From 9cc70e9e7072809d0ddb627a99879c56fffda9e6 Mon Sep 17 00:00:00 2001 From: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com> Date: Thu, 6 Aug 2020 07:26:55 +0100 Subject: [PATCH] Upgrade JetStack Cert-Manager to v0.15.2 (#6414) * Upgrade JetStack Cert-Manager to v0.15.2 * Add README.md table of contents --- README.md | 2 +- roles/download/defaults/main.yml | 24 +- .../ingress_controller/cert_manager/README.md | 186 +- .../cert_manager/tasks/main.yml | 51 +- .../templates/00-namespace.yml.j2 | 15 +- .../clusterissuer-cert-manager.yml.j2 | 23 + .../templates/clusterrole-cert-manager.yml.j2 | 293 +- .../clusterrolebinding-cert-manager.yml.j2 | 150 +- .../templates/crd-certificate.yml.j2 | 295 +- .../templates/crd-challenge.yml.j2 | 1466 +++++++ .../templates/crd-clusterissuer.yml.j2 | 3518 +++++++++-------- .../cert_manager/templates/crd-issuer.yml.j2 | 3514 ++++++++-------- .../cert_manager/templates/crd-order.yml.j2 | 253 ++ .../templates/deploy-cert-manager.yml.j2 | 171 +- .../templates/role-cert-manager.yml.j2 | 85 + .../templates/rolebinding-cert-manager.yml.j2 | 79 + .../templates/sa-cert-manager.yml.j2 | 48 +- .../templates/secret-cert-manager.yml.j2 | 9 + .../templates/svc-cert-manager.yml.j2 | 60 + .../templates/webhook-cert-manager.yml.j2 | 96 + 20 files changed, 6786 insertions(+), 3552 deletions(-) create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2 diff --git a/README.md b/README.md index 31b54eabb..20cde4339 100644 --- a/README.md +++ b/README.md @@ -136,7 +136,7 @@ Note: Upstart/SysV init based OS types are not supported. - [ambassador](https://github.com/datawire/ambassador): v1.5 - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11 - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11 - - [cert-manager](https://github.com/jetstack/cert-manager) v0.11.1 + - [cert-manager](https://github.com/jetstack/cert-manager) v0.15.2 - [coredns](https://github.com/coredns/coredns) v1.6.7 - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.32.0 diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index bbe497008..1380c6b4c 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml @@ -546,9 +546,13 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat ingress_ambassador_image_tag: "v1.2.8" alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller" alb_ingress_image_tag: "v1.1.8" -cert_manager_version: "v0.11.1" +cert_manager_version: "v0.15.2" cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller" cert_manager_controller_image_tag: "{{ cert_manager_version }}" +cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector" +cert_manager_cainjector_image_tag: "{{ cert_manager_version }}" +cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-webhook" +cert_manager_webhook_image_tag: "{{ cert_manager_version }}" addon_resizer_version: "1.8.9" addon_resizer_image_repo: "{{ kube_image_repo }}/addon-resizer" addon_resizer_image_tag: "{{ addon_resizer_version }}" @@ -1078,6 +1082,24 @@ downloads: groups: - kube-node + cert_manager_cainjector: + enabled: "{{ cert_manager_enabled }}" + container: true + repo: "{{ cert_manager_cainjector_image_repo }}" + tag: "{{ cert_manager_cainjector_image_tag }}" + sha256: "{{ cert_manager_cainjector_digest_checksum|default(None) }}" + groups: + - kube-node + + cert_manager_webhook: + enabled: "{{ cert_manager_enabled }}" + container: true + repo: "{{ cert_manager_webhook_image_repo }}" + tag: "{{ cert_manager_webhook_image_tag }}" + sha256: "{{ cert_manager_webhook_digest_checksum|default(None) }}" + groups: + - kube-node + csi_attacher: enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}" container: true diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/README.md b/roles/kubernetes-apps/ingress_controller/cert_manager/README.md index b0f008676..99501f292 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/README.md +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/README.md @@ -1,17 +1,179 @@ -Deployment files -================ +# Installation Guide -This directory contains example deployment manifests for cert-manager that can -be used in place of the official Helm chart. +- [Installation Guide](#installation-guide) + - [Kubernetes TLS Root CA Certificate/Key Secret](#kubernetes-tls-root-ca-certificatekey-secret) + - [Securing Ingress Resources](#securing-ingress-resources) + - [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key) + - [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit) + - [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file) + - [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file) + - [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key) -This is useful if you are deploying cert-manager into an environment without -Helm, or want to inspect a 'bare minimum' deployment. +Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry. -Where do these come from? -------------------------- +The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively. -The manifests in these subdirectories are generated from the Helm chart -automatically. The `values.yaml` files used to configure cert-manager can be -found in [`hack/deploy`](../../hack/deploy/). +Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future. -They are automatically generated by running `./hack/update-deploy-gen.sh`. +## Kubernetes TLS Root CA Certificate/Key Secret + +If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster. + +If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager. + +e.g. + +```shell +$ cat ca.pem | base64 -w 0 +LS0tLS1CRUdJTiBDRVJU... + +$ cat ca-key.pem | base64 -w 0 +LS0tLS1CRUdJTiBSU0Eg... +``` + +For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc. + +Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and setting `cert_manager_enabled` to true. + +```ini +# Cert manager deployment +cert_manager_enabled: true +``` + +If you don't have a TLS Root CA certificate and key available, you can create these by following the steps outlined in section [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key) using the Cloudflare PKI/TLS `cfssl` toolkit. TLS Root CA certificates and keys can also be created using `ssh-keygen` and OpenSSL, if `cfssl` is not available. + +## Securing Ingress Resources + +A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this. + +To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and set `ingress_nginx_enabled` to true. + +```ini +# Nginx ingress controller deployment +ingress_nginx_enabled: true +``` + +For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition. + +```yaml +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: prometheus-k8s + namespace: monitoring + labels: + prometheus: k8s + annotations: + kubernetes.io/ingress.class: "nginx" + cert-manager.io/cluster-issuer: ca-issuer +spec: + tls: + - hosts: + - prometheus.example.com + secretName: prometheus-dashboard-certs + rules: + - host: prometheus.example.com + http: + paths: + - path: / + backend: + serviceName: prometheus-k8s + servicePort: web +``` + +Once deployed to your K8s cluster, every 3 months cert-manager will automatically rotate the Prometheus `prometheus.example.com` TLS client certificate and key, and store these as the Kubernetes `prometheus-dashboard-certs` secret. + +For further information, read the official [Cert-Manager Ingress](https://cert-manager.io/docs/usage/ingress/) doc. + +### Create New TLS Root CA Certificate and Key + +#### Install Cloudflare PKI/TLS `cfssl` Toolkit. + +e.g. For Ubuntu/Debian distibutions, the toolkit is part of the `golang-cfssl` package. + +```shell +$ sudo apt-get install -y golang-cfssl +``` + +#### Create Root Certificate Authority (CA) Configuration File + +The default TLS certificate expiry time period is `8760h` which is 5 years from the date the certificate is created. + +```shell +$ cat > ca-config.json < ca-csr.json <.`. For DNS01 challenges, this is the + base64 encoded SHA256 sum of the `.` text that must be set as the TXT + record content.' + type: string + solver: + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. + type: object + properties: + dns01: + type: object + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing + the configuration for ACME-DNS servers + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + host: + type: string + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure containing + the DNS configuration for Akamai DNS—Zone Record Management + API + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + clientTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + serviceConsumerDomain: + type: string + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left unset + MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset MSI + will be used + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + environment: + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret then + this field is also needed + type: string + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + type: object + required: + - project + properties: + project: + type: string + serviceAccountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + type: object + required: + - email + properties: + apiKeySecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + apiTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + email: + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a structure + containing the DNS configuration for DigitalOcean Domains + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing + the configuration for RFC2136 DNS + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. If + the host is an IPv6 address it must be enclosed in square + brackets (e.g [2001:db8::1]) ; port is optional. This + field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting + RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` + are defined. Supported values are (case-insensitive): + ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or + ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If + ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure containing + the Route 53 configuration for AWS + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName + api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies configuration + for a webhook DNS01 provider, including where to POST ChallengePayload + resources. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values should + not be specified in this stanza. If secret values are + needed (e.g. credentials for a DNS service), you should + use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook + provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in + the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: ACMEChallengeSolverHTTP01 contains configuration detailing + how to solve HTTP01 challenges within a Kubernetes cluster. Typically + this is accomplished through creating 'routes' of some description + that configure ingress controllers to direct traffic to 'solver + pods', which are responsible for responding to the ACME server's + HTTP requests. + type: object + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to + the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it in + order to solve HTTP01 challenges. This is typically used + in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod used to + solve HTTP01 challenges. Only the 'labels' and 'annotations' + fields may be set. If labels or annotations overlap + with in-built values, the values here will override + the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to + the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling + constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + type: array + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no + objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + type: object + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + type: array + items: + type: string + matchFields: + description: A list of node selector + requirements by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + type: array + items: + type: string + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to an update), the system may or may + not try to eventually evict the pod from + its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + type: array + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + type: array + items: + type: string + matchFields: + description: A list of node selector + requirements by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + type: array + items: + type: string + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches + the corresponding podAffinityTerm; the + node(s) with the highest sum are the most + preferred. + type: array + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + type: array + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by + this field, but it may choose a node that + violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of the + scheduling requirements (resource request, + requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and + adding "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with the + highest sum are the most preferred. + type: array + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + type: array + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + type: array + items: + type: string + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + type: object + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means to + match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists + and Equal. Defaults to Equal. Exists is + equivalent to wildcard for value, so that + a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By + default, it is not set, which means tolerate + the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict + immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value the + toleration matches to. If the operator is + Exists, the value should be empty, otherwise + just a regular string. + type: string + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + additionalProperties: + type: string + token: + description: Token is the ACME challenge token for this challenge. This + is the raw value returned from the ACME server. