|
If not set we fall-back to using env vars, shared
|
|
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- region
|
|
type: object
|
|
webhook:
|
|
description: Configure an external webhook based DNS01
|
|
challenge solver to manage DNS01 challenge records.
|
|
properties:
|
|
config:
|
|
description: Additional configuration that should
|
|
be passed to the webhook apiserver when challenges
|
|
are processed. This can contain arbitrary JSON
|
|
data. Secret values should not be specified in
|
|
this stanza. If secret values are needed (e.g.
|
|
credentials for a DNS service), you should use
|
|
a SecretKeySelector to reference a Secret resource.
|
|
For details on the schema of this field, consult
|
|
the webhook provider implementation's documentation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
groupName:
|
|
description: The API group name that should be used
|
|
when POSTing ChallengePayload resources to the
|
|
webhook apiserver. This should be the same as
|
|
the GroupName specified in the webhook provider
|
|
implementation.
|
|
type: string
|
|
solverName:
|
|
description: The name of the solver to use, as defined
|
|
in the webhook provider implementation. This will
|
|
typically be the name of the provider, e.g. 'cloudflare'.
|
|
type: string
|
|
required:
|
|
- groupName
|
|
- solverName
|
|
type: object
|
|
type: object
|
|
http01:
|
|
description: Configures cert-manager to attempt to complete
|
|
authorizations by performing the HTTP01 challenge flow.
|
|
It is not possible to obtain certificates for wildcard
|
|
domain names (e.g. `*.example.com`) using the HTTP01 challenge
|
|
mechanism.
|
|
properties:
|
|
ingress:
|
|
description: The ingress based HTTP01 challenge solver
|
|
will solve challenges by creating or modifying Ingress
|
|
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
|
|
to 'challenge solver' pods that are provisioned by
|
|
cert-manager for each Challenge to be completed.
|
|
properties:
|
|
class:
|
|
description: The ingress class to use when creating
|
|
Ingress resources to solve ACME challenges that
|
|
use this challenge solver. Only one of 'class'
|
|
or 'name' may be specified.
|
|
type: string
|
|
ingressTemplate:
|
|
description: Optional ingress template used to configure
|
|
the ACME challenge solver ingress used for HTTP01
|
|
challenges
|
|
properties:
|
|
metadata:
|
|
description: ObjectMeta overrides for the ingress
|
|
used to solve HTTP01 challenges. Only the
|
|
'labels' and 'annotations' fields may be set.
|
|
If labels or annotations overlap with in-built
|
|
values, the values here will override the
|
|
in-built values.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations that should be
|
|
added to the created ACME HTTP01 solver
|
|
ingress.
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels that should be added
|
|
to the created ACME HTTP01 solver ingress.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
name:
|
|
description: The name of the ingress resource that
|
|
should have ACME challenge solving routes inserted
|
|
into it in order to solve HTTP01 challenges. This
|
|
is typically used in conjunction with ingress
|
|
controllers like ingress-gce, which maintains
|
|
a 1:1 mapping between external IPs and ingress
|
|
resources.
|
|
type: string
|
|
podTemplate:
|
|
description: Optional pod template used to configure
|
|
the ACME challenge solver pods used for HTTP01
|
|
challenges
|
|
properties:
|
|
metadata:
|
|
description: ObjectMeta overrides for the pod
|
|
used to solve HTTP01 challenges. Only the
|
|
'labels' and 'annotations' fields may be set.
|
|
If labels or annotations overlap with in-built
|
|
values, the values here will override the
|
|
in-built values.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations that should be
|
|
added to the create ACME HTTP01 solver
|
|
pods.
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels that should be added
|
|
to the created ACME HTTP01 solver pods.
|
|
type: object
|
|
type: object
|
|
spec:
|
|
description: PodSpec defines overrides for the
|
|
HTTP01 challenge solver pod. Only the 'priorityClassName',
|
|
'nodeSelector', 'affinity', 'serviceAccountName'
|
|
and 'tolerations' fields are supported currently.
|
|
All other fields will be ignored.
|
|
properties:
|
|
affinity:
|
|
description: If specified, the pod's scheduling
|
|
constraints
|
|
properties:
|
|
nodeAffinity:
|
|
description: Describes node affinity
|
|
scheduling rules for the pod.
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the affinity expressions
|
|
specified by this field, but it
|
|
may choose a node that violates
|
|
one or more of the expressions.
|
|
The node that is most preferred
|
|
is the one with the greatest sum
|
|
of weights, i.e. for each node
|
|
that meets all of the scheduling
|
|
requirements (resource request,
|
|
requiredDuringScheduling affinity
|
|
expressions, etc.), compute a
|
|
sum by iterating through the elements
|
|
of this field and adding "weight"
|
|
to the sum if the node matches
|
|
the corresponding matchExpressions;
|
|
the node(s) with the highest sum
|
|
are the most preferred.
|
|
items:
|
|
description: An empty preferred
|
|
scheduling term matches all
|
|
objects with implicit weight
|
|
0 (i.e. it's a no-op). A null
|
|
preferred scheduling term matches
|
|
no objects (i.e. is also a no-op).
|
|
properties:
|
|
preference:
|
|
description: A node selector
|
|
term, associated with the
|
|
corresponding weight.
|
|
properties:
|
|
matchExpressions:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's labels.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchFields:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's fields.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
type: object
|
|
weight:
|
|
description: Weight associated
|
|
with matching the corresponding
|
|
nodeSelectorTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- preference
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the affinity requirements
|
|
specified by this field are not
|
|
met at scheduling time, the pod
|
|
will not be scheduled onto the
|
|
node. If the affinity requirements
|
|
specified by this field cease
|
|
to be met at some point during
|
|
pod execution (e.g. due to an
|
|
update), the system may or may
|
|
not try to eventually evict the
|
|
pod from its node.
|
|
properties:
|
|
nodeSelectorTerms:
|
|
description: Required. A list
|
|
of node selector terms. The
|
|
terms are ORed.
|
|
items:
|
|
description: A null or empty
|
|
node selector term matches
|
|
no objects. The requirements
|
|
of them are ANDed. The TopologySelectorTerm
|
|
type implements a subset
|
|
of the NodeSelectorTerm.
|
|
properties:
|
|
matchExpressions:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's labels.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchFields:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's fields.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
required:
|
|
- nodeSelectorTerms
|
|
type: object
|
|
type: object
|
|
podAffinity:
|
|
description: Describes pod affinity
|
|
scheduling rules (e.g. co-locate this
|
|
pod in the same node, zone, etc. as
|
|
some other pod(s)).
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the affinity expressions
|
|
specified by this field, but it
|
|
may choose a node that violates
|
|
one or more of the expressions.
|
|
The node that is most preferred
|
|
is the one with the greatest sum
|
|
of weights, i.e. for each node
|
|
that meets all of the scheduling
|
|
requirements (resource request,
|
|
requiredDuringScheduling affinity
|
|
expressions, etc.), compute a
|
|
sum by iterating through the elements
|
|
of this field and adding "weight"
|
|
to the sum if the node has pods
|
|
which matches the corresponding
|
|
podAffinityTerm; the node(s) with
|
|
the highest sum are the most preferred.
|
|
items:
|
|
description: The weights of all
|
|
of the matched WeightedPodAffinityTerm
|
|
fields are added per-node to
|
|
find the most preferred node(s)
|
|
properties:
|
|
podAffinityTerm:
|
|
description: Required. A pod
|
|
affinity term, associated
|
|
with the corresponding weight.
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label
|
|
selector requirements.
|
|
The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector
|
|
that contains
|
|
values, a key,
|
|
and an operator
|
|
that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label
|
|
key that the
|
|
selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents
|
|
a key's relationship
|
|
to a set of
|
|
values. Valid
|
|
operators
|
|
are In, NotIn,
|
|
Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array
|
|
of string
|
|
values. If
|
|
the operator
|
|
is In or NotIn,
|
|
the values
|
|
array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists
|
|
or DoesNotExist,
|
|
the values
|
|
array must
|
|
be empty.
|
|
This array
|
|
is replaced
|
|
during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single
|
|
{key,value} in the
|
|
matchLabels map
|
|
is equivalent to
|
|
an element of matchExpressions,
|
|
whose key field
|
|
is "key", the operator
|
|
is "In", and the
|
|
values array contains
|
|
only "value". The
|
|
requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces
|
|
specifies which namespaces
|
|
the labelSelector applies
|
|
to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod
|
|
should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with
|
|
the pods matching the
|
|
labelSelector in the
|
|
specified namespaces,
|
|
where co-located is
|
|
defined as running on
|
|
a node whose value of
|
|
the label with key topologyKey
|
|
matches that of any
|
|
node on which any of
|
|
the selected pods is
|
|
running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
weight:
|
|
description: weight associated
|
|
with matching the corresponding
|
|
podAffinityTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- podAffinityTerm
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the affinity requirements
|
|
specified by this field are not
|
|
met at scheduling time, the pod
|
|
will not be scheduled onto the
|
|
node. If the affinity requirements
|
|
specified by this field cease
|
|
to be met at some point during
|
|
pod execution (e.g. due to a pod
|
|
label update), the system may
|
|
or may not try to eventually evict
|
|
the pod from its node. When there
|
|
are multiple elements, the lists
|
|
of nodes corresponding to each
|
|
podAffinityTerm are intersected,
|
|
i.e. all terms must be satisfied.
|
|
items:
|
|
description: Defines a set of
|
|
pods (namely those matching
|
|
the labelSelector relative to
|
|
the given namespace(s)) that
|
|
this pod should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with, where
|
|
co-located is defined as running
|
|
on a node whose value of the
|
|
label with key <topologyKey>
|
|
matches that of any node on
|
|
which a pod of the set of pods
|
|
is running
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label selector
|
|
requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label key
|
|
that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents a key's
|
|
relationship to
|
|
a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array of
|
|
string values.
|
|
If the operator
|
|
is In or NotIn,
|
|
the values array
|
|
must be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single {key,value}
|
|
in the matchLabels map
|
|
is equivalent to an
|
|
element of matchExpressions,
|
|
whose key field is "key",
|
|
the operator is "In",
|
|
and the values array
|
|
contains only "value".
|
|
The requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces specifies
|
|
which namespaces the labelSelector
|
|
applies to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod should
|
|
be co-located (affinity)
|
|
or not co-located (anti-affinity)
|
|
with the pods matching the
|
|
labelSelector in the specified
|
|
namespaces, where co-located
|
|
is defined as running on
|
|
a node whose value of the
|
|
label with key topologyKey
|
|
matches that of any node
|
|
on which any of the selected
|
|
pods is running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
type: array
|
|
type: object
|
|
podAntiAffinity:
|
|
description: Describes pod anti-affinity
|
|
scheduling rules (e.g. avoid putting
|
|
this pod in the same node, zone, etc.
|
|
as some other pod(s)).
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the anti-affinity
|
|
expressions specified by this
|
|
field, but it may choose a node
|
|
that violates one or more of the
|
|
expressions. The node that is
|
|
most preferred is the one with
|
|
the greatest sum of weights, i.e.
|
|
for each node that meets all of
|
|
the scheduling requirements (resource
|
|
request, requiredDuringScheduling
|
|
anti-affinity expressions, etc.),
|
|
compute a sum by iterating through
|
|
the elements of this field and
|
|
adding "weight" to the sum if
|
|
the node has pods which matches
|
|
the corresponding podAffinityTerm;
|
|
the node(s) with the highest sum
|
|
are the most preferred.
|
|
items:
|
|
description: The weights of all
|
|
of the matched WeightedPodAffinityTerm
|
|
fields are added per-node to
|
|
find the most preferred node(s)
|
|
properties:
|
|
podAffinityTerm:
|
|
description: Required. A pod
|
|
affinity term, associated
|
|
with the corresponding weight.
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label
|
|
selector requirements.
|
|
The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector
|
|
that contains
|
|
values, a key,
|
|
and an operator
|
|
that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label
|
|
key that the
|
|
selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents
|
|
a key's relationship
|
|
to a set of
|
|
values. Valid
|
|
operators
|
|
are In, NotIn,
|
|
Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array
|
|
of string
|
|
values. If
|
|
the operator
|
|
is In or NotIn,
|
|
the values
|
|
array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists
|
|
or DoesNotExist,
|
|
the values
|
|
array must
|
|
be empty.
|
|
This array
|
|
is replaced
|
|
during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single
|
|
{key,value} in the
|
|
matchLabels map
|
|
is equivalent to
|
|
an element of matchExpressions,
|
|
whose key field
|
|
is "key", the operator
|
|
is "In", and the
|
|
values array contains
|
|
only "value". The
|
|
requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces
|
|
specifies which namespaces
|
|
the labelSelector applies
|
|
to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod
|
|
should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with
|
|
the pods matching the
|
|
labelSelector in the
|
|
specified namespaces,
|
|
where co-located is
|
|
defined as running on
|
|
a node whose value of
|
|
the label with key topologyKey
|
|
matches that of any
|
|
node on which any of
|
|
the selected pods is
|
|
running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
weight:
|
|
description: weight associated
|
|
with matching the corresponding
|
|
podAffinityTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- podAffinityTerm
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the anti-affinity
|
|
requirements specified by this
|
|
field are not met at scheduling
|
|
time, the pod will not be scheduled
|
|
onto the node. If the anti-affinity
|
|
requirements specified by this
|
|
field cease to be met at some
|
|
point during pod execution (e.g.
|
|
due to a pod label update), the
|
|
system may or may not try to eventually
|
|
evict the pod from its node. When
|
|
there are multiple elements, the
|
|
lists of nodes corresponding to
|
|
each podAffinityTerm are intersected,
|
|
i.e. all terms must be satisfied.
|
|
items:
|
|
description: Defines a set of
|
|
pods (namely those matching
|
|
the labelSelector relative to
|
|
the given namespace(s)) that
|
|
this pod should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with, where
|
|
co-located is defined as running
|
|
on a node whose value of the
|
|
label with key <topologyKey>
|
|
matches that of any node on
|
|
which a pod of the set of pods
|
|
is running
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label selector
|
|
requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label key
|
|
that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents a key's
|
|
relationship to
|
|
a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array of
|
|
string values.
|
|
If the operator
|
|
is In or NotIn,
|
|
the values array
|
|
must be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single {key,value}
|
|
in the matchLabels map
|
|
is equivalent to an
|
|
element of matchExpressions,
|
|
whose key field is "key",
|
|
the operator is "In",
|
|
and the values array
|
|
contains only "value".
|
|
The requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces specifies
|
|
which namespaces the labelSelector
|
|
applies to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod should
|
|
be co-located (affinity)
|
|
or not co-located (anti-affinity)
|
|
with the pods matching the
|
|
labelSelector in the specified
|
|
namespaces, where co-located
|
|
is defined as running on
|
|
a node whose value of the
|
|
label with key topologyKey
|
|
matches that of any node
|
|
on which any of the selected
|
|
pods is running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
nodeSelector:
|
|
additionalProperties:
|
|
type: string
|
|
description: 'NodeSelector is a selector
|
|
which must be true for the pod to fit
|
|
on a node. Selector which must match a
|
|
node''s labels for the pod to be scheduled
|
|
on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
|
type: object
|
|
priorityClassName:
|
|
description: If specified, the pod's priorityClassName.
|
|
type: string
|
|
serviceAccountName:
|
|
description: If specified, the pod's service
|
|
account
|
|
type: string
|
|
tolerations:
|
|
description: If specified, the pod's tolerations.
|
|
items:
|
|
description: The pod this Toleration is
|
|
attached to tolerates any taint that
|
|
matches the triple <key,value,effect>
|
|
using the matching operator <operator>.
|
|
properties:
|
|
effect:
|
|
description: Effect indicates the
|
|
taint effect to match. Empty means
|
|
match all taint effects. When specified,
|
|
allowed values are NoSchedule, PreferNoSchedule
|
|
and NoExecute.
|
|
type: string
|
|
key:
|
|
description: Key is the taint key
|
|
that the toleration applies to.
|
|
Empty means match all taint keys.
|
|
If the key is empty, operator must
|
|
be Exists; this combination means
|
|
to match all values and all keys.
|
|
type: string
|
|
operator:
|
|
description: Operator represents a
|
|
key's relationship to the value.
|
|
Valid operators are Exists and Equal.
|
|
Defaults to Equal. Exists is equivalent
|
|
to wildcard for value, so that a
|
|
pod can tolerate all taints of a
|
|
particular category.