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01". + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + type: boolean + status: + type: object + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 index ca1fabaf6..20e3b51bc 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 @@ -1,1774 +1,1820 @@ +# Copyright YEAR The Jetstack cert-manager contributors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + --- -apiVersion: apiextensions.k8s.io/v1 +apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: clusterissuers.certmanager.k8s.io + name: clusterissuers.cert-manager.io annotations: - "helm.sh/hook": crd-install - "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update" + cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca labels: app: cert-manager - chart: cert-manager-v0.5.2 - release: cert-manager - heritage: Tiller + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-{{ cert_manager_version }} spec: - group: certmanager.k8s.io - scope: Cluster + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + preserveUnknownFields: false + conversion: + # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. + strategy: Webhook + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. + webhookClientConfig: + service: + namespace: '{{ cert_manager_namespace }}' + name: 'cert-manager-webhook' + path: /convert names: kind: ClusterIssuer + listKind: ClusterIssuerList plural: clusterissuers + singular: clusterissuer + scope: Cluster + subresources: + status: {} versions: - - name: v1alpha1 + - name: v1alpha2 served: true storage: true - schema: - openAPIV3Schema: - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IssuerSpec is the specification of an Issuer. This includes - any configuration required for the issuer. + - name: v1alpha3 + served: true + storage: false + "validation": + "openAPIV3Schema": + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + type: object + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer type: object + required: + - privateKeySecretRef + - server properties: - acme: - description: ACMEIssuer contains the specification for an ACME issuer + email: + description: Email is the email for this account + type: string + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. type: object required: - - privateKeySecretRef - - server + - keyAlgorithm + - keyID + - keySecretRef properties: - email: - description: Email is the email for this account + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or indeed - with the External Account Binding keyID above. The secret - key stored in the Secret **must** be un-padded, base64 URL - encoded data. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - privateKeySecretRef: - description: PrivateKey is the name of a secret containing the private - key for this user account. + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or indeed + with the External Account Binding keyID above. The secret + key stored in the Secret **must** be un-padded, base64 URL + encoded data. type: object required: - name properties: key: - description: The key of the secret to select from. Must be a - valid secret key. + description: The key of the secret to select from. Must + be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string - server: - description: Server is the ACME server URL - type: string - skipTLSVerify: - description: If true, skip verifying the ACME server TLS certificate - type: boolean - solvers: - description: Solvers is a list of challenge solvers that will be - used to solve ACME challenges for the matching domains. - type: array - items: - type: object - properties: - dns01: - type: object - properties: - acmedns: - description: ACMEIssuerDNS01ProviderAcmeDNS is a structure - containing the configuration for ACME-DNS servers - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - host: - type: string - akamai: - description: ACMEIssuerDNS01ProviderAkamai is a structure - containing the DNS configuration for Akamai DNS—Zone - Record Management API - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - clientSecretSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - clientTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: ACMEIssuerDNS01ProviderAzureDNS is a structure - containing the configuration for Azure DNS - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset - MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - clouddns: - description: ACMEIssuerDNS01ProviderCloudDNS is a structure - containing the DNS configuration for Google Cloud DNS - type: object - required: - - project - properties: - project: - type: string - serviceAccountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - cloudflare: - description: ACMEIssuerDNS01ProviderCloudflare is a structure - containing the DNS configuration for Cloudflare - type: object - required: - - email - properties: - apiKeySecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - apiTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - email: - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: ACMEIssuerDNS01ProviderDigitalOcean is a - structure containing the DNS configuration for DigitalOcean - Domains - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - rfc2136: - description: ACMEIssuerDNS01ProviderRFC2136 is a structure - containing the configuration for RFC2136 DNS - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port is - optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field - is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - route53: - description: ACMEIssuerDNS01ProviderRoute53 is a structure - containing the Route 53 configuration for AWS - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup using - the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit credentials - AccessKeyID/SecretAccessKey or the inferred credentials - from environment variables, shared credentials file - or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - webhook: - description: ACMEIssuerDNS01ProviderWebhook specifies - configuration for a webhook DNS01 provider, including - where to POST ChallengePayload resources. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON data. - Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for - a DNS service), you should use a SecretKeySelector - to reference a Secret resource. For details on the - schema of this field, consult the webhook provider - implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the webhook - apiserver. This should be the same as the GroupName - specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: ACMEChallengeSolverHTTP01 contains configuration - detailing how to solve HTTP01 challenges within a Kubernetes - cluster. Typically this is accomplished through creating - 'routes' of some description that configure ingress controllers - to direct traffic to 'solver pods', which are responsible - for responding to the ACME server's HTTP requests. - type: object - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' or - 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels - or annotations overlap with in-built values, - the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to - the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress controllers - like ingress-gce, which maintains a 1:1 mapping - between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels - or annotations overlap with in-built values, - the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to - the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'nodeSelector', - 'affinity' and 'tolerations' fields are supported - currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling - constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - affinity expressions, etc.), compute - a sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches the - corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - type: array - items: - description: An empty preferred - scheduling term matches all objects - with implicit weight 0 (i.e. it's - a no-op). A null preferred scheduling - term matches no objects (i.e. - is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node - selector requirements - by node's labels. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchFields: - description: A list of node - selector requirements - by node's fields. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the node. - If the affinity requirements specified - by this field cease to be met at - some point during pod execution - (e.g. due to an update), the system - may or may not try to eventually - evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - type: array - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset of - the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node - selector requirements - by node's labels. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchFields: - description: A list of node - selector requirements - by node's fields. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling - rules (e.g. co-locate this pod in the - same node, zone, etc. as some other - pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - affinity expressions, etc.), compute - a sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - type: array - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to find - the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements are - ANDed. - type: array - items: - description: A label - selector requirement - is a selector that - contains values, - a key, and an operator - that relates the - key and values. - type: object - required: - - key - - operator - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents a - key's relationship - to a set of - values. Valid - operators are - In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or - DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels - map is equivalent - to an element of matchExpressions, - whose key field is - "key", the operator - is "In", and the values - array contains only - "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching - the labelSelector in the - specified namespaces, - where co-located is defined - as running on a node whose - value of the label with - key topologyKey matches - that of any node on which - any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the node. - If the affinity requirements specified - by this field cease to be met at - some point during pod execution - (e.g. due to a pod label update), - the system may or may not try to - eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding - to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods - (namely those matching the labelSelector - relative to the given namespace(s)) - that this pod should be co-located - (affinity) or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value - of the label with key - matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and adding - "weight" to the sum if the node - has pods which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - type: array - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to find - the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements are - ANDed. - type: array - items: - description: A label - selector requirement - is a selector that - contains values, - a key, and an operator - that relates the - key and values. - type: object - required: - - key - - operator - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents a - key's relationship - to a set of - values. Valid - operators are - In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or - DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels - map is equivalent - to an element of matchExpressions, - whose key field is - "key", the operator - is "In", and the values - array contains only - "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching - the labelSelector in the - specified namespaces, - where co-located is defined - as running on a node whose - value of the label with - key topologyKey matches - that of any node on which - any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this field - are not met at scheduling time, - the pod will not be scheduled onto - the node. If the anti-affinity requirements - specified by this field cease to - be met at some point during pod - execution (e.g. due to a pod label - update), the system may or may not - try to eventually evict the pod - from its node. When there are multiple - elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods - (namely those matching the labelSelector - relative to the given namespace(s)) - that this pod should be