|
|
type: string
|
|
tolerationSeconds:
|
|
description: TolerationSeconds represents
|
|
the period of time the toleration
|
|
(which must be of effect NoExecute,
|
|
otherwise this field is ignored)
|
|
tolerates the taint. By default,
|
|
it is not set, which means tolerate
|
|
the taint forever (do not evict).
|
|
Zero and negative values will be
|
|
treated as 0 (evict immediately)
|
|
by the system.
|
|
format: int64
|
|
type: integer
|
|
value:
|
|
description: Value is the taint value
|
|
the toleration matches to. If the
|
|
operator is Exists, the value should
|
|
be empty, otherwise just a regular
|
|
string.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
serviceType:
|
|
description: Optional service type for Kubernetes
|
|
solver service
|
|
type: string
|
|
type: object
|
|
type: object
|
|
selector:
|
|
description: Selector selects a set of DNSNames on the Certificate
|
|
resource that should be solved using this challenge solver.
|
|
If not specified, the solver will be treated as the 'default'
|
|
solver with the lowest priority, i.e. if any other solver
|
|
has a more specific match, it will be used instead.
|
|
properties:
|
|
dnsNames:
|
|
description: List of DNSNames that this solver will
|
|
be used to solve. If specified and a match is found,
|
|
a dnsNames selector will take precedence over a dnsZones
|
|
selector. If multiple solvers match with the same
|
|
dnsNames value, the solver with the most matching
|
|
labels in matchLabels will be selected. If neither
|
|
has more matches, the solver defined earlier in the
|
|
list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
dnsZones:
|
|
description: List of DNSZones that this solver will
|
|
be used to solve. The most specific DNS zone match
|
|
specified here will take precedence over other DNS
|
|
zone matches, so a solver specifying sys.example.com
|
|
will be selected over one specifying example.com for
|
|
the domain www.sys.example.com. If multiple solvers
|
|
match with the same dnsZones value, the solver with
|
|
the most matching labels in matchLabels will be selected.
|
|
If neither has more matches, the solver defined earlier
|
|
in the list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: A label selector that is used to refine
|
|
the set of certificate's that this challenge solver
|
|
will apply to.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: array
|
|
required:
|
|
- privateKeySecretRef
|
|
- server
|
|
type: object
|
|
ca:
|
|
description: CA configures this issuer to sign certificates using
|
|
a signing CA keypair stored in a Secret resource. This is used to
|
|
build internal PKIs that are managed by cert-manager.
|
|
properties:
|
|
crlDistributionPoints:
|
|
description: The CRL distribution points is an X.509 v3 certificate
|
|
extension which identifies the location of the CRL from which
|
|
the revocation of this certificate can be checked. If not set,
|
|
certificates will be issued without distribution points set.
|
|
items:
|
|
type: string
|
|
type: array
|
|
secretName:
|
|
description: SecretName is the name of the secret used to sign
|
|
Certificates issued by this Issuer.
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
selfSigned:
|
|
description: SelfSigned configures this issuer to 'self sign' certificates
|
|
using the private key used to create the CertificateRequest object.
|
|
properties:
|
|
crlDistributionPoints:
|
|
description: The CRL distribution points is an X.509 v3 certificate
|
|
extension which identifies the location of the CRL from which
|
|
the revocation of this certificate can be checked. If not set
|
|
certificate will be issued without CDP. Values are strings.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
vault:
|
|
description: Vault configures this issuer to sign certificates using
|
|
a HashiCorp Vault PKI backend.
|
|
properties:
|
|
auth:
|
|
description: Auth configures how cert-manager authenticates with
|
|
the Vault server.
|
|
properties:
|
|
appRole:
|
|
description: AppRole authenticates with Vault using the App
|
|
Role auth mechanism, with the role and secret stored in
|
|
a Kubernetes Secret resource.
|
|
properties:
|
|
path:
|
|
description: 'Path where the App Role authentication backend
|
|
is mounted in Vault, e.g: "approle"'
|
|
type: string
|
|
roleId:
|
|
description: RoleID configured in the App Role authentication
|
|
backend when setting up the authentication backend in
|
|
Vault.
|
|
type: string
|
|
secretRef:
|
|
description: Reference to a key in a Secret that contains
|
|
the App Role secret used to authenticate with Vault.
|
|
The `key` field must be specified and denotes which
|
|
entry within the Secret resource is used as the app
|
|
role secret.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- path
|
|
- roleId
|
|
- secretRef
|
|
type: object
|
|
kubernetes:
|
|
description: Kubernetes authenticates with Vault by passing
|
|
the ServiceAccount token stored in the named Secret resource
|
|
to the Vault server.
|
|
properties:
|
|
mountPath:
|
|
description: The Vault mountPath here is the mount path
|
|
to use when authenticating with Vault. For example,
|
|
setting a value to `/v1/auth/foo`, will use the path
|
|
`/v1/auth/foo/login` to authenticate with Vault. If
|
|
unspecified, the default value "/v1/auth/kubernetes"
|
|
will be used.
|
|
type: string
|
|
role:
|
|
description: A required field containing the Vault Role
|
|
to assume. A Role binds a Kubernetes ServiceAccount
|
|
with a set of Vault policies.
|
|
type: string
|
|
secretRef:
|
|
description: The required Secret field containing a Kubernetes
|
|
ServiceAccount JWT used for authenticating with Vault.
|
|
Use of 'ambient credentials' is not supported.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- role
|
|
- secretRef
|
|
type: object
|
|
tokenSecretRef:
|
|
description: TokenSecretRef authenticates with Vault by presenting
|
|
a token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
description: PEM encoded CA bundle used to validate Vault server
|
|
certificate. Only used if the Server URL is using HTTPS protocol.
|
|
This parameter is ignored for plain HTTP protocol connection.
|
|
If not set the system root certificates are used to validate
|
|
the TLS connection.
|
|
format: byte
|
|
type: string
|
|
namespace:
|
|
description: 'Name of the vault namespace. Namespaces is a set
|
|
of features within Vault Enterprise that allows Vault environments
|
|
to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
|
|
can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
|
type: string
|
|
path:
|
|
description: 'Path is the mount path of the Vault PKI backend''s
|
|
`sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
|
type: string
|
|
server:
|
|
description: 'Server is the connection address for the Vault server,
|
|
e.g: "https://vault.example.com:8200".'
|
|
type: string
|
|
required:
|
|
- auth
|
|
- path
|
|
- server
|
|
type: object
|
|
venafi:
|
|
description: Venafi configures this issuer to sign certificates using
|
|
a Venafi TPP or Venafi Cloud policy zone.
|
|
properties:
|
|
cloud:
|
|
description: Cloud specifies the Venafi cloud configuration settings.
|
|
Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
apiTokenSecretRef:
|
|
description: APITokenSecretRef is a secret key selector for
|
|
the Venafi Cloud API token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: URL is the base URL for Venafi Cloud. Defaults
|
|
to "https://api.venafi.cloud/v1".
|
|
type: string
|
|
required:
|
|
- apiTokenSecretRef
|
|
type: object
|
|
tpp:
|
|
description: TPP specifies Trust Protection Platform configuration
|
|
settings. Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded TLS certificate to
|
|
use to verify connections to the TPP instance. If specified,
|
|
system roots will not be used and the issuing CA for the
|
|
TPP instance must be verifiable using the provided root.
|
|
If not specified, the connection will be verified using
|
|
the cert-manager system root certificates.
|
|
format: byte
|
|
type: string
|
|
credentialsRef:
|
|
description: CredentialsRef is a reference to a Secret containing
|
|
the username and password for the TPP server. The secret
|
|
must contain two keys, 'username' and 'password'.
|
|
properties:
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: 'URL is the base URL for the vedsdk endpoint
|
|
of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
|
type: string
|
|
required:
|
|
- credentialsRef
|
|
- url
|
|
type: object
|
|
zone:
|
|
description: Zone is the Venafi Policy Zone to use for this issuer.
|
|
All requests made to the Venafi platform will be restricted
|
|
by the named zone policy. This field is required.
|
|
type: string
|
|
required:
|
|
- zone
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: Status of the ClusterIssuer. This is set and managed automatically.
|
|
properties:
|
|
acme:
|
|
description: ACME specific status options. This field should only
|
|
be set if the Issuer is configured to use an ACME server to issue
|
|
certificates.
|
|
properties:
|
|
lastRegisteredEmail:
|
|
description: LastRegisteredEmail is the email associated with
|
|
the latest registered ACME account, in order to track changes
|
|
made to registered account associated with the Issuer
|
|
type: string
|
|
uri:
|
|
description: URI is the unique account identifier, which can also
|
|
be used to retrieve account details from the CA
|
|
type: string
|
|
type: object
|
|
conditions:
|
|
description: List of status conditions to indicate the status of a
|
|
CertificateRequest. Known condition types are `Ready`.
|
|
items:
|
|
description: IssuerCondition contains condition information for
|
|
an Issuer.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: Type of the condition, known values are ('Ready').
|
|
type: string
|
|
required:
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|
name: Status
|
|
priority: 1
|
|
type: string
|
|
- description: CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before
|
|
order across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC.
|
|
jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha3
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: A ClusterIssuer represents a certificate issuing authority which
|
|
can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
|
|
however it is cluster-scoped and therefore can be referenced by resources
|
|
that exist in *any* namespace, not just the same namespace as the referent.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the ClusterIssuer resource.
|
|
properties:
|
|
acme:
|
|
description: ACME configures this issuer to communicate with a RFC8555
|
|
(ACME) server to obtain signed x509 certificates.
|
|
properties:
|
|
disableAccountKeyGeneration:
|
|
description: Enables or disables generating a new ACME account
|
|
key. If true, the Issuer resource will *not* request a new account
|
|
but will expect the account key to be supplied via an existing
|
|
secret. If false, the cert-manager system will generate a new
|
|
ACME account key for the Issuer. Defaults to false.
|
|
type: boolean
|
|
email:
|
|
description: Email is the email address to be associated with
|
|
the ACME account. This field is optional, but it is strongly
|
|
recommended to be set. It will be used to contact you in case
|
|
of issues with your account or certificates, including expiry
|
|
notification emails. This field may be updated after the account
|
|
is initially registered.
|
|
type: string
|
|
externalAccountBinding:
|
|
description: ExternalAccountBinding is a reference to a CA external
|
|
account of the ACME server. If set, upon registration cert-manager
|
|
will attempt to associate the given external account credentials
|
|
with the registered ACME account.
|
|
properties:
|
|
keyAlgorithm:
|
|
description: keyAlgorithm is the MAC key algorithm that the
|
|
key is used for. Valid values are "HS256", "HS384" and "HS512".
|
|
enum:
|
|
- HS256
|
|
- HS384
|
|
- HS512
|
|
type: string
|
|
keyID:
|
|
description: keyID is the ID of the CA key that the External
|
|
Account is bound to.
|
|
type: string
|
|
keySecretRef:
|
|
description: keySecretRef is a Secret Key Selector referencing
|
|
a data item in a Kubernetes Secret which holds the symmetric
|
|
MAC key of the External Account Binding. The `key` is the
|
|
index string that is paired with the key data in the Secret
|
|
and should not be confused with the key data itself, or
|
|
indeed with the External Account Binding keyID above. The
|
|
secret key stored in the Secret **must** be un-padded, base64
|
|
URL encoded data.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- keyAlgorithm
|
|
- keyID
|
|
- keySecretRef
|
|
type: object
|
|
preferredChain:
|
|
description: 'PreferredChain is the chain to use if the ACME server
|
|
outputs multiple. PreferredChain is no guarantee that this one
|
|
gets delivered by the ACME endpoint. For example, for Let''s
|
|
Encrypt''s DST crosssign you would use: "DST Root CA X3" or
|
|
"ISRG Root X1" for the newer Let''s Encrypt root CA. This value
|
|
picks the first certificate bundle in the ACME alternative chains
|
|
that has a certificate with this value as its issuer''s CN'
|
|
maxLength: 64
|
|
type: string
|
|
privateKeySecretRef:
|
|
description: PrivateKey is the name of a Kubernetes Secret resource
|
|
that will be used to store the automatically generated ACME
|
|
account private key. Optionally, a `key` may be specified to
|
|
select a specific entry within the named Secret resource. If
|
|
`key` is not specified, a default of `tls.key` will be used.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field may
|
|
be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to. More
|
|
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
server:
|
|
description: 'Server is the URL used to access the ACME server''s
|
|
''directory'' endpoint. For example, for Let''s Encrypt''s staging
|
|
endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
|
|
Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
|
type: string
|
|
skipTLSVerify:
|
|
description: Enables or disables validation of the ACME server
|
|
TLS certificate. If true, requests to the ACME server will not
|
|
have their TLS certificate validated (i.e. insecure connections
|
|
will be allowed). Only enable this option in development environments.
|
|
The cert-manager system installed roots will be used to verify
|
|
connections to the ACME server if this is false. Defaults to
|
|
false.
|
|
type: boolean
|
|
solvers:
|
|
description: 'Solvers is a list of challenge solvers that will
|
|
be used to solve ACME challenges for the matching domains. Solver
|
|
configurations must be provided in order to obtain certificates
|
|
from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
|
items:
|
|
description: Configures an issuer to solve challenges using
|
|
the specified options. Only one of HTTP01 or DNS01 may be
|
|
provided.
|
|
properties:
|
|
dns01:
|
|
description: Configures cert-manager to attempt to complete
|
|
authorizations by performing the DNS01 challenge flow.
|
|
properties:
|
|
acmedns:
|
|
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
|
API to manage DNS01 challenge records.
|
|
properties:
|
|
accountSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
host:
|
|
type: string
|
|
required:
|
|
- accountSecretRef
|
|
- host
|
|
type: object
|
|
akamai:
|
|
description: Use the Akamai DNS zone management API
|
|
to manage DNS01 challenge records.
|
|
properties:
|
|
accessTokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
clientSecretSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
clientTokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
serviceConsumerDomain:
|
|
type: string
|
|
required:
|
|
- accessTokenSecretRef
|
|
- clientSecretSecretRef
|
|
- clientTokenSecretRef
|
|
- serviceConsumerDomain
|
|
type: object
|
|
azuredns:
|
|
description: Use the Microsoft Azure DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
clientID:
|
|
description: if both this and ClientSecret are left
|
|
unset MSI will be used
|
|
type: string
|
|
clientSecretSecretRef:
|
|
description: if both this and ClientID are left
|
|
unset MSI will be used
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
environment:
|
|
enum:
|
|
- AzurePublicCloud
|
|
- AzureChinaCloud
|
|
- AzureGermanCloud
|
|
- AzureUSGovernmentCloud
|
|
type: string
|
|
hostedZoneName:
|
|
type: string
|
|
resourceGroupName:
|
|
type: string
|
|
subscriptionID:
|
|
type: string
|
|
tenantID:
|
|
description: when specifying ClientID and ClientSecret
|
|
then this field is also needed
|
|
type: string
|
|
required:
|
|
- resourceGroupName
|
|
- subscriptionID
|
|
type: object
|
|
clouddns:
|
|
description: Use the Google Cloud DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
hostedZoneName:
|
|
description: HostedZoneName is an optional field
|
|
that tells cert-manager in which Cloud DNS zone
|
|
the challenge record has to be created. If left
|
|
empty cert-manager will automatically choose a
|
|
zone.
|
|
type: string
|
|
project:
|
|
type: string
|
|
serviceAccountSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- project
|
|
type: object
|
|
cloudflare:
|
|
description: Use the Cloudflare API to manage DNS01
|
|
challenge records.
|
|
properties:
|
|
apiKeySecretRef:
|
|
description: 'API key to use to authenticate with
|
|
Cloudflare. Note: using an API token to authenticate
|
|
is now the recommended method as it allows greater
|
|
control of permissions.'
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
apiTokenSecretRef:
|
|
description: API token used to authenticate with
|
|
Cloudflare.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
email:
|
|
description: Email of the account, only required
|
|
when using API key based authentication.
|
|
type: string
|
|
type: object
|
|
cnameStrategy:
|
|
description: CNAMEStrategy configures how the DNS01
|
|
provider should handle CNAME records when found in
|
|
DNS zones.
|
|
enum:
|
|
- None
|
|
- Follow
|
|
type: string
|
|
digitalocean:
|
|
description: Use the DigitalOcean DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
tokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- tokenSecretRef
|
|
type: object
|
|
rfc2136:
|
|
description: Use RFC2136 ("Dynamic Updates in the Domain
|
|
Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
|
to manage DNS01 challenge records.
|
|
properties:
|
|
nameserver:
|
|
description: The IP address or hostname of an authoritative
|
|
DNS server supporting RFC2136 in the form host:port.
|
|
If the host is an IPv6 address it must be enclosed
|
|
in square brackets (e.g [2001:db8::1]) ; port
|
|
is optional. This field is required.
|
|
type: string
|
|
tsigAlgorithm:
|
|
description: 'The TSIG Algorithm configured in the
|
|
DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
|
and ``tsigKeyName`` are defined. Supported values
|
|
are (case-insensitive): ``HMACMD5`` (default),
|
|
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
|
type: string
|
|
tsigKeyName:
|
|
description: The TSIG Key name configured in the
|
|
DNS. If ``tsigSecretSecretRef`` is defined, this
|
|
field is required.
|
|
type: string
|
|
tsigSecretSecretRef:
|
|
description: The name of the secret containing the
|
|
TSIG value. If ``tsigKeyName`` is defined, this
|
|
field is required.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- nameserver
|
|
type: object
|
|
route53:
|
|
description: Use the AWS Route53 API to manage DNS01
|
|
challenge records.
|
|
properties:
|
|
accessKeyID:
|
|
description: 'The AccessKeyID is used for authentication.
|
|
If not set we fall-back to using env vars, shared
|
|
credentials file or AWS Instance metadata see:
|
|
https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
type: string
|
|
hostedZoneID:
|
|
description: If set, the provider will manage only
|
|
this zone in Route53 and will not do an lookup
|
|
using the route53:ListHostedZonesByName api call.
|
|
type: string
|
|
region:
|
|
description: Always set the region when using AccessKeyID
|
|
and SecretAccessKey
|
|
type: string
|
|
role:
|
|
description: Role is a Role ARN which the Route53
|
|
provider will assume using either the explicit
|
|
credentials AccessKeyID/SecretAccessKey or the
|
|
inferred credentials from environment variables,
|
|
shared credentials file or AWS Instance metadata
|
|
type: string
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication.
|
|
If not set we fall-back to using env vars, shared
|
|
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- region
|
|
type: object
|
|
webhook:
|
|
description: Configure an external webhook based DNS01
|
|
challenge solver to manage DNS01 challenge records.
|
|
properties:
|
|
config:
|
|
description: Additional configuration that should
|
|
be passed to the webhook apiserver when challenges
|
|
are processed. This can contain arbitrary JSON
|
|
data. Secret values should not be specified in
|
|
this stanza. If secret values are needed (e.g.
|
|
credentials for a DNS service), you should use
|
|
a SecretKeySelector to reference a Secret resource.
|
|
For details on the schema of this field, consult
|
|
the webhook provider implementation's documentation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
groupName:
|
|
description: The API group name that should be used
|
|
when POSTing ChallengePayload resources to the
|
|
webhook apiserver. This should be the same as
|
|
the GroupName specified in the webhook provider
|
|
implementation.
|
|
type: string
|
|
solverName:
|
|
description: The name of the solver to use, as defined
|
|
in the webhook provider implementation. This will
|
|
typically be the name of the provider, e.g. 'cloudflare'.
|
|
type: string
|
|
required:
|
|
- groupName
|
|
- solverName
|
|
type: object
|
|
type: object
|
|
http01:
|
|
description: Configures cert-manager to attempt to complete
|
|
authorizations by performing the HTTP01 challenge flow.
|
|
It is not possible to obtain certificates for wildcard
|
|
domain names (e.g. `*.example.com`) using the HTTP01 challenge
|
|
mechanism.
|
|
properties:
|
|
ingress:
|
|
description: The ingress based HTTP01 challenge solver
|
|
will solve challenges by creating or modifying Ingress
|
|
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
|
|
to 'challenge solver' pods that are provisioned by
|
|
cert-manager for each Challenge to be completed.
|
|
properties:
|
|
class:
|
|
description: The ingress class to use when creating
|
|
Ingress resources to solve ACME challenges that
|
|
use this challenge solver. Only one of 'class'
|
|
or 'name' may be specified.
|
|
type: string
|
|
ingressTemplate:
|
|
description: Optional ingress template used to configure
|
|
the ACME challenge solver ingress used for HTTP01
|
|
challenges
|
|
properties:
|
|
metadata:
|
|
description: ObjectMeta overrides for the ingress
|
|
used to solve HTTP01 challenges. Only the
|
|
'labels' and 'annotations' fields may be set.
|
|
If labels or annotations overlap with in-built
|
|
values, the values here will override the
|
|
in-built values.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations that should be
|
|
added to the created ACME HTTP01 solver
|
|
ingress.
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels that should be added
|
|
to the created ACME HTTP01 solver ingress.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
name:
|
|
description: The name of the ingress resource that
|
|
should have ACME challenge solving routes inserted
|
|
into it in order to solve HTTP01 challenges. This
|
|
is typically used in conjunction with ingress
|
|
controllers like ingress-gce, which maintains
|
|
a 1:1 mapping between external IPs and ingress
|
|
resources.
|
|
type: string
|
|
podTemplate:
|
|
description: Optional pod template used to configure
|
|
the ACME challenge solver pods used for HTTP01
|
|
challenges
|
|
properties:
|
|
metadata:
|
|
description: ObjectMeta overrides for the pod
|
|
used to solve HTTP01 challenges. Only the
|
|
'labels' and 'annotations' fields may be set.
|
|
If labels or annotations overlap with in-built
|
|
values, the values here will override the
|
|
in-built values.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations that should be
|
|
added to the create ACME HTTP01 solver
|
|
pods.
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels that should be added
|
|
to the created ACME HTTP01 solver pods.
|
|
type: object
|
|
type: object
|
|
spec:
|
|
description: PodSpec defines overrides for the
|
|
HTTP01 challenge solver pod. Only the 'priorityClassName',
|
|
'nodeSelector', 'affinity', 'serviceAccountName'
|
|
and 'tolerations' fields are supported currently.
|
|
All other fields will be ignored.
|
|
properties:
|
|
affinity:
|
|
description: If specified, the pod's scheduling
|
|
constraints
|
|
properties:
|
|
nodeAffinity:
|
|
description: Describes node affinity
|
|
scheduling rules for the pod.
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the affinity expressions
|
|
specified by this field, but it
|
|
may choose a node that violates
|
|
one or more of the expressions.
|
|
The node that is most preferred
|
|
is the one with the greatest sum
|
|
of weights, i.e. for each node
|
|
that meets all of the scheduling
|
|
requirements (resource request,
|
|
requiredDuringScheduling affinity
|
|
expressions, etc.), compute a
|
|
sum by iterating through the elements
|
|
of this field and adding "weight"
|
|
to the sum if the node matches
|
|
the corresponding matchExpressions;
|
|
the node(s) with the highest sum
|
|
are the most preferred.
|
|
items:
|
|
description: An empty preferred
|
|
scheduling term matches all
|
|
objects with implicit weight
|
|
0 (i.e. it's a no-op). A null
|
|
preferred scheduling term matches
|
|
no objects (i.e. is also a no-op).
|
|
properties:
|
|
preference:
|
|
description: A node selector
|
|
term, associated with the
|
|
corresponding weight.
|
|
properties:
|
|
matchExpressions:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's labels.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchFields:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's fields.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
type: object
|
|
weight:
|
|
description: Weight associated
|
|
with matching the corresponding
|
|
nodeSelectorTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- preference
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the affinity requirements
|
|
specified by this field are not
|
|
met at scheduling time, the pod
|
|
will not be scheduled onto the
|
|
node. If the affinity requirements
|
|
specified by this field cease
|
|
to be met at some point during
|
|
pod execution (e.g. due to an
|
|
update), the system may or may
|
|
not try to eventually evict the
|
|
pod from its node.
|
|
properties:
|
|
nodeSelectorTerms:
|
|
description: Required. A list
|
|
of node selector terms. The
|
|
terms are ORed.
|
|
items:
|
|
description: A null or empty
|
|
node selector term matches
|
|
no objects. The requirements
|
|
of them are ANDed. The TopologySelectorTerm
|
|
type implements a subset
|
|
of the NodeSelectorTerm.
|
|
properties:
|
|
matchExpressions:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's labels.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchFields:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's fields.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
required:
|
|
- nodeSelectorTerms
|
|
type: object
|
|
type: object
|
|
podAffinity:
|
|
description: Describes pod affinity
|
|
scheduling rules (e.g. co-locate this
|
|
pod in the same node, zone, etc. as
|
|
some other pod(s)).
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the affinity expressions
|
|
specified by this field, but it
|
|
may choose a node that violates
|
|
one or more of the expressions.
|
|
The node that is most preferred
|
|
is the one with the greatest sum
|
|
of weights, i.e. for each node
|
|
that meets all of the scheduling
|
|
requirements (resource request,
|
|
requiredDuringScheduling affinity
|
|
expressions, etc.), compute a
|
|
sum by iterating through the elements
|
|
of this field and adding "weight"
|
|
to the sum if the node has pods
|
|
which matches the corresponding
|
|
podAffinityTerm; the node(s) with
|
|
the highest sum are the most preferred.
|
|
items:
|
|
description: The weights of all
|
|
of the matched WeightedPodAffinityTerm
|
|
fields are added per-node to
|
|
find the most preferred node(s)
|
|
properties:
|
|
podAffinityTerm:
|
|
description: Required. A pod
|
|
affinity term, associated
|
|
with the corresponding weight.
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label
|
|
selector requirements.
|
|
The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector
|
|
that contains
|
|
values, a key,
|
|
and an operator
|
|
that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label
|
|
key that the
|
|
selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents
|
|
a key's relationship
|
|
to a set of
|
|
values. Valid
|
|
operators
|
|
are In, NotIn,
|
|
Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array
|
|
of string
|
|
values. If
|
|
the operator
|
|
is In or NotIn,
|
|
the values
|
|
array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists
|
|
or DoesNotExist,
|
|
the values
|
|
array must
|
|
be empty.
|
|
This array
|
|
is replaced
|
|
during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single
|
|
{key,value} in the
|
|
matchLabels map
|
|
is equivalent to
|
|
an element of matchExpressions,
|
|
whose key field
|
|
is "key", the operator
|
|
is "In", and the
|
|
values array contains
|
|
only "value". The
|
|
requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces
|
|
specifies which namespaces
|
|
the labelSelector applies
|
|
to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod
|
|
should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with
|
|
the pods matching the
|
|
labelSelector in the
|
|
specified namespaces,
|
|
where co-located is
|
|
defined as running on
|
|
a node whose value of
|
|
the label with key topologyKey
|
|
matches that of any
|
|
node on which any of
|
|
the selected pods is
|
|
running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
weight:
|
|
description: weight associated
|
|
with matching the corresponding
|
|
podAffinityTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- podAffinityTerm
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the affinity requirements
|
|
specified by this field are not
|
|
met at scheduling time, the pod
|
|
will not be scheduled onto the
|
|
node. If the affinity requirements
|
|
specified by this field cease
|
|
to be met at some point during
|
|
pod execution (e.g. due to a pod
|
|
label update), the system may
|
|
or may not try to eventually evict
|
|
the pod from its node. When there
|
|
are multiple elements, the lists
|
|
of nodes corresponding to each
|
|
podAffinityTerm are intersected,
|
|
i.e. all terms must be satisfied.
|
|
items:
|
|
description: Defines a set of
|
|
pods (namely those matching
|
|
the labelSelector relative to
|
|
the given namespace(s)) that
|
|
this pod should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with, where
|
|
co-located is defined as running
|
|
on a node whose value of the
|
|
label with key <topologyKey>
|
|
matches that of any node on
|
|
which a pod of the set of pods
|
|
is running
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label selector
|
|
requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label key
|
|
that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents a key's
|
|
relationship to
|
|
a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array of
|
|
string values.
|
|
If the operator
|
|
is In or NotIn,
|
|
the values array
|
|
must be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single {key,value}
|
|
in the matchLabels map
|
|
is equivalent to an
|
|
element of matchExpressions,
|
|
whose key field is "key",
|
|
the operator is "In",
|
|
and the values array
|
|
contains only "value".
|
|
The requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces specifies
|
|
which namespaces the labelSelector
|
|
applies to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod should
|
|
be co-located (affinity)
|
|
or not co-located (anti-affinity)
|
|
with the pods matching the
|
|
labelSelector in the specified
|
|
namespaces, where co-located
|
|
is defined as running on
|
|
a node whose value of the
|
|
label with key topologyKey
|
|
matches that of any node
|
|
on which any of the selected
|
|
pods is running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
type: array
|
|
type: object
|
|
podAntiAffinity:
|
|
description: Describes pod anti-affinity
|
|
scheduling rules (e.g. avoid putting
|
|
this pod in the same node, zone, etc.
|
|
as some other pod(s)).
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the anti-affinity
|
|
expressions specified by this
|
|
field, but it may choose a node
|
|
that violates one or more of the
|
|
expressions. The node that is
|
|
most preferred is the one with
|
|
the greatest sum of weights, i.e.
|
|
for each node that meets all of
|
|
the scheduling requirements (resource
|
|
request, requiredDuringScheduling
|
|
anti-affinity expressions, etc.),
|
|
compute a sum by iterating through
|
|
the elements of this field and
|
|
adding "weight" to the sum if
|
|
the node has pods which matches
|
|
the corresponding podAffinityTerm;
|
|
the node(s) with the highest sum
|
|
are the most preferred.
|
|
items:
|
|
description: The weights of all
|
|
of the matched WeightedPodAffinityTerm
|
|
fields are added per-node to
|
|
find the most preferred node(s)
|
|
properties:
|
|
podAffinityTerm:
|
|
description: Required. A pod
|
|
affinity term, associated
|
|
with the corresponding weight.
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label
|
|
selector requirements.
|
|
The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector
|
|
that contains
|
|
values, a key,
|
|
and an operator
|
|
that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label
|
|
key that the
|
|
selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents
|
|
a key's relationship
|
|
to a set of
|
|
values. Valid
|
|
operators
|
|
are In, NotIn,
|
|
Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array
|
|
of string
|
|
values. If
|
|
the operator
|
|
is In or NotIn,
|
|
the values
|
|
array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists
|
|
or DoesNotExist,
|
|
the values
|
|
array must
|
|
be empty.
|
|
This array
|
|
is replaced
|
|
during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single
|
|
{key,value} in the
|
|
matchLabels map
|
|
is equivalent to
|
|
an element of matchExpressions,
|
|
whose key field
|
|
is "key", the operator
|
|
is "In", and the
|
|
values array contains
|
|
only "value". The
|
|
requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces
|
|
specifies which namespaces
|
|
the labelSelector applies
|
|
to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod
|
|
should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with
|
|
the pods matching the
|
|
labelSelector in the
|
|
specified namespaces,
|
|
where co-located is
|
|
defined as running on
|
|
a node whose value of
|
|
the label with key topologyKey
|
|
matches that of any
|
|
node on which any of
|
|
the selected pods is
|
|
running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
weight:
|
|
description: weight associated
|
|
with matching the corresponding
|
|
podAffinityTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- podAffinityTerm
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the anti-affinity
|
|
requirements specified by this
|
|
field are not met at scheduling
|
|
time, the pod will not be scheduled
|
|
onto the node. If the anti-affinity
|
|
requirements specified by this
|
|
field cease to be met at some
|
|
point during pod execution (e.g.
|
|
due to a pod label update), the
|
|
system may or may not try to eventually
|
|
evict the pod from its node. When
|
|
there are multiple elements, the
|
|
lists of nodes corresponding to
|
|
each podAffinityTerm are intersected,
|
|
i.e. all terms must be satisfied.
|
|
items:
|
|
description: Defines a set of
|
|
pods (namely those matching
|
|
the labelSelector relative to
|
|
the given namespace(s)) that
|
|
this pod should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with, where
|
|
co-located is defined as running
|
|
on a node whose value of the
|
|
label with key <topologyKey>
|
|
matches that of any node on
|
|
which a pod of the set of pods
|
|
is running
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label selector
|
|
requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label key
|
|
that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents a key's
|
|
relationship to
|
|
a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array of
|
|
string values.
|
|
If the operator
|
|
is In or NotIn,
|
|
the values array
|
|
must be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single {key,value}
|
|
in the matchLabels map
|
|
is equivalent to an
|
|
element of matchExpressions,
|
|
whose key field is "key",
|
|
the operator is "In",
|
|
and the values array
|
|
contains only "value".
|
|
The requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces specifies
|
|
which namespaces the labelSelector
|
|
applies to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod should
|
|
be co-located (affinity)
|
|
or not co-located (anti-affinity)
|
|
with the pods matching the
|
|
labelSelector in the specified
|
|
namespaces, where co-located
|
|
is defined as running on
|
|
a node whose value of the
|
|
label with key topologyKey
|
|
matches that of any node
|
|
on which any of the selected
|
|
pods is running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
nodeSelector:
|
|
additionalProperties:
|
|
type: string
|
|
description: 'NodeSelector is a selector
|
|
which must be true for the pod to fit
|
|
on a node. Selector which must match a
|
|
node''s labels for the pod to be scheduled
|
|
on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
|
type: object
|
|
priorityClassName:
|
|
description: If specified, the pod's priorityClassName.
|
|
type: string
|
|
serviceAccountName:
|
|
description: If specified, the pod's service
|
|
account
|
|
type: string
|
|
tolerations:
|
|
description: If specified, the pod's tolerations.
|
|
items:
|
|
description: The pod this Toleration is
|
|
attached to tolerates any taint that
|
|
matches the triple <key,value,effect>
|
|
using the matching operator <operator>.
|
|
properties:
|
|
effect:
|
|
description: Effect indicates the
|
|
taint effect to match. Empty means
|
|
match all taint effects. When specified,
|
|
allowed values are NoSchedule, PreferNoSchedule
|
|
and NoExecute.
|
|
type: string
|
|
key:
|
|
description: Key is the taint key
|
|
that the toleration applies to.
|
|
Empty means match all taint keys.
|
|
If the key is empty, operator must
|
|
be Exists; this combination means
|
|
to match all values and all keys.
|
|
type: string
|
|
operator:
|
|
description: Operator represents a
|
|
key's relationship to the value.
|
|
Valid operators are Exists and Equal.
|
|
Defaults to Equal. Exists is equivalent
|
|
to wildcard for value, so that a
|
|
pod can tolerate all taints of a
|
|
particular category.
|
|
type: string
|
|
tolerationSeconds:
|
|
description: TolerationSeconds represents
|
|
the period of time the toleration
|
|
(which must be of effect NoExecute,
|
|
otherwise this field is ignored)
|
|
tolerates the taint. By default,
|
|
it is not set, which means tolerate
|
|
the taint forever (do not evict).
|
|
Zero and negative values will be
|
|
treated as 0 (evict immediately)
|
|
by the system.
|
|
format: int64
|
|
type: integer
|
|
value:
|
|
description: Value is the taint value
|
|
the toleration matches to. If the
|
|
operator is Exists, the value should
|
|
be empty, otherwise just a regular
|
|
string.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
serviceType:
|
|
description: Optional service type for Kubernetes
|
|
solver service
|
|
type: string
|
|
type: object
|
|
type: object
|
|
selector:
|
|
description: Selector selects a set of DNSNames on the Certificate
|
|
resource that should be solved using this challenge solver.
|
|
If not specified, the solver will be treated as the 'default'
|
|
solver with the lowest priority, i.e. if any other solver
|
|
has a more specific match, it will be used instead.
|
|
properties:
|
|
dnsNames:
|
|
description: List of DNSNames that this solver will
|
|
be used to solve. If specified and a match is found,
|
|
a dnsNames selector will take precedence over a dnsZones
|
|
selector. If multiple solvers match with the same
|
|
dnsNames value, the solver with the most matching
|
|
labels in matchLabels will be selected. If neither
|
|
has more matches, the solver defined earlier in the
|
|
list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
dnsZones:
|
|
description: List of DNSZones that this solver will
|
|
be used to solve. The most specific DNS zone match
|
|
specified here will take precedence over other DNS
|
|
zone matches, so a solver specifying sys.example.com
|
|
will be selected over one specifying example.com for
|
|
the domain www.sys.example.com. If multiple solvers
|
|
match with the same dnsZones value, the solver with
|
|
the most matching labels in matchLabels will be selected.
|
|
If neither has more matches, the solver defined earlier
|
|
in the list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: A label selector that is used to refine
|
|
the set of certificate's that this challenge solver
|
|
will apply to.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: array
|
|
required:
|
|
- privateKeySecretRef
|
|
- server
|
|
type: object
|
|
ca:
|
|
description: CA configures this issuer to sign certificates using
|
|
a signing CA keypair stored in a Secret resource. This is used to
|
|
build internal PKIs that are managed by cert-manager.
|
|
properties:
|
|
crlDistributionPoints:
|
|
description: The CRL distribution points is an X.509 v3 certificate
|
|
extension which identifies the location of the CRL from which
|
|
the revocation of this certificate can be checked. If not set,
|
|
certificates will be issued without distribution points set.
|
|
items:
|
|
type: string
|
|
type: array
|
|
secretName:
|
|
description: SecretName is the name of the secret used to sign
|
|
Certificates issued by this Issuer.
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
selfSigned:
|
|
description: SelfSigned configures this issuer to 'self sign' certificates
|
|
using the private key used to create the CertificateRequest object.
|
|
properties:
|
|
crlDistributionPoints:
|
|
description: The CRL distribution points is an X.509 v3 certificate
|
|
extension which identifies the location of the CRL from which
|
|
the revocation of this certificate can be checked. If not set
|
|
certificate will be issued without CDP. Values are strings.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
vault:
|
|
description: Vault configures this issuer to sign certificates using
|
|
a HashiCorp Vault PKI backend.
|
|
properties:
|
|
auth:
|
|
description: Auth configures how cert-manager authenticates with
|
|
the Vault server.
|
|
properties:
|
|
appRole:
|
|
description: AppRole authenticates with Vault using the App
|
|
Role auth mechanism, with the role and secret stored in
|
|
a Kubernetes Secret resource.
|
|
properties:
|
|
path:
|
|
description: 'Path where the App Role authentication backend
|
|
is mounted in Vault, e.g: "approle"'
|
|
type: string
|
|
roleId:
|
|
description: RoleID configured in the App Role authentication
|
|
backend when setting up the authentication backend in
|
|
Vault.
|
|
type: string
|
|
secretRef:
|
|
description: Reference to a key in a Secret that contains
|
|
the App Role secret used to authenticate with Vault.
|
|
The `key` field must be specified and denotes which
|
|
entry within the Secret resource is used as the app
|
|
role secret.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- path
|
|
- roleId
|
|
- secretRef
|
|
type: object
|
|
kubernetes:
|
|
description: Kubernetes authenticates with Vault by passing
|
|
the ServiceAccount token stored in the named Secret resource
|
|
to the Vault server.
|
|
properties:
|
|
mountPath:
|
|
description: The Vault mountPath here is the mount path
|
|
to use when authenticating with Vault. For example,
|
|
setting a value to `/v1/auth/foo`, will use the path
|
|
`/v1/auth/foo/login` to authenticate with Vault. If
|
|
unspecified, the default value "/v1/auth/kubernetes"
|
|
will be used.
|
|
type: string
|
|
role:
|
|
description: A required field containing the Vault Role
|
|
to assume. A Role binds a Kubernetes ServiceAccount
|
|
with a set of Vault policies.
|
|
type: string
|
|
secretRef:
|
|
description: The required Secret field containing a Kubernetes
|
|
ServiceAccount JWT used for authenticating with Vault.
|
|
Use of 'ambient credentials' is not supported.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- role
|
|
- secretRef
|
|
type: object
|
|
tokenSecretRef:
|
|
description: TokenSecretRef authenticates with Vault by presenting
|
|
a token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
description: PEM encoded CA bundle used to validate Vault server
|
|
certificate. Only used if the Server URL is using HTTPS protocol.
|
|
This parameter is ignored for plain HTTP protocol connection.
|
|
If not set the system root certificates are used to validate
|
|
the TLS connection.
|
|
format: byte
|
|
type: string
|
|
namespace:
|
|
description: 'Name of the vault namespace. Namespaces is a set
|
|
of features within Vault Enterprise that allows Vault environments
|
|
to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
|
|
can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
|
type: string
|
|
path:
|
|
description: 'Path is the mount path of the Vault PKI backend''s
|
|
`sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
|
type: string
|
|
server:
|
|
description: 'Server is the connection address for the Vault server,
|
|
e.g: "https://vault.example.com:8200".'
|
|
type: string
|
|
required:
|
|
- auth
|
|
- path
|
|
- server
|
|
type: object
|
|
venafi:
|
|
description: Venafi configures this issuer to sign certificates using
|
|
a Venafi TPP or Venafi Cloud policy zone.
|
|
properties:
|
|
cloud:
|
|
description: Cloud specifies the Venafi cloud configuration settings.
|
|
Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
apiTokenSecretRef:
|
|
description: APITokenSecretRef is a secret key selector for
|
|
the Venafi Cloud API token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: URL is the base URL for Venafi Cloud. Defaults
|
|
to "https://api.venafi.cloud/v1".
|
|
type: string
|
|
required:
|
|
- apiTokenSecretRef
|
|
type: object
|
|
tpp:
|
|
description: TPP specifies Trust Protection Platform configuration
|
|
settings. Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded TLS certificate to
|
|
use to verify connections to the TPP instance. If specified,
|
|
system roots will not be used and the issuing CA for the
|
|
TPP instance must be verifiable using the provided root.
|
|
If not specified, the connection will be verified using
|
|
the cert-manager system root certificates.
|
|
format: byte
|
|
type: string
|
|
credentialsRef:
|
|
description: CredentialsRef is a reference to a Secret containing
|
|
the username and password for the TPP server. The secret
|
|
must contain two keys, 'username' and 'password'.
|
|
properties:
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: 'URL is the base URL for the vedsdk endpoint
|
|
of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
|
type: string
|
|
required:
|
|
- credentialsRef
|
|
- url
|
|
type: object
|
|
zone:
|
|
description: Zone is the Venafi Policy Zone to use for this issuer.
|
|
All requests made to the Venafi platform will be restricted
|
|
by the named zone policy. This field is required.
|
|
type: string
|
|
required:
|
|
- zone
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: Status of the ClusterIssuer. This is set and managed automatically.
|
|
properties:
|
|
acme:
|
|
description: ACME specific status options. This field should only
|
|
be set if the Issuer is configured to use an ACME server to issue
|
|
certificates.
|
|
properties:
|
|
lastRegisteredEmail:
|
|
description: LastRegisteredEmail is the email associated with
|
|
the latest registered ACME account, in order to track changes
|
|
made to registered account associated with the Issuer
|
|
type: string
|
|
uri:
|
|
description: URI is the unique account identifier, which can also
|
|
be used to retrieve account details from the CA
|
|
type: string
|
|
type: object
|
|
conditions:
|
|
description: List of status conditions to indicate the status of a
|
|
CertificateRequest. Known condition types are `Ready`.
|
|
items:
|
|
description: IssuerCondition contains condition information for
|
|
an Issuer.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: Type of the condition, known values are ('Ready').
|
|
type: string
|
|
required:
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|
name: Status
|
|
priority: 1
|
|
type: string
|
|
- description: CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before
|
|
order across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC.
|
|
jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: A ClusterIssuer represents a certificate issuing authority which
|
|
can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
|
|
however it is cluster-scoped and therefore can be referenced by resources
|
|
that exist in *any* namespace, not just the same namespace as the referent.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the ClusterIssuer resource.
|
|
properties:
|
|
acme:
|
|
description: ACME configures this issuer to communicate with a RFC8555
|
|
(ACME) server to obtain signed x509 certificates.
|
|
properties:
|
|
disableAccountKeyGeneration:
|
|
description: Enables or disables generating a new ACME account
|
|
key. If true, the Issuer resource will *not* request a new account
|
|
but will expect the account key to be supplied via an existing
|
|
secret. If false, the cert-manager system will generate a new
|
|
ACME account key for the Issuer. Defaults to false.
|
|
type: boolean
|
|
email:
|
|
description: Email is the email address to be associated with
|
|
the ACME account. This field is optional, but it is strongly
|
|
recommended to be set. It will be used to contact you in case
|
|
of issues with your account or certificates, including expiry
|
|
notification emails. This field may be updated after the account
|
|
is initially registered.
|
|
type: string
|
|
externalAccountBinding:
|
|
description: ExternalAccountBinding is a reference to a CA external
|
|
account of the ACME server. If set, upon registration cert-manager
|
|
will attempt to associate the given external account credentials
|
|
with the registered ACME account.
|
|
properties:
|
|
keyAlgorithm:
|
|
description: keyAlgorithm is the MAC key algorithm that the
|
|
key is used for. Valid values are "HS256", "HS384" and "HS512".
|
|
enum:
|
|
- HS256
|
|
- HS384
|
|
- HS512
|
|
type: string
|
|
keyID:
|
|
description: keyID is the ID of the CA key that the External
|
|
Account is bound to.
|
|
type: string
|
|
keySecretRef:
|
|
description: keySecretRef is a Secret Key Selector referencing
|
|
a data item in a Kubernetes Secret which holds the symmetric
|
|
MAC key of the External Account Binding. The `key` is the
|
|
index string that is paired with the key data in the Secret
|
|
and should not be confused with the key data itself, or
|
|
indeed with the External Account Binding keyID above. The
|
|
secret key stored in the Secret **must** be un-padded, base64
|
|
URL encoded data.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- keyAlgorithm
|
|
- keyID
|
|
- keySecretRef
|
|
type: object
|
|
preferredChain:
|
|
description: 'PreferredChain is the chain to use if the ACME server
|
|
outputs multiple. PreferredChain is no guarantee that this one
|
|
gets delivered by the ACME endpoint. For example, for Let''s
|
|
Encrypt''s DST crosssign you would use: "DST Root CA X3" or
|
|
"ISRG Root X1" for the newer Let''s Encrypt root CA. This value
|
|
picks the first certificate bundle in the ACME alternative chains
|
|
that has a certificate with this value as its issuer''s CN'
|
|
maxLength: 64
|
|
type: string
|
|
privateKeySecretRef:
|
|
description: PrivateKey is the name of a Kubernetes Secret resource
|
|
that will be used to store the automatically generated ACME
|
|
account private key. Optionally, a `key` may be specified to
|
|
select a specific entry within the named Secret resource. If
|
|
`key` is not specified, a default of `tls.key` will be used.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field may
|
|
be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to. More
|
|
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
server:
|
|
description: 'Server is the URL used to access the ACME server''s
|
|
''directory'' endpoint. For example, for Let''s Encrypt''s staging
|
|
endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
|
|
Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
|
type: string
|
|
skipTLSVerify:
|
|
description: Enables or disables validation of the ACME server
|
|
TLS certificate. If true, requests to the ACME server will not
|
|
have their TLS certificate validated (i.e. insecure connections
|
|
will be allowed). Only enable this option in development environments.
|
|
The cert-manager system installed roots will be used to verify
|
|
connections to the ACME server if this is false. Defaults to
|
|
false.
|
|
type: boolean
|
|
solvers:
|
|
description: 'Solvers is a list of challenge solvers that will
|
|
be used to solve ACME challenges for the matching domains. Solver
|
|
configurations must be provided in order to obtain certificates
|
|
from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
|
items:
|
|
description: Configures an issuer to solve challenges using
|
|
the specified options. Only one of HTTP01 or DNS01 may be
|
|
provided.
|
|
properties:
|
|
dns01:
|
|
description: Configures cert-manager to attempt to complete
|
|
authorizations by performing the DNS01 challenge flow.
|
|
properties:
|
|
acmeDNS:
|
|
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
|
API to manage DNS01 challenge records.
|
|
properties:
|
|
accountSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
host:
|
|
type: string
|
|
required:
|
|
- accountSecretRef
|
|
- host
|
|
type: object
|
|
akamai:
|
|
description: Use the Akamai DNS zone management API
|
|
to manage DNS01 challenge records.
|
|
properties:
|
|
accessTokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
clientSecretSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
clientTokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
serviceConsumerDomain:
|
|
type: string
|
|
required:
|
|
- accessTokenSecretRef
|
|
- clientSecretSecretRef
|
|
- clientTokenSecretRef
|
|
- serviceConsumerDomain
|
|
type: object
|
|
azureDNS:
|
|
description: Use the Microsoft Azure DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
clientID:
|
|
description: if both this and ClientSecret are left
|
|
unset MSI will be used
|
|
type: string
|
|
clientSecretSecretRef:
|
|
description: if both this and ClientID are left
|
|
unset MSI will be used
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
environment:
|
|
enum:
|
|
- AzurePublicCloud
|
|
- AzureChinaCloud
|
|
- AzureGermanCloud
|
|
- AzureUSGovernmentCloud
|
|
type: string
|
|
hostedZoneName:
|
|
type: string
|
|
resourceGroupName:
|
|
type: string
|
|
subscriptionID:
|
|
type: string
|
|
tenantID:
|
|
description: when specifying ClientID and ClientSecret
|
|
then this field is also needed
|
|
type: string
|
|
required:
|
|
- resourceGroupName
|
|
- subscriptionID
|
|
type: object
|
|
cloudDNS:
|
|
description: Use the Google Cloud DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
hostedZoneName:
|
|
description: HostedZoneName is an optional field
|
|
that tells cert-manager in which Cloud DNS zone
|
|
the challenge record has to be created. If left
|
|
empty cert-manager will automatically choose a
|
|
zone.
|
|
type: string
|
|
project:
|
|
type: string
|
|
serviceAccountSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- project
|
|
type: object
|
|
cloudflare:
|
|
description: Use the Cloudflare API to manage DNS01
|
|
challenge records.
|
|
properties:
|
|
apiKeySecretRef:
|
|
description: 'API key to use to authenticate with
|
|
Cloudflare. Note: using an API token to authenticate
|
|
is now the recommended method as it allows greater
|
|
control of permissions.'
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
apiTokenSecretRef:
|
|
description: API token used to authenticate with
|
|
Cloudflare.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
email:
|
|
description: Email of the account, only required
|
|
when using API key based authentication.
|
|
type: string
|
|
type: object
|
|
cnameStrategy:
|
|
description: CNAMEStrategy configures how the DNS01
|
|
provider should handle CNAME records when found in
|
|
DNS zones.
|
|
enum:
|
|
- None
|
|
- Follow
|
|
type: string
|
|
digitalocean:
|
|
description: Use the DigitalOcean DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
tokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- tokenSecretRef
|
|
type: object
|
|
rfc2136:
|
|
description: Use RFC2136 ("Dynamic Updates in the Domain
|
|
Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
|
to manage DNS01 challenge records.
|
|
properties:
|
|
nameserver:
|
|
description: The IP address or hostname of an authoritative
|
|
DNS server supporting RFC2136 in the form host:port.
|
|
If the host is an IPv6 address it must be enclosed
|
|
in square brackets (e.g [2001:db8::1]) ; port
|
|
is optional. This field is required.
|
|
type: string
|
|
tsigAlgorithm:
|
|
description: 'The TSIG Algorithm configured in the
|
|
DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
|
and ``tsigKeyName`` are defined. Supported values
|
|
are (case-insensitive): ``HMACMD5`` (default),
|
|
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
|
type: string
|
|
tsigKeyName:
|
|
description: The TSIG Key name configured in the
|
|
DNS. If ``tsigSecretSecretRef`` is defined, this
|
|
field is required.
|
|
type: string
|
|
tsigSecretSecretRef:
|
|
description: The name of the secret containing the
|
|
TSIG value. If ``tsigKeyName`` is defined, this
|
|
field is required.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- nameserver
|
|
type: object
|
|
route53:
|
|
description: Use the AWS Route53 API to manage DNS01
|
|
challenge records.
|
|
properties:
|
|
accessKeyID:
|
|
description: 'The AccessKeyID is used for authentication.
|
|
If not set we fall-back to using env vars, shared
|
|
credentials file or AWS Instance metadata see:
|
|
https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
type: string
|
|
hostedZoneID:
|
|
description: If set, the provider will manage only
|
|
this zone in Route53 and will not do an lookup
|
|
using the route53:ListHostedZonesByName api call.
|
|
type: string
|
|
region:
|
|
description: Always set the region when using AccessKeyID
|
|
and SecretAccessKey
|
|
type: string
|
|
role:
|
|
description: Role is a Role ARN which the Route53
|
|
provider will assume using either the explicit
|
|
credentials AccessKeyID/SecretAccessKey or the
|
|
inferred credentials from environment variables,
|
|
shared credentials file or AWS Instance metadata
|
|
type: string
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication.
|
|
If not set we fall-back to using env vars, shared
|
|
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- region
|
|
type: object
|
|
webhook:
|
|
description: Configure an external webhook based DNS01
|
|
challenge solver to manage DNS01 challenge records.
|
|
properties:
|
|
config:
|
|
description: Additional configuration that should
|
|
be passed to the webhook apiserver when challenges
|
|
are processed. This can contain arbitrary JSON
|
|
data. Secret values should not be specified in
|
|
this stanza. If secret values are needed (e.g.
|
|
credentials for a DNS service), you should use
|
|
a SecretKeySelector to reference a Secret resource.
|
|
For details on the schema of this field, consult
|
|
the webhook provider implementation's documentation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
groupName:
|
|
description: The API group name that should be used
|
|
when POSTing ChallengePayload resources to the
|
|
webhook apiserver. This should be the same as
|
|
the GroupName specified in the webhook provider
|
|
implementation.
|
|
type: string
|
|
solverName:
|
|
description: The name of the solver to use, as defined
|
|
in the webhook provider implementation. This will
|
|
typically be the name of the provider, e.g. 'cloudflare'.
|
|
type: string
|
|
required:
|
|
- groupName
|
|
- solverName
|
|
type: object
|
|
type: object
|
|
http01:
|
|
description: Configures cert-manager to attempt to complete
|
|
authorizations by performing the HTTP01 challenge flow.
|
|
It is not possible to obtain certificates for wildcard
|
|
domain names (e.g. `*.example.com`) using the HTTP01 challenge
|
|
mechanism.
|
|
properties:
|
|
ingress:
|
|
description: The ingress based HTTP01 challenge solver
|
|
will solve challenges by creating or modifying Ingress
|
|
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
|
|
to 'challenge solver' pods that are provisioned by
|
|
cert-manager for each Challenge to be completed.
|
|
properties:
|
|
class:
|
|
description: The ingress class to use when creating
|
|
Ingress resources to solve ACME challenges that
|
|
use this challenge solver. Only one of 'class'
|
|
or 'name' may be specified.
|
|
type: string
|
|
ingressTemplate:
|
|
description: Optional ingress template used to configure
|
|
the ACME challenge solver ingress used for HTTP01
|
|
challenges
|
|
properties:
|
|
metadata:
|
|
description: ObjectMeta overrides for the ingress
|
|
used to solve HTTP01 challenges. Only the
|
|
'labels' and 'annotations' fields may be set.
|
|
If labels or annotations overlap with in-built
|
|
values, the values here will override the
|
|
in-built values.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations that should be
|
|
added to the created ACME HTTP01 solver
|
|
ingress.
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels that should be added
|
|
to the created ACME HTTP01 solver ingress.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
name:
|
|
description: The name of the ingress resource that
|
|
should have ACME challenge solving routes inserted
|
|
into it in order to solve HTTP01 challenges. This
|
|
is typically used in conjunction with ingress
|
|
controllers like ingress-gce, which maintains
|
|
a 1:1 mapping between external IPs and ingress
|
|
resources.
|
|
type: string
|
|
podTemplate:
|
|
description: Optional pod template used to configure
|
|
the ACME challenge solver pods used for HTTP01
|
|
challenges
|
|
properties:
|
|
metadata:
|
|
description: ObjectMeta overrides for the pod
|
|
used to solve HTTP01 challenges. Only the
|
|
'labels' and 'annotations' fields may be set.
|
|
If labels or annotations overlap with in-built
|
|
values, the values here will override the
|
|
in-built values.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations that should be
|
|
added to the create ACME HTTP01 solver
|
|
pods.
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels that should be added
|
|
to the created ACME HTTP01 solver pods.
|
|
type: object
|
|
type: object
|
|
spec:
|
|
description: PodSpec defines overrides for the
|
|
HTTP01 challenge solver pod. Only the 'priorityClassName',
|
|
'nodeSelector', 'affinity', 'serviceAccountName'
|
|
and 'tolerations' fields are supported currently.
|
|
All other fields will be ignored.
|
|
properties:
|
|
affinity:
|
|
description: If specified, the pod's scheduling
|
|
constraints
|
|
properties:
|
|
nodeAffinity:
|
|
description: Describes node affinity
|
|
scheduling rules for the pod.
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the affinity expressions
|
|
specified by this field, but it
|
|
may choose a node that violates
|
|
one or more of the expressions.
|
|
The node that is most preferred
|
|
is the one with the greatest sum
|
|
of weights, i.e. for each node
|
|
that meets all of the scheduling
|
|
requirements (resource request,
|
|
requiredDuringScheduling affinity
|
|
expressions, etc.), compute a
|
|
sum by iterating through the elements
|
|
of this field and adding "weight"
|
|
to the sum if the node matches
|
|
the corresponding matchExpressions;
|
|
the node(s) with the highest sum
|
|
are the most preferred.
|
|
items:
|
|
description: An empty preferred
|
|
scheduling term matches all
|
|
objects with implicit weight
|
|
0 (i.e. it's a no-op). A null
|
|
preferred scheduling term matches
|
|
no objects (i.e. is also a no-op).
|
|
properties:
|
|
preference:
|
|
description: A node selector
|
|
term, associated with the
|
|
corresponding weight.
|
|
properties:
|
|
matchExpressions:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's labels.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchFields:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's fields.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
type: object
|
|
weight:
|
|
description: Weight associated
|
|
with matching the corresponding
|
|
nodeSelectorTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- preference
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the affinity requirements
|
|
specified by this field are not
|
|
met at scheduling time, the pod
|
|
will not be scheduled onto the
|
|
node. If the affinity requirements
|
|
specified by this field cease
|
|
to be met at some point during
|
|
pod execution (e.g. due to an
|
|
update), the system may or may
|
|
not try to eventually evict the
|
|
pod from its node.
|
|
properties:
|
|
nodeSelectorTerms:
|
|
description: Required. A list
|
|
of node selector terms. The
|
|
terms are ORed.
|
|
items:
|
|
description: A null or empty
|
|
node selector term matches
|
|
no objects. The requirements
|
|
of them are ANDed. The TopologySelectorTerm
|
|
type implements a subset
|
|
of the NodeSelectorTerm.
|
|
properties:
|
|
matchExpressions:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's labels.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchFields:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's fields.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
required:
|
|
- nodeSelectorTerms
|
|
type: object
|
|
type: object
|
|
podAffinity:
|
|
description: Describes pod affinity
|
|
scheduling rules (e.g. co-locate this
|
|
pod in the same node, zone, etc. as
|
|
some other pod(s)).
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the affinity expressions
|
|
specified by this field, but it
|
|
may choose a node that violates
|
|
one or more of the expressions.
|
|
The node that is most preferred
|
|
is the one with the greatest sum
|
|
of weights, i.e. for each node
|
|
that meets all of the scheduling
|
|
requirements (resource request,
|
|
requiredDuringScheduling affinity
|
|
expressions, etc.), compute a
|
|
sum by iterating through the elements
|
|
of this field and adding "weight"
|
|
to the sum if the node has pods
|
|
which matches the corresponding
|
|
podAffinityTerm; the node(s) with
|
|
the highest sum are the most preferred.
|
|
items:
|
|
description: The weights of all
|
|
of the matched WeightedPodAffinityTerm
|
|
fields are added per-node to
|
|
find the most preferred node(s)
|
|
properties:
|
|
podAffinityTerm:
|
|
description: Required. A pod
|
|
affinity term, associated
|
|
with the corresponding weight.
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label
|
|
selector requirements.
|
|
The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector
|
|
that contains
|
|
values, a key,
|
|
and an operator
|
|
that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label
|
|
key that the
|
|
selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents
|
|
a key's relationship
|
|
to a set of
|
|
values. Valid
|
|
operators
|
|
are In, NotIn,
|
|
Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array
|
|
of string
|
|
values. If
|
|
the operator
|
|
is In or NotIn,
|
|
the values
|
|
array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists
|
|
or DoesNotExist,
|
|
the values
|
|
array must
|
|
be empty.
|
|
This array
|
|
is replaced
|
|
during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single
|
|
{key,value} in the
|
|
matchLabels map
|
|
is equivalent to
|
|
an element of matchExpressions,
|
|
whose key field
|
|
is "key", the operator
|
|
is "In", and the
|
|
values array contains
|
|
only "value". The
|
|
requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces
|
|
specifies which namespaces
|
|
the labelSelector applies
|
|
to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod
|
|
should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with
|
|
the pods matching the
|
|
labelSelector in the
|
|
specified namespaces,
|
|
where co-located is
|
|
defined as running on
|
|
a node whose value of
|
|
the label with key topologyKey
|
|
matches that of any
|
|
node on which any of
|
|
the selected pods is
|
|
running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
weight:
|
|
description: weight associated
|
|
with matching the corresponding
|
|
podAffinityTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- podAffinityTerm
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the affinity requirements
|
|
specified by this field are not
|
|
met at scheduling time, the pod
|
|
will not be scheduled onto the
|
|
node. If the affinity requirements
|
|
specified by this field cease
|
|
to be met at some point during
|
|
pod execution (e.g. due to a pod
|
|
label update), the system may
|
|
or may not try to eventually evict
|
|
the pod from its node. When there
|
|
are multiple elements, the lists
|
|
of nodes corresponding to each
|
|
podAffinityTerm are intersected,
|
|
i.e. all terms must be satisfied.
|
|
items:
|
|
description: Defines a set of
|
|
pods (namely those matching
|
|
the labelSelector relative to
|
|
the given namespace(s)) that
|
|
this pod should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with, where
|
|
co-located is defined as running
|
|
on a node whose value of the
|
|
label with key <topologyKey>
|
|
matches that of any node on
|
|
which a pod of the set of pods
|
|
is running
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label selector
|
|
requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label key
|
|
that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents a key's
|
|
relationship to
|
|
a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array of
|
|
string values.
|
|
If the operator
|
|
is In or NotIn,
|
|
the values array
|
|
must be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single {key,value}
|
|
in the matchLabels map
|
|
is equivalent to an
|
|
element of matchExpressions,
|
|
whose key field is "key",
|
|
the operator is "In",
|
|
and the values array
|
|
contains only "value".
|
|
The requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces specifies
|
|
which namespaces the labelSelector
|
|
applies to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod should
|
|
be co-located (affinity)
|
|
or not co-located (anti-affinity)
|
|
with the pods matching the
|
|
labelSelector in the specified
|
|
namespaces, where co-located
|
|
is defined as running on
|
|
a node whose value of the
|
|
label with key topologyKey
|
|
matches that of any node
|
|
on which any of the selected
|
|
pods is running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
type: array
|
|
type: object
|
|
podAntiAffinity:
|
|
description: Describes pod anti-affinity
|
|
scheduling rules (e.g. avoid putting
|
|
this pod in the same node, zone, etc.
|
|
as some other pod(s)).
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the anti-affinity
|
|
expressions specified by this
|
|
field, but it may choose a node
|
|
that violates one or more of the
|
|
expressions. The node that is
|
|
most preferred is the one with
|
|
the greatest sum of weights, i.e.
|
|
for each node that meets all of
|
|
the scheduling requirements (resource
|
|
request, requiredDuringScheduling
|
|
anti-affinity expressions, etc.),
|
|
compute a sum by iterating through
|
|
the elements of this field and
|
|
adding "weight" to the sum if
|
|
the node has pods which matches
|
|
the corresponding podAffinityTerm;
|
|
the node(s) with the highest sum
|
|
are the most preferred.
|
|
items:
|
|
description: The weights of all
|
|
of the matched WeightedPodAffinityTerm
|
|
fields are added per-node to
|
|
find the most preferred node(s)
|
|
properties:
|
|
podAffinityTerm:
|
|
description: Required. A pod
|
|
affinity term, associated
|
|
with the corresponding weight.
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label
|
|
selector requirements.
|
|
The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector
|
|
that contains
|
|
values, a key,
|
|
and an operator
|
|
that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label
|
|
key that the
|
|
selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents
|
|
a key's relationship
|
|
to a set of
|
|
values. Valid
|
|
operators
|
|
are In, NotIn,
|
|
Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array
|
|
of string
|
|
values. If
|
|
the operator
|
|
is In or NotIn,
|
|
the values
|
|
array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists
|
|
or DoesNotExist,
|
|
the values
|
|
array must
|
|
be empty.
|
|
This array
|
|
is replaced
|
|
during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single
|
|
{key,value} in the
|
|
matchLabels map
|
|
is equivalent to
|
|
an element of matchExpressions,
|
|
whose key field
|
|
is "key", the operator
|
|
is "In", and the
|
|
values array contains
|
|
only "value". The
|
|
requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces
|
|
specifies which namespaces
|
|
the labelSelector applies
|
|
to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod
|
|
should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with
|
|
the pods matching the
|
|
labelSelector in the
|
|
specified namespaces,
|
|
where co-located is
|
|
defined as running on
|
|
a node whose value of
|
|
the label with key topologyKey
|
|
matches that of any
|
|
node on which any of
|
|
the selected pods is
|
|
running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
weight:
|
|
description: weight associated
|
|
with matching the corresponding
|
|
podAffinityTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- podAffinityTerm
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the anti-affinity
|
|
requirements specified by this
|
|
field are not met at scheduling
|
|
time, the pod will not be scheduled
|
|
onto the node. If the anti-affinity
|
|
requirements specified by this
|
|
field cease to be met at some
|
|
point during pod execution (e.g.
|
|
due to a pod label update), the
|
|
system may or may not try to eventually
|
|
evict the pod from its node. When
|
|
there are multiple elements, the
|
|
lists of nodes corresponding to
|
|
each podAffinityTerm are intersected,
|
|
i.e. all terms must be satisfied.
|
|
items:
|
|
description: Defines a set of
|
|
pods (namely those matching
|
|
the labelSelector relative to
|
|
the given namespace(s)) that
|
|
this pod should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with, where
|
|
co-located is defined as running
|
|
on a node whose value of the
|
|
label with key <topologyKey>
|
|
matches that of any node on
|
|
which a pod of the set of pods
|
|
is running
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label selector
|
|
requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label key
|
|
that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents a key's
|
|
relationship to
|
|
a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array of
|
|
string values.
|
|
If the operator
|
|
is In or NotIn,
|
|
the values array
|
|
must be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single {key,value}
|
|
in the matchLabels map
|
|
is equivalent to an
|
|
element of matchExpressions,
|
|
whose key field is "key",
|
|
the operator is "In",
|
|
and the values array
|
|
contains only "value".
|
|
The requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces specifies
|
|
which namespaces the labelSelector
|
|
applies to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod should
|
|
be co-located (affinity)
|
|
or not co-located (anti-affinity)
|
|
with the pods matching the
|
|
labelSelector in the specified
|
|
namespaces, where co-located
|
|
is defined as running on
|
|
a node whose value of the
|
|
label with key topologyKey
|
|
matches that of any node
|
|
on which any of the selected
|
|
pods is running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
nodeSelector:
|
|
additionalProperties:
|
|
type: string
|
|
description: 'NodeSelector is a selector
|
|
which must be true for the pod to fit
|
|
on a node. Selector which must match a
|
|
node''s labels for the pod to be scheduled
|
|
on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
|
type: object
|
|
priorityClassName:
|
|
description: If specified, the pod's priorityClassName.
|
|
type: string
|
|
serviceAccountName:
|
|
description: If specified, the pod's service
|
|
account
|
|
type: string
|
|
tolerations:
|
|
description: If specified, the pod's tolerations.
|
|
items:
|
|
description: The pod this Toleration is
|
|
attached to tolerates any taint that
|
|
matches the triple <key,value,effect>
|
|
using the matching operator <operator>.
|
|
properties:
|
|
effect:
|
|
description: Effect indicates the
|
|
taint effect to match. Empty means
|
|
match all taint effects. When specified,
|
|
allowed values are NoSchedule, PreferNoSchedule
|
|
and NoExecute.
|
|
type: string
|
|
key:
|
|
description: Key is the taint key
|
|
that the toleration applies to.
|
|
Empty means match all taint keys.
|
|
If the key is empty, operator must
|
|
be Exists; this combination means
|
|
to match all values and all keys.
|
|
type: string
|
|
operator:
|
|
description: Operator represents a
|
|
key's relationship to the value.
|
|
Valid operators are Exists and Equal.
|
|
Defaults to Equal. Exists is equivalent
|
|
to wildcard for value, so that a
|
|
pod can tolerate all taints of a
|
|
particular category.
|
|
type: string
|
|
tolerationSeconds:
|
|
description: TolerationSeconds represents
|
|
the period of time the toleration
|
|
(which must be of effect NoExecute,
|
|
otherwise this field is ignored)
|
|
tolerates the taint. By default,
|
|
it is not set, which means tolerate
|
|
the taint forever (do not evict).
|
|
Zero and negative values will be
|
|
treated as 0 (evict immediately)
|
|
by the system.
|
|
format: int64
|
|
type: integer
|
|
value:
|
|
description: Value is the taint value
|
|
the toleration matches to. If the
|
|
operator is Exists, the value should
|
|
be empty, otherwise just a regular
|
|
string.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
serviceType:
|
|
description: Optional service type for Kubernetes
|
|
solver service
|
|
type: string
|
|
type: object
|
|
type: object
|
|
selector:
|
|
description: Selector selects a set of DNSNames on the Certificate
|
|
resource that should be solved using this challenge solver.
|
|
If not specified, the solver will be treated as the 'default'
|
|
solver with the lowest priority, i.e. if any other solver
|
|
has a more specific match, it will be used instead.
|
|
properties:
|
|
dnsNames:
|
|
description: List of DNSNames that this solver will
|
|
be used to solve. If specified and a match is found,
|
|
a dnsNames selector will take precedence over a dnsZones
|
|
selector. If multiple solvers match with the same
|
|
dnsNames value, the solver with the most matching
|
|
labels in matchLabels will be selected. If neither
|
|
has more matches, the solver defined earlier in the
|
|
list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
dnsZones:
|
|
description: List of DNSZones that this solver will
|
|
be used to solve. The most specific DNS zone match
|
|
specified here will take precedence over other DNS
|
|
zone matches, so a solver specifying sys.example.com
|
|
will be selected over one specifying example.com for
|
|
the domain www.sys.example.com. If multiple solvers
|
|
match with the same dnsZones value, the solver with
|
|
the most matching labels in matchLabels will be selected.
|
|
If neither has more matches, the solver defined earlier
|
|
in the list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: A label selector that is used to refine
|
|
the set of certificate's that this challenge solver
|
|
will apply to.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: array
|
|
required:
|
|
- privateKeySecretRef
|
|
- server
|
|
type: object
|
|
ca:
|
|
description: CA configures this issuer to sign certificates using
|
|
a signing CA keypair stored in a Secret resource. This is used to
|
|
build internal PKIs that are managed by cert-manager.
|
|
properties:
|
|
crlDistributionPoints:
|
|
description: The CRL distribution points is an X.509 v3 certificate
|
|
extension which identifies the location of the CRL from which
|
|
the revocation of this certificate can be checked. If not set,
|
|
certificates will be issued without distribution points set.
|
|
items:
|
|
type: string
|
|
type: array
|
|
secretName:
|
|
description: SecretName is the name of the secret used to sign
|
|
Certificates issued by this Issuer.
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
selfSigned:
|
|
description: SelfSigned configures this issuer to 'self sign' certificates
|
|
using the private key used to create the CertificateRequest object.
|
|
properties:
|
|
crlDistributionPoints:
|
|
description: The CRL distribution points is an X.509 v3 certificate
|
|
extension which identifies the location of the CRL from which
|
|
the revocation of this certificate can be checked. If not set
|
|
certificate will be issued without CDP. Values are strings.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
vault:
|
|
description: Vault configures this issuer to sign certificates using
|
|
a HashiCorp Vault PKI backend.
|
|
properties:
|
|
auth:
|
|
description: Auth configures how cert-manager authenticates with
|
|
the Vault server.
|
|
properties:
|
|
appRole:
|
|
description: AppRole authenticates with Vault using the App
|
|
Role auth mechanism, with the role and secret stored in
|
|
a Kubernetes Secret resource.
|
|
properties:
|
|
path:
|
|
description: 'Path where the App Role authentication backend
|
|
is mounted in Vault, e.g: "approle"'
|
|
type: string
|
|
roleId:
|
|
description: RoleID configured in the App Role authentication
|
|
backend when setting up the authentication backend in
|
|
Vault.
|
|
type: string
|
|
secretRef:
|
|
description: Reference to a key in a Secret that contains
|
|
the App Role secret used to authenticate with Vault.
|
|
The `key` field must be specified and denotes which
|
|
entry within the Secret resource is used as the app
|
|
role secret.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- path
|
|
- roleId
|
|
- secretRef
|
|
type: object
|
|
kubernetes:
|
|
description: Kubernetes authenticates with Vault by passing
|
|
the ServiceAccount token stored in the named Secret resource
|
|
to the Vault server.
|
|
properties:
|
|
mountPath:
|
|
description: The Vault mountPath here is the mount path
|
|
to use when authenticating with Vault. For example,
|
|
setting a value to `/v1/auth/foo`, will use the path
|
|
`/v1/auth/foo/login` to authenticate with Vault. If
|
|
unspecified, the default value "/v1/auth/kubernetes"
|
|
will be used.
|
|
type: string
|
|
role:
|
|
description: A required field containing the Vault Role
|
|
to assume. A Role binds a Kubernetes ServiceAccount
|
|
with a set of Vault policies.
|
|
type: string
|
|
secretRef:
|
|
description: The required Secret field containing a Kubernetes
|
|
ServiceAccount JWT used for authenticating with Vault.
|
|
Use of 'ambient credentials' is not supported.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- role
|
|
- secretRef
|
|
type: object
|
|
tokenSecretRef:
|
|
description: TokenSecretRef authenticates with Vault by presenting
|
|
a token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
description: PEM encoded CA bundle used to validate Vault server
|
|
certificate. Only used if the Server URL is using HTTPS protocol.
|
|
This parameter is ignored for plain HTTP protocol connection.
|
|
If not set the system root certificates are used to validate
|
|
the TLS connection.
|
|
format: byte
|
|
type: string
|
|
namespace:
|
|
description: 'Name of the vault namespace. Namespaces is a set
|
|
of features within Vault Enterprise that allows Vault environments
|
|
to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
|
|
can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
|
type: string
|
|
path:
|
|
description: 'Path is the mount path of the Vault PKI backend''s
|
|
`sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
|
type: string
|
|
server:
|
|
description: 'Server is the connection address for the Vault server,
|
|
e.g: "https://vault.example.com:8200".'
|
|
type: string
|
|
required:
|
|
- auth
|
|
- path
|
|
- server
|
|
type: object
|
|
venafi:
|
|
description: Venafi configures this issuer to sign certificates using
|
|
a Venafi TPP or Venafi Cloud policy zone.
|
|
properties:
|
|
cloud:
|
|
description: Cloud specifies the Venafi cloud configuration settings.
|
|
Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
apiTokenSecretRef:
|
|
description: APITokenSecretRef is a secret key selector for
|
|
the Venafi Cloud API token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: URL is the base URL for Venafi Cloud. Defaults
|
|
to "https://api.venafi.cloud/v1".
|
|
type: string
|
|
required:
|
|
- apiTokenSecretRef
|
|
type: object
|
|
tpp:
|
|
description: TPP specifies Trust Protection Platform configuration
|
|
settings. Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded TLS certificate to
|
|
use to verify connections to the TPP instance. If specified,
|
|
system roots will not be used and the issuing CA for the
|
|
TPP instance must be verifiable using the provided root.
|
|
If not specified, the connection will be verified using
|
|
the cert-manager system root certificates.
|
|
format: byte
|
|
type: string
|
|
credentialsRef:
|
|
description: CredentialsRef is a reference to a Secret containing
|
|
the username and password for the TPP server. The secret
|
|
must contain two keys, 'username' and 'password'.
|
|
properties:
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: 'URL is the base URL for the vedsdk endpoint
|
|
of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
|
type: string
|
|
required:
|
|
- credentialsRef
|
|
- url
|
|
type: object
|
|
zone:
|
|
description: Zone is the Venafi Policy Zone to use for this issuer.
|
|
All requests made to the Venafi platform will be restricted
|
|
by the named zone policy. This field is required.
|
|
type: string
|
|
required:
|
|
- zone
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: Status of the ClusterIssuer. This is set and managed automatically.
|
|
properties:
|
|
acme:
|
|
description: ACME specific status options. This field should only
|
|
be set if the Issuer is configured to use an ACME server to issue
|
|
certificates.
|
|
properties:
|
|
lastRegisteredEmail:
|
|
description: LastRegisteredEmail is the email associated with
|
|
the latest registered ACME account, in order to track changes
|
|
made to registered account associated with the Issuer
|
|
type: string
|
|
uri:
|
|
description: URI is the unique account identifier, which can also
|
|
be used to retrieve account details from the CA
|
|
type: string
|
|
type: object
|
|
conditions:
|
|
description: List of status conditions to indicate the status of a
|
|
CertificateRequest. Known condition types are `Ready`.
|
|
items:
|
|
description: IssuerCondition contains condition information for
|
|
an Issuer.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: Type of the condition, known values are ('Ready').
|
|
type: string
|
|
required:
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|
name: Status
|
|
priority: 1
|
|
type: string
|
|
- description: CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before
|
|
order across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC.
|
|
jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: A ClusterIssuer represents a certificate issuing authority which
|
|
can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
|
|
however it is cluster-scoped and therefore can be referenced by resources
|
|
that exist in *any* namespace, not just the same namespace as the referent.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the ClusterIssuer resource.
|
|
properties:
|
|
acme:
|
|
description: ACME configures this issuer to communicate with a RFC8555
|
|
(ACME) server to obtain signed x509 certificates.
|
|
properties:
|
|
disableAccountKeyGeneration:
|
|
description: Enables or disables generating a new ACME account
|
|
key. If true, the Issuer resource will *not* request a new account
|
|
but will expect the account key to be supplied via an existing
|
|
secret. If false, the cert-manager system will generate a new
|
|
ACME account key for the Issuer. Defaults to false.
|
|
type: boolean
|
|
email:
|
|
description: Email is the email address to be associated with
|
|
the ACME account. This field is optional, but it is strongly
|
|
recommended to be set. It will be used to contact you in case
|
|
of issues with your account or certificates, including expiry
|
|
notification emails. This field may be updated after the account
|
|
is initially registered.
|
|
type: string
|
|
externalAccountBinding:
|
|
description: ExternalAccountBinding is a reference to a CA external
|
|
account of the ACME server. If set, upon registration cert-manager
|
|
will attempt to associate the given external account credentials
|
|
with the registered ACME account.
|
|
properties:
|
|
keyAlgorithm:
|
|
description: keyAlgorithm is the MAC key algorithm that the
|
|
key is used for. Valid values are "HS256", "HS384" and "HS512".
|
|
enum:
|
|
- HS256
|
|
- HS384
|
|
- HS512
|
|
type: string
|
|
keyID:
|
|
description: keyID is the ID of the CA key that the External
|
|
Account is bound to.
|
|
type: string
|
|
keySecretRef:
|
|
description: keySecretRef is a Secret Key Selector referencing
|
|
a data item in a Kubernetes Secret which holds the symmetric
|
|
MAC key of the External Account Binding. The `key` is the
|
|
index string that is paired with the key data in the Secret
|
|
and should not be confused with the key data itself, or
|
|
indeed with the External Account Binding keyID above. The
|
|
secret key stored in the Secret **must** be un-padded, base64
|
|
URL encoded data.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- keyAlgorithm
|
|
- keyID
|
|
- keySecretRef
|
|
type: object
|
|
preferredChain:
|
|
description: 'PreferredChain is the chain to use if the ACME server
|
|
outputs multiple. PreferredChain is no guarantee that this one
|
|
gets delivered by the ACME endpoint. For example, for Let''s
|
|
Encrypt''s DST crosssign you would use: "DST Root CA X3" or
|
|
"ISRG Root X1" for the newer Let''s Encrypt root CA. This value
|
|
picks the first certificate bundle in the ACME alternative chains
|
|
that has a certificate with this value as its issuer''s CN'
|
|
maxLength: 64
|
|
type: string
|
|
privateKeySecretRef:
|
|
description: PrivateKey is the name of a Kubernetes Secret resource
|
|
that will be used to store the automatically generated ACME
|
|
account private key. Optionally, a `key` may be specified to
|
|
select a specific entry within the named Secret resource. If
|
|
`key` is not specified, a default of `tls.key` will be used.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field may
|
|
be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to. More
|
|
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
server:
|
|
description: 'Server is the URL used to access the ACME server''s
|
|
''directory'' endpoint. For example, for Let''s Encrypt''s staging
|
|
endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
|
|
Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
|
type: string
|
|
skipTLSVerify:
|
|
description: Enables or disables validation of the ACME server
|
|
TLS certificate. If true, requests to the ACME server will not
|
|
have their TLS certificate validated (i.e. insecure connections
|
|
will be allowed). Only enable this option in development environments.
|
|
The cert-manager system installed roots will be used to verify
|
|
connections to the ACME server if this is false. Defaults to
|
|
false.
|
|
type: boolean
|
|
solvers:
|
|
description: 'Solvers is a list of challenge solvers that will
|
|
be used to solve ACME challenges for the matching domains. Solver
|
|
configurations must be provided in order to obtain certificates
|
|
from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
|
items:
|
|
description: Configures an issuer to solve challenges using
|
|
the specified options. Only one of HTTP01 or DNS01 may be
|
|
provided.
|
|
properties:
|
|
dns01:
|
|
description: Configures cert-manager to attempt to complete
|
|
authorizations by performing the DNS01 challenge flow.
|
|
properties:
|
|
acmeDNS:
|
|
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
|
API to manage DNS01 challenge records.
|
|
properties:
|
|
accountSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
host:
|
|
type: string
|
|
required:
|
|
- accountSecretRef
|
|
- host
|
|
type: object
|
|
akamai:
|
|
description: Use the Akamai DNS zone management API
|
|
to manage DNS01 challenge records.
|
|
properties:
|
|
accessTokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
clientSecretSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
clientTokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
serviceConsumerDomain:
|
|
type: string
|
|
required:
|
|
- accessTokenSecretRef
|
|
- clientSecretSecretRef
|
|
- clientTokenSecretRef
|
|
- serviceConsumerDomain
|
|
type: object
|
|
azureDNS:
|
|
description: Use the Microsoft Azure DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
clientID:
|
|
description: if both this and ClientSecret are left
|
|
unset MSI will be used
|
|
type: string
|
|
clientSecretSecretRef:
|
|
description: if both this and ClientID are left
|
|
unset MSI will be used
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
environment:
|
|
enum:
|
|
- AzurePublicCloud
|
|
- AzureChinaCloud
|
|
- AzureGermanCloud
|
|
- AzureUSGovernmentCloud
|
|
type: string
|
|
hostedZoneName:
|
|
type: string
|
|
resourceGroupName:
|
|
type: string
|
|
subscriptionID:
|
|
type: string
|
|
tenantID:
|
|
description: when specifying ClientID and ClientSecret
|
|
then this field is also needed
|
|
type: string
|
|
required:
|
|
- resourceGroupName
|
|
- subscriptionID
|
|
type: object
|
|
cloudDNS:
|
|
description: Use the Google Cloud DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
hostedZoneName:
|
|
description: HostedZoneName is an optional field
|
|
that tells cert-manager in which Cloud DNS zone
|
|
the challenge record has to be created. If left
|
|
empty cert-manager will automatically choose a
|
|
zone.
|
|
type: string
|
|
project:
|
|
type: string
|
|
serviceAccountSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- project
|
|
type: object
|
|
cloudflare:
|
|
description: Use the Cloudflare API to manage DNS01
|
|
challenge records.
|
|
properties:
|
|
apiKeySecretRef:
|
|
description: 'API key to use to authenticate with
|
|
Cloudflare. Note: using an API token to authenticate
|
|
is now the recommended method as it allows greater
|
|
control of permissions.'
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
apiTokenSecretRef:
|
|
description: API token used to authenticate with
|
|
Cloudflare.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
email:
|
|
description: Email of the account, only required
|
|
when using API key based authentication.
|
|
type: string
|
|
type: object
|
|
cnameStrategy:
|
|
description: CNAMEStrategy configures how the DNS01
|
|
provider should handle CNAME records when found in
|
|
DNS zones.
|
|
enum:
|
|
- None
|
|
- Follow
|
|
type: string
|
|
digitalocean:
|
|
description: Use the DigitalOcean DNS API to manage
|
|
DNS01 challenge records.
|
|
properties:
|
|
tokenSecretRef:
|
|
description: A reference to a specific 'key' within
|
|
a Secret resource. In some instances, `key` is
|
|
a required field.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- tokenSecretRef
|
|
type: object
|
|
rfc2136:
|
|
description: Use RFC2136 ("Dynamic Updates in the Domain
|
|
Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
|
to manage DNS01 challenge records.
|
|
properties:
|
|
nameserver:
|
|
description: The IP address or hostname of an authoritative
|
|
DNS server supporting RFC2136 in the form host:port.
|
|
If the host is an IPv6 address it must be enclosed
|
|
in square brackets (e.g [2001:db8::1]) ; port
|
|
is optional. This field is required.
|
|
type: string
|
|
tsigAlgorithm:
|
|
description: 'The TSIG Algorithm configured in the
|
|
DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
|
and ``tsigKeyName`` are defined. Supported values
|
|
are (case-insensitive): ``HMACMD5`` (default),
|
|
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
|
type: string
|
|
tsigKeyName:
|
|
description: The TSIG Key name configured in the
|
|
DNS. If ``tsigSecretSecretRef`` is defined, this
|
|
field is required.
|
|
type: string
|
|
tsigSecretSecretRef:
|
|
description: The name of the secret containing the
|
|
TSIG value. If ``tsigKeyName`` is defined, this
|
|
field is required.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- nameserver
|
|
type: object
|
|
route53:
|
|
description: Use the AWS Route53 API to manage DNS01
|
|
challenge records.
|
|
properties:
|
|
accessKeyID:
|
|
description: 'The AccessKeyID is used for authentication.
|
|
If not set we fall-back to using env vars, shared
|
|
credentials file or AWS Instance metadata see:
|
|
https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
|
type: string
|
|
hostedZoneID:
|
|
description: If set, the provider will manage only
|
|
this zone in Route53 and will not do an lookup
|
|
using the route53:ListHostedZonesByName api call.
|
|
type: string
|
|
region:
|
|
description: Always set the region when using AccessKeyID
|
|
and SecretAccessKey
|
|
type: string
|
|
role:
|
|
description: Role is a Role ARN which the Route53
|
|
provider will assume using either the explicit
|
|
credentials AccessKeyID/SecretAccessKey or the
|
|
inferred credentials from environment variables,
|
|
shared credentials file or AWS Instance metadata
|
|
type: string
|
|
secretAccessKeySecretRef:
|
|
description: The SecretAccessKey is used for authentication.
|
|
If not set we fall-back to using env vars, shared
|
|
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret
|
|
resource's `data` field to be used. Some instances
|
|
of this field may be defaulted, in others
|
|
it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- region
|
|
type: object
|
|
webhook:
|
|
description: Configure an external webhook based DNS01
|
|
challenge solver to manage DNS01 challenge records.
|
|
properties:
|
|
config:
|
|
description: Additional configuration that should
|
|
be passed to the webhook apiserver when challenges
|
|
are processed. This can contain arbitrary JSON
|
|
data. Secret values should not be specified in
|
|
this stanza. If secret values are needed (e.g.
|
|
credentials for a DNS service), you should use
|
|
a SecretKeySelector to reference a Secret resource.
|
|
For details on the schema of this field, consult
|
|
the webhook provider implementation's documentation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
groupName:
|
|
description: The API group name that should be used
|
|
when POSTing ChallengePayload resources to the
|
|
webhook apiserver. This should be the same as
|
|
the GroupName specified in the webhook provider
|
|
implementation.
|
|
type: string
|
|
solverName:
|
|
description: The name of the solver to use, as defined
|
|
in the webhook provider implementation. This will
|
|
typically be the name of the provider, e.g. 'cloudflare'.
|
|
type: string
|
|
required:
|
|
- groupName
|
|
- solverName
|
|
type: object
|
|
type: object
|
|
http01:
|
|
description: Configures cert-manager to attempt to complete
|
|
authorizations by performing the HTTP01 challenge flow.
|
|
It is not possible to obtain certificates for wildcard
|
|
domain names (e.g. `*.example.com`) using the HTTP01 challenge
|
|
mechanism.
|
|
properties:
|
|
ingress:
|
|
description: The ingress based HTTP01 challenge solver
|
|
will solve challenges by creating or modifying Ingress
|
|
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
|
|
to 'challenge solver' pods that are provisioned by
|
|
cert-manager for each Challenge to be completed.
|
|
properties:
|
|
class:
|
|
description: The ingress class to use when creating
|
|
Ingress resources to solve ACME challenges that
|
|
use this challenge solver. Only one of 'class'
|
|
or 'name' may be specified.
|
|
type: string
|
|
ingressTemplate:
|
|
description: Optional ingress template used to configure
|
|
the ACME challenge solver ingress used for HTTP01
|
|
challenges
|
|
properties:
|
|
metadata:
|
|
description: ObjectMeta overrides for the ingress
|
|
used to solve HTTP01 challenges. Only the
|
|
'labels' and 'annotations' fields may be set.
|
|
If labels or annotations overlap with in-built
|
|
values, the values here will override the
|
|
in-built values.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations that should be
|
|
added to the created ACME HTTP01 solver
|
|
ingress.
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels that should be added
|
|
to the created ACME HTTP01 solver ingress.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
name:
|
|
description: The name of the ingress resource that
|
|
should have ACME challenge solving routes inserted
|
|
into it in order to solve HTTP01 challenges. This
|
|
is typically used in conjunction with ingress
|
|
controllers like ingress-gce, which maintains
|
|
a 1:1 mapping between external IPs and ingress
|
|
resources.
|
|
type: string
|
|
podTemplate:
|
|
description: Optional pod template used to configure
|
|
the ACME challenge solver pods used for HTTP01
|
|
challenges
|
|
properties:
|
|
metadata:
|
|
description: ObjectMeta overrides for the pod
|
|
used to solve HTTP01 challenges. Only the
|
|
'labels' and 'annotations' fields may be set.
|
|
If labels or annotations overlap with in-built
|
|
values, the values here will override the
|
|
in-built values.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations that should be
|
|
added to the create ACME HTTP01 solver
|
|
pods.
|
|
type: object
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels that should be added
|
|
to the created ACME HTTP01 solver pods.
|
|
type: object
|
|
type: object
|
|
spec:
|
|
description: PodSpec defines overrides for the
|
|
HTTP01 challenge solver pod. Only the 'priorityClassName',
|
|
'nodeSelector', 'affinity', 'serviceAccountName'
|
|
and 'tolerations' fields are supported currently.
|
|
All other fields will be ignored.
|
|
properties:
|
|
affinity:
|
|
description: If specified, the pod's scheduling
|
|
constraints
|
|
properties:
|
|
nodeAffinity:
|
|
description: Describes node affinity
|
|
scheduling rules for the pod.
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the affinity expressions
|
|
specified by this field, but it
|
|
may choose a node that violates
|
|
one or more of the expressions.
|
|
The node that is most preferred
|
|
is the one with the greatest sum
|
|
of weights, i.e. for each node
|
|
that meets all of the scheduling
|
|
requirements (resource request,
|
|
requiredDuringScheduling affinity
|
|
expressions, etc.), compute a
|
|
sum by iterating through the elements
|
|
of this field and adding "weight"
|
|
to the sum if the node matches
|
|
the corresponding matchExpressions;
|
|
the node(s) with the highest sum
|
|
are the most preferred.
|
|
items:
|
|
description: An empty preferred
|
|
scheduling term matches all
|
|
objects with implicit weight
|
|
0 (i.e. it's a no-op). A null
|
|
preferred scheduling term matches
|
|
no objects (i.e. is also a no-op).
|
|
properties:
|
|
preference:
|
|
description: A node selector
|
|
term, associated with the
|
|
corresponding weight.
|
|
properties:
|
|
matchExpressions:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's labels.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchFields:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's fields.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
type: object
|
|
weight:
|
|
description: Weight associated
|
|
with matching the corresponding
|
|
nodeSelectorTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- preference
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the affinity requirements
|
|
specified by this field are not
|
|
met at scheduling time, the pod
|
|
will not be scheduled onto the
|
|
node. If the affinity requirements
|
|
specified by this field cease
|
|
to be met at some point during
|
|
pod execution (e.g. due to an
|
|
update), the system may or may
|
|
not try to eventually evict the
|
|
pod from its node.
|
|
properties:
|
|
nodeSelectorTerms:
|
|
description: Required. A list
|
|
of node selector terms. The
|
|
terms are ORed.
|
|
items:
|
|
description: A null or empty
|
|
node selector term matches
|
|
no objects. The requirements
|
|
of them are ANDed. The TopologySelectorTerm
|
|
type implements a subset
|
|
of the NodeSelectorTerm.
|
|
properties:
|
|
matchExpressions:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's labels.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchFields:
|
|
description: A list of
|
|
node selector requirements
|
|
by node's fields.
|
|
items:
|
|
description: A node
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: The
|
|
label key that
|
|
the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: Represents
|
|
a key's relationship
|
|
to a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists, DoesNotExist.
|
|
Gt, and Lt.
|
|
type: string
|
|
values:
|
|
description: An
|
|
array of string
|
|
values. If the
|
|
operator is In
|
|
or NotIn, the
|
|
values array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
If the operator
|
|
is Gt or Lt, the
|
|
values array must
|
|
have a single
|
|
element, which
|
|
will be interpreted
|
|
as an integer.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
required:
|
|
- nodeSelectorTerms
|
|
type: object
|
|
type: object
|
|
podAffinity:
|
|
description: Describes pod affinity
|
|
scheduling rules (e.g. co-locate this
|
|
pod in the same node, zone, etc. as
|
|
some other pod(s)).
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the affinity expressions
|
|
specified by this field, but it
|
|
may choose a node that violates
|
|
one or more of the expressions.
|
|
The node that is most preferred
|
|
is the one with the greatest sum
|
|
of weights, i.e. for each node
|
|
that meets all of the scheduling
|
|
requirements (resource request,
|
|
requiredDuringScheduling affinity
|
|
expressions, etc.), compute a
|
|
sum by iterating through the elements
|
|
of this field and adding "weight"
|
|
to the sum if the node has pods
|
|
which matches the corresponding
|
|
podAffinityTerm; the node(s) with
|
|
the highest sum are the most preferred.
|
|
items:
|
|
description: The weights of all
|
|
of the matched WeightedPodAffinityTerm
|
|
fields are added per-node to
|
|
find the most preferred node(s)
|
|
properties:
|
|
podAffinityTerm:
|
|
description: Required. A pod
|
|
affinity term, associated
|
|
with the corresponding weight.
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label
|
|
selector requirements.
|
|
The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector
|
|
that contains
|
|
values, a key,
|
|
and an operator
|
|
that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label
|
|
key that the
|
|
selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents
|
|
a key's relationship
|
|
to a set of
|
|
values. Valid
|
|
operators
|
|
are In, NotIn,
|
|
Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array
|
|
of string
|
|
values. If
|
|
the operator
|
|
is In or NotIn,
|
|
the values
|
|
array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists
|
|
or DoesNotExist,
|
|
the values
|
|
array must
|
|
be empty.
|
|
This array
|
|
is replaced
|
|
during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single
|
|
{key,value} in the
|
|
matchLabels map
|
|
is equivalent to
|
|
an element of matchExpressions,
|
|
whose key field
|
|
is "key", the operator
|
|
is "In", and the
|
|
values array contains
|
|
only "value". The
|
|
requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces
|
|
specifies which namespaces
|
|
the labelSelector applies
|
|
to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod
|
|
should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with
|
|
the pods matching the
|
|
labelSelector in the
|
|
specified namespaces,
|
|
where co-located is
|
|
defined as running on
|
|
a node whose value of
|
|
the label with key topologyKey
|
|
matches that of any
|
|
node on which any of
|
|
the selected pods is
|
|
running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
weight:
|
|
description: weight associated
|
|
with matching the corresponding
|
|
podAffinityTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- podAffinityTerm
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the affinity requirements
|
|
specified by this field are not
|
|
met at scheduling time, the pod
|
|
will not be scheduled onto the
|
|
node. If the affinity requirements
|
|
specified by this field cease
|
|
to be met at some point during
|
|
pod execution (e.g. due to a pod
|
|
label update), the system may
|
|
or may not try to eventually evict
|
|
the pod from its node. When there
|
|
are multiple elements, the lists
|
|
of nodes corresponding to each
|
|
podAffinityTerm are intersected,
|
|
i.e. all terms must be satisfied.
|
|
items:
|
|
description: Defines a set of
|
|
pods (namely those matching
|
|
the labelSelector relative to
|
|
the given namespace(s)) that
|
|
this pod should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with, where
|
|
co-located is defined as running
|
|
on a node whose value of the
|
|
label with key <topologyKey>
|
|
matches that of any node on
|
|
which a pod of the set of pods
|
|
is running
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label selector
|
|
requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label key
|
|
that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents a key's
|
|
relationship to
|
|
a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array of
|
|
string values.
|
|
If the operator
|
|
is In or NotIn,
|
|
the values array
|
|
must be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single {key,value}
|
|
in the matchLabels map
|
|
is equivalent to an
|
|
element of matchExpressions,
|
|
whose key field is "key",
|
|
the operator is "In",
|
|
and the values array
|
|
contains only "value".
|
|
The requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces specifies
|
|
which namespaces the labelSelector
|
|
applies to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod should
|
|
be co-located (affinity)
|
|
or not co-located (anti-affinity)
|
|
with the pods matching the
|
|
labelSelector in the specified
|
|
namespaces, where co-located
|
|
is defined as running on
|
|
a node whose value of the
|
|
label with key topologyKey
|
|
matches that of any node
|
|
on which any of the selected
|
|
pods is running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
type: array
|
|
type: object
|
|
podAntiAffinity:
|
|
description: Describes pod anti-affinity
|
|
scheduling rules (e.g. avoid putting
|
|
this pod in the same node, zone, etc.
|
|
as some other pod(s)).
|
|
properties:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
description: The scheduler will
|
|
prefer to schedule pods to nodes
|
|
that satisfy the anti-affinity
|
|
expressions specified by this
|
|
field, but it may choose a node
|
|
that violates one or more of the
|
|
expressions. The node that is
|
|
most preferred is the one with
|
|
the greatest sum of weights, i.e.
|
|
for each node that meets all of
|
|
the scheduling requirements (resource
|
|
request, requiredDuringScheduling
|
|
anti-affinity expressions, etc.),
|
|
compute a sum by iterating through
|
|
the elements of this field and
|
|
adding "weight" to the sum if
|
|
the node has pods which matches
|
|
the corresponding podAffinityTerm;
|
|
the node(s) with the highest sum
|
|
are the most preferred.
|
|
items:
|
|
description: The weights of all
|
|
of the matched WeightedPodAffinityTerm
|
|
fields are added per-node to
|
|
find the most preferred node(s)
|
|
properties:
|
|
podAffinityTerm:
|
|
description: Required. A pod
|
|
affinity term, associated
|
|
with the corresponding weight.
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label
|
|
selector requirements.
|
|
The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector
|
|
that contains
|
|
values, a key,
|
|
and an operator
|
|
that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label
|
|
key that the
|
|
selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents
|
|
a key's relationship
|
|
to a set of
|
|
values. Valid
|
|
operators
|
|
are In, NotIn,
|
|
Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array
|
|
of string
|
|
values. If
|
|
the operator
|
|
is In or NotIn,
|
|
the values
|
|
array must
|
|
be non-empty.
|
|
If the operator
|
|
is Exists
|
|
or DoesNotExist,
|
|
the values
|
|
array must
|
|
be empty.
|
|
This array
|
|
is replaced
|
|
during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single
|
|
{key,value} in the
|
|
matchLabels map
|
|
is equivalent to
|
|
an element of matchExpressions,
|
|
whose key field
|
|
is "key", the operator
|
|
is "In", and the
|
|
values array contains
|
|
only "value". The
|
|
requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces
|
|
specifies which namespaces
|
|
the labelSelector applies
|
|
to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod
|
|
should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with
|
|
the pods matching the
|
|
labelSelector in the
|
|
specified namespaces,
|
|
where co-located is
|
|
defined as running on
|
|
a node whose value of
|
|
the label with key topologyKey
|
|
matches that of any
|
|
node on which any of
|
|
the selected pods is
|
|
running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
weight:
|
|
description: weight associated
|
|
with matching the corresponding
|
|
podAffinityTerm, in the
|
|
range 1-100.
|
|
format: int32
|
|
type: integer
|
|
required:
|
|
- podAffinityTerm
|
|
- weight
|
|
type: object
|
|
type: array
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
description: If the anti-affinity
|
|
requirements specified by this
|
|
field are not met at scheduling
|
|
time, the pod will not be scheduled
|
|
onto the node. If the anti-affinity
|
|
requirements specified by this
|
|
field cease to be met at some
|
|
point during pod execution (e.g.
|
|
due to a pod label update), the
|
|
system may or may not try to eventually
|
|
evict the pod from its node. When
|
|
there are multiple elements, the
|
|
lists of nodes corresponding to
|
|
each podAffinityTerm are intersected,
|
|
i.e. all terms must be satisfied.
|
|
items:
|
|
description: Defines a set of
|
|
pods (namely those matching
|
|
the labelSelector relative to
|
|
the given namespace(s)) that
|
|
this pod should be co-located
|
|
(affinity) or not co-located
|
|
(anti-affinity) with, where
|
|
co-located is defined as running
|
|
on a node whose value of the
|
|
label with key <topologyKey>
|
|
matches that of any node on
|
|
which a pod of the set of pods
|
|
is running
|
|
properties:
|
|
labelSelector:
|
|
description: A label query
|
|
over a set of resources,
|
|
in this case pods.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions
|
|
is a list of label selector
|
|
requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label
|
|
selector requirement
|
|
is a selector that
|
|
contains values, a
|
|
key, and an operator
|
|
that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: key
|
|
is the label key
|
|
that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator
|
|
represents a key's
|
|
relationship to
|
|
a set of values.
|
|
Valid operators
|
|
are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values
|
|
is an array of
|
|
string values.
|
|
If the operator
|
|
is In or NotIn,
|
|
the values array
|
|
must be non-empty.
|
|
If the operator
|
|
is Exists or DoesNotExist,
|
|
the values array
|
|
must be empty.
|
|
This array is
|
|
replaced during
|
|
a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels
|
|
is a map of {key,value}
|
|
pairs. A single {key,value}
|
|
in the matchLabels map
|
|
is equivalent to an
|
|
element of matchExpressions,
|
|
whose key field is "key",
|
|
the operator is "In",
|
|
and the values array
|
|
contains only "value".
|
|
The requirements are
|
|
ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: namespaces specifies
|
|
which namespaces the labelSelector
|
|
applies to (matches against);
|
|
null or empty list means
|
|
"this pod's namespace"
|
|
items:
|
|
type: string
|
|
type: array
|
|
topologyKey:
|
|
description: This pod should
|
|
be co-located (affinity)
|
|
or not co-located (anti-affinity)
|
|
with the pods matching the
|
|
labelSelector in the specified
|
|
namespaces, where co-located
|
|
is defined as running on
|
|
a node whose value of the
|
|
label with key topologyKey
|
|
matches that of any node
|
|
on which any of the selected
|
|
pods is running. Empty topologyKey
|
|
is not allowed.
|
|
type: string
|
|
required:
|
|
- topologyKey
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
nodeSelector:
|
|
additionalProperties:
|
|
type: string
|
|
description: 'NodeSelector is a selector
|
|
which must be true for the pod to fit
|
|
on a node. Selector which must match a
|
|
node''s labels for the pod to be scheduled
|
|
on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
|
type: object
|
|
priorityClassName:
|
|
description: If specified, the pod's priorityClassName.
|
|
type: string
|
|
serviceAccountName:
|
|
description: If specified, the pod's service
|
|
account
|
|
type: string
|
|
tolerations:
|
|
description: If specified, the pod's tolerations.
|
|
items:
|
|
description: The pod this Toleration is
|
|
attached to tolerates any taint that
|
|
matches the triple <key,value,effect>
|
|
using the matching operator <operator>.
|
|
properties:
|
|
effect:
|
|
description: Effect indicates the
|
|
taint effect to match. Empty means
|
|
match all taint effects. When specified,
|
|
allowed values are NoSchedule, PreferNoSchedule
|
|
and NoExecute.
|
|
type: string
|
|
key:
|
|
description: Key is the taint key
|
|
that the toleration applies to.
|
|
Empty means match all taint keys.
|
|
If the key is empty, operator must
|
|
be Exists; this combination means
|
|
to match all values and all keys.
|
|
type: string
|
|
operator:
|
|
description: Operator represents a
|
|
key's relationship to the value.
|
|
Valid operators are Exists and Equal.
|
|
Defaults to Equal. Exists is equivalent
|
|
to wildcard for value, so that a
|
|
pod can tolerate all taints of a
|
|
particular category.
|
|
type: string
|
|
tolerationSeconds:
|
|
description: TolerationSeconds represents
|
|
the period of time the toleration
|
|
(which must be of effect NoExecute,
|
|
otherwise this field is ignored)
|
|
tolerates the taint. By default,
|
|
it is not set, which means tolerate
|
|
the taint forever (do not evict).
|
|
Zero and negative values will be
|
|
treated as 0 (evict immediately)
|
|
by the system.
|
|
format: int64
|
|
type: integer
|
|
value:
|
|
description: Value is the taint value
|
|
the toleration matches to. If the
|
|
operator is Exists, the value should
|
|
be empty, otherwise just a regular
|
|
string.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
serviceType:
|
|
description: Optional service type for Kubernetes
|
|
solver service
|
|
type: string
|
|
type: object
|
|
type: object
|
|
selector:
|
|
description: Selector selects a set of DNSNames on the Certificate
|
|
resource that should be solved using this challenge solver.
|
|
If not specified, the solver will be treated as the 'default'
|
|
solver with the lowest priority, i.e. if any other solver
|
|
has a more specific match, it will be used instead.
|
|
properties:
|
|
dnsNames:
|
|
description: List of DNSNames that this solver will
|
|
be used to solve. If specified and a match is found,
|
|
a dnsNames selector will take precedence over a dnsZones
|
|
selector. If multiple solvers match with the same
|
|
dnsNames value, the solver with the most matching
|
|
labels in matchLabels will be selected. If neither
|
|
has more matches, the solver defined earlier in the
|
|
list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
dnsZones:
|
|
description: List of DNSZones that this solver will
|
|
be used to solve. The most specific DNS zone match
|
|
specified here will take precedence over other DNS
|
|
zone matches, so a solver specifying sys.example.com
|
|
will be selected over one specifying example.com for
|
|
the domain www.sys.example.com. If multiple solvers
|
|
match with the same dnsZones value, the solver with
|
|
the most matching labels in matchLabels will be selected.
|
|
If neither has more matches, the solver defined earlier
|
|
in the list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: A label selector that is used to refine
|
|
the set of certificate's that this challenge solver
|
|
will apply to.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: array
|
|
required:
|
|
- privateKeySecretRef
|
|
- server
|
|
type: object
|
|
ca:
|
|
description: CA configures this issuer to sign certificates using
|
|
a signing CA keypair stored in a Secret resource. This is used to
|
|
build internal PKIs that are managed by cert-manager.
|
|
properties:
|
|
crlDistributionPoints:
|
|
description: The CRL distribution points is an X.509 v3 certificate
|
|
extension which identifies the location of the CRL from which
|
|
the revocation of this certificate can be checked. If not set,
|
|
certificates will be issued without distribution points set.
|
|
items:
|
|
type: string
|
|
type: array
|
|
secretName:
|
|
description: SecretName is the name of the secret used to sign
|
|
Certificates issued by this Issuer.
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
selfSigned:
|
|
description: SelfSigned configures this issuer to 'self sign' certificates
|
|
using the private key used to create the CertificateRequest object.
|
|
properties:
|
|
crlDistributionPoints:
|
|
description: The CRL distribution points is an X.509 v3 certificate
|
|
extension which identifies the location of the CRL from which
|
|
the revocation of this certificate can be checked. If not set
|
|
certificate will be issued without CDP. Values are strings.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
vault:
|
|
description: Vault configures this issuer to sign certificates using
|
|
a HashiCorp Vault PKI backend.
|
|
properties:
|
|
auth:
|
|
description: Auth configures how cert-manager authenticates with
|
|
the Vault server.
|
|
properties:
|
|
appRole:
|
|
description: AppRole authenticates with Vault using the App
|
|
Role auth mechanism, with the role and secret stored in
|
|
a Kubernetes Secret resource.
|
|
properties:
|
|
path:
|
|
description: 'Path where the App Role authentication backend
|
|
is mounted in Vault, e.g: "approle"'
|
|
type: string
|
|
roleId:
|
|
description: RoleID configured in the App Role authentication
|
|
backend when setting up the authentication backend in
|
|
Vault.
|
|
type: string
|
|
secretRef:
|
|
description: Reference to a key in a Secret that contains
|
|
the App Role secret used to authenticate with Vault.
|
|
The `key` field must be specified and denotes which
|
|
entry within the Secret resource is used as the app
|
|
role secret.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- path
|
|
- roleId
|
|
- secretRef
|
|
type: object
|
|
kubernetes:
|
|
description: Kubernetes authenticates with Vault by passing
|
|
the ServiceAccount token stored in the named Secret resource
|
|
to the Vault server.
|
|
properties:
|
|
mountPath:
|
|
description: The Vault mountPath here is the mount path
|
|
to use when authenticating with Vault. For example,
|
|
setting a value to `/v1/auth/foo`, will use the path
|
|
`/v1/auth/foo/login` to authenticate with Vault. If
|
|
unspecified, the default value "/v1/auth/kubernetes"
|
|
will be used.
|
|
type: string
|
|
role:
|
|
description: A required field containing the Vault Role
|
|
to assume. A Role binds a Kubernetes ServiceAccount
|
|
with a set of Vault policies.
|
|
type: string
|
|
secretRef:
|
|
description: The required Secret field containing a Kubernetes
|
|
ServiceAccount JWT used for authenticating with Vault.
|
|
Use of 'ambient credentials' is not supported.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this
|
|
field may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred
|
|
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- role
|
|
- secretRef
|
|
type: object
|
|
tokenSecretRef:
|
|
description: TokenSecretRef authenticates with Vault by presenting
|
|
a token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
description: PEM encoded CA bundle used to validate Vault server
|
|
certificate. Only used if the Server URL is using HTTPS protocol.
|
|
This parameter is ignored for plain HTTP protocol connection.
|
|
If not set the system root certificates are used to validate
|
|
the TLS connection.
|
|
format: byte
|
|
type: string
|
|
namespace:
|
|
description: 'Name of the vault namespace. Namespaces is a set
|
|
of features within Vault Enterprise that allows Vault environments
|
|
to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
|
|
can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
|
type: string
|
|
path:
|
|
description: 'Path is the mount path of the Vault PKI backend''s
|
|
`sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
|
type: string
|
|
server:
|
|
description: 'Server is the connection address for the Vault server,
|
|
e.g: "https://vault.example.com:8200".'
|
|
type: string
|
|
required:
|
|
- auth
|
|
- path
|
|
- server
|
|
type: object
|
|
venafi:
|
|
description: Venafi configures this issuer to sign certificates using
|
|
a Venafi TPP or Venafi Cloud policy zone.
|
|
properties:
|
|
cloud:
|
|
description: Cloud specifies the Venafi cloud configuration settings.
|
|
Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
apiTokenSecretRef:
|
|
description: APITokenSecretRef is a secret key selector for
|
|
the Venafi Cloud API token.
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: URL is the base URL for Venafi Cloud. Defaults
|
|
to "https://api.venafi.cloud/v1".
|
|
type: string
|
|
required:
|
|
- apiTokenSecretRef
|
|
type: object
|
|
tpp:
|
|
description: TPP specifies Trust Protection Platform configuration
|
|
settings. Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded TLS certificate to
|
|
use to verify connections to the TPP instance. If specified,
|
|
system roots will not be used and the issuing CA for the
|
|
TPP instance must be verifiable using the provided root.
|
|
If not specified, the connection will be verified using
|
|
the cert-manager system root certificates.
|
|
format: byte
|
|
type: string
|
|
credentialsRef:
|
|
description: CredentialsRef is a reference to a Secret containing
|
|
the username and password for the TPP server. The secret
|
|
must contain two keys, 'username' and 'password'.
|
|
properties:
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: 'URL is the base URL for the vedsdk endpoint
|
|
of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
|
type: string
|
|
required:
|
|
- credentialsRef
|
|
- url
|
|
type: object
|
|
zone:
|
|
description: Zone is the Venafi Policy Zone to use for this issuer.
|
|
All requests made to the Venafi platform will be restricted
|
|
by the named zone policy. This field is required.
|
|
type: string
|
|
required:
|
|
- zone
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: Status of the ClusterIssuer. This is set and managed automatically.
|
|
properties:
|
|
acme:
|
|
description: ACME specific status options. This field should only
|
|
be set if the Issuer is configured to use an ACME server to issue
|
|
certificates.
|
|
properties:
|
|
lastRegisteredEmail:
|
|
description: LastRegisteredEmail is the email associated with
|
|
the latest registered ACME account, in order to track changes
|
|
made to registered account associated with the Issuer
|
|
type: string
|
|
uri:
|
|
description: URI is the unique account identifier, which can also
|
|
be used to retrieve account details from the CA
|
|
type: string
|
|
type: object
|
|
conditions:
|
|
description: List of status conditions to indicate the status of a
|
|
CertificateRequest. Known condition types are `Ready`.
|
|
items:
|
|
description: IssuerCondition contains condition information for
|
|
an Issuer.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: Type of the condition, known values are ('Ready').
|
|
type: string
|
|
required:
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|