co-located - (affinity) or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value - of the label with key - matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which - must be true for the pod to fit on a node. - Selector which must match a node''s labels - for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is - attached to tolerates any taint that matches - the triple using the - matching operator . - type: object - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match - all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that - the toleration applies to. Empty means - match all taint keys. If the key is - empty, operator must be Exists; this - combination means to match all values - and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to - Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate - all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) tolerates - the taint. By default, it is not set, - which means tolerate the taint forever - (do not evict). Zero and negative - values will be treated as 0 (evict - immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be - used to solve. If specified and a match is found, a - dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same dnsNames - value, the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be - used to solve. The most specific DNS zone match specified - here will take precedence over other DNS zone matches, - so a solver specifying sys.example.com will be selected - over one specifying example.com for the domain www.sys.example.com. - If multiple solvers match with the same dnsZones value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the - set of certificate's that this challenge solver will - apply to. - type: object - additionalProperties: - type: string - ca: + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. type: object required: - - secretName + - name properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates - issued by this Issuer. + key: + description: The key of the secret to select from. Must be a + valid secret key. type: string - selfSigned: - type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - type: object - required: - - auth - - path - - server - properties: - auth: - description: Vault authentication - type: object - properties: - appRole: - description: This Secret contains a AppRole and Secret - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: Where the authentication path is mounted in - Vault. - type: string - roleId: - type: string - secretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - kubernetes: - description: This contains a Role and Secret with a ServiceAccount - token to authenticate with vault. - type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, setting - a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` - to authenticate with Vault. If unspecified, the default - value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount with - a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - tokenSecretRef: - description: This Secret contains the Vault token key - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - caBundle: - description: Base64 encoded CA bundle to validate Vault server certificate. - Only used if the Server URL is using HTTPS protocol. This parameter - is ignored for plain HTTP protocol connection. If not set the - system root certificates are used to validate the TLS connection. + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string - format: byte - path: - description: Vault URL path to the certificate role - type: string - server: - description: Server is the vault connection address - type: string - venafi: - description: VenafiIssuer describes issuer configuration details for - Venafi Cloud. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - url: - description: URL is the base URL for Venafi Cloud - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use - to verify connections to the TPP instance. If specified, system - roots will not be used and the issuing CA for the TPP instance - must be verifiable using the provided root. If not specified, - the connection will be verified using the cert-manager system - root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret must - contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - url: - description: URL is the base URL for the Venafi TPP instance - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted by - the named zone policy. This field is required. - type: string - status: - description: IssuerStatus contains status information about an Issuer - type: object - properties: - acme: - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the - latest registered ACME account, in order to track changes made - to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - conditions: + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. type: array items: - description: IssuerCondition contains condition information for an - Issuer. type: object - required: - - status - - type properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, currently ('Ready'). - type: string \ No newline at end of file + dns01: + type: object + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + host: + type: string + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + serviceConsumerDomain: + type: string + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + environment: + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + type: object + required: + - project + properties: + project: + type: string + serviceAccountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + type: object + required: + - email + properties: + apiKeySecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + apiTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + email: + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port is + optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + type: object + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling + constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + type: array + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + type: array + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + type: object + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + additionalProperties: + type: string + ca: + type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + selfSigned: + type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + type: object + required: + - auth + - path + - server + properties: + auth: + description: Vault authentication + type: object + properties: + appRole: + description: This Secret contains a AppRole and Secret + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + type: object + required: + - role + - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + tokenSecretRef: + description: This Secret contains the Vault token key + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + type: string + format: byte + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for Venafi Cloud + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for the Venafi TPP instance + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. + type: string + status: + description: IssuerStatus contains status information about an Issuer + type: object + properties: + acme: + type: object + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + conditions: + type: array + items: + description: IssuerCondition contains condition information for an + Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready'). + type: string diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 index f393168ff..f7f5b5823 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 @@ -1,1774 +1,1820 @@ +# Copyright YEAR The Jetstack cert-manager contributors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + --- -apiVersion: apiextensions.k8s.io/v1 +apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: issuers.certmanager.k8s.io + name: issuers.cert-manager.io annotations: - "helm.sh/hook": crd-install - "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update" + cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca labels: app: cert-manager - chart: cert-manager-v0.5.2 - release: cert-manager - heritage: Tiller + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-{{ cert_manager_version }} spec: - group: certmanager.k8s.io - scope: Namespaced + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + preserveUnknownFields: false + conversion: + # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. + strategy: Webhook + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. + webhookClientConfig: + service: + namespace: '{{ cert_manager_namespace }}' + name: 'cert-manager-webhook' + path: /convert names: kind: Issuer + listKind: IssuerList plural: issuers + singular: issuer + scope: Namespaced + subresources: + status: {} versions: - - name: v1alpha1 + - name: v1alpha2 served: true storage: true - schema: - openAPIV3Schema: + - name: v1alpha3 + served: true + storage: false + "validation": + "openAPIV3Schema": + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. type: object properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IssuerSpec is the specification of an Issuer. This includes - any configuration required for the issuer. + acme: + description: ACMEIssuer contains the specification for an ACME issuer type: object + required: + - privateKeySecretRef + - server properties: - acme: - description: ACMEIssuer contains the specification for an ACME issuer + email: + description: Email is the email for this account + type: string + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. type: object required: - - privateKeySecretRef - - server + - keyAlgorithm + - keyID + - keySecretRef properties: - email: - description: Email is the email for this account + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or indeed - with the External Account Binding keyID above. The secret - key stored in the Secret **must** be un-padded, base64 URL - encoded data. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - privateKeySecretRef: - description: PrivateKey is the name of a secret containing the private - key for this user account. + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or indeed + with the External Account Binding keyID above. The secret + key stored in the Secret **must** be un-padded, base64 URL + encoded data. type: object required: - name properties: key: - description: The key of the secret to select from. Must be a - valid secret key. + description: The key of the secret to select from. Must + be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string - server: - description: Server is the ACME server URL - type: string - skipTLSVerify: - description: If true, skip verifying the ACME server TLS certificate - type: boolean - solvers: - description: Solvers is a list of challenge solvers that will be - used to solve ACME challenges for the matching domains. - type: array - items: - type: object - properties: - dns01: - type: object - properties: - acmedns: - description: ACMEIssuerDNS01ProviderAcmeDNS is a structure - containing the configuration for ACME-DNS servers - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - host: - type: string - akamai: - description: ACMEIssuerDNS01ProviderAkamai is a structure - containing the DNS configuration for Akamai DNS—Zone - Record Management API - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - clientSecretSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - clientTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - serviceConsumerDomain: - type: string - azuredns: - description: ACMEIssuerDNS01ProviderAzureDNS is a structure - containing the configuration for Azure DNS - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset - MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - environment: - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - clouddns: - description: ACMEIssuerDNS01ProviderCloudDNS is a structure - containing the DNS configuration for Google Cloud DNS - type: object - required: - - project - properties: - project: - type: string - serviceAccountSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - cloudflare: - description: ACMEIssuerDNS01ProviderCloudflare is a structure - containing the DNS configuration for Cloudflare - type: object - required: - - email - properties: - apiKeySecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - apiTokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - email: - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: ACMEIssuerDNS01ProviderDigitalOcean is a - structure containing the DNS configuration for DigitalOcean - Domains - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - rfc2136: - description: ACMEIssuerDNS01ProviderRFC2136 is a structure - containing the configuration for RFC2136 DNS - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port is - optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field - is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - route53: - description: ACMEIssuerDNS01ProviderRoute53 is a structure - containing the Route 53 configuration for AWS - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup using - the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit credentials - AccessKeyID/SecretAccessKey or the inferred credentials - from environment variables, shared credentials file - or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' - type: string - webhook: - description: ACMEIssuerDNS01ProviderWebhook specifies - configuration for a webhook DNS01 provider, including - where to POST ChallengePayload resources. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON data. - Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for - a DNS service), you should use a SecretKeySelector - to reference a Secret resource. For details on the - schema of this field, consult the webhook provider - implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the webhook - apiserver. This should be the same as the GroupName - specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: ACMEChallengeSolverHTTP01 contains configuration - detailing how to solve HTTP01 challenges within a Kubernetes - cluster. Typically this is accomplished through creating - 'routes' of some description that configure ingress controllers - to direct traffic to 'solver pods', which are responsible - for responding to the ACME server's HTTP requests. - type: object - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - type: object - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' or - 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels - or annotations overlap with in-built values, - the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to - the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress controllers - like ingress-gce, which maintains a 1:1 mapping - between external IPs and ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 challenges - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels - or annotations overlap with in-built values, - the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to - the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'nodeSelector', - 'affinity' and 'tolerations' fields are supported - currently. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling - constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - affinity expressions, etc.), compute - a sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches the - corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - type: array - items: - description: An empty preferred - scheduling term matches all objects - with implicit weight 0 (i.e. it's - a no-op). A null preferred scheduling - term matches no objects (i.e. - is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node - selector requirements - by node's labels. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchFields: - description: A list of node - selector requirements - by node's fields. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the node. - If the affinity requirements specified - by this field cease to be met at - some point during pod execution - (e.g. due to an update), the system - may or may not try to eventually - evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - type: array - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset of - the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node - selector requirements - by node's labels. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchFields: - description: A list of node - selector requirements - by node's fields. - type: array - items: - description: A node selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, Exists, - DoesNotExist. Gt, - and Lt. - type: string - values: - description: An array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. If - the operator is - Gt or Lt, the values - array must have - a single element, - which will be interpreted - as an integer. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - podAffinity: - description: Describes pod affinity scheduling - rules (e.g. co-locate this pod in the - same node, zone, etc. as some other - pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - affinity expressions, etc.), compute - a sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - type: array - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to find - the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements are - ANDed. - type: array - items: - description: A label - selector requirement - is a selector that - contains values, - a key, and an operator - that relates the - key and values. - type: object - required: - - key - - operator - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents a - key's relationship - to a set of - values. Valid - operators are - In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or - DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels - map is equivalent - to an element of matchExpressions, - whose key field is - "key", the operator - is "In", and the values - array contains only - "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching - the labelSelector in the - specified namespaces, - where co-located is defined - as running on a node whose - value of the label with - key topologyKey matches - that of any node on which - any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the node. - If the affinity requirements specified - by this field cease to be met at - some point during pod execution - (e.g. due to a pod label update), - the system may or may not try to - eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding - to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods - (namely those matching the labelSelector - relative to the given namespace(s)) - that this pod should be co-located - (affinity) or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value - of the label with key - matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose - a node that violates one or more - of the expressions. The node that - is most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and adding - "weight" to the sum if the node - has pods which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - type: array - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to find - the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements are - ANDed. - type: array - items: - description: A label - selector requirement - is a selector that - contains values, - a key, and an operator - that relates the - key and values. - type: object - required: - - key - - operator - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents a - key's relationship - to a set of - values. Valid - operators are - In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array - of string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or - DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels - map is equivalent - to an element of matchExpressions, - whose key field is - "key", the operator - is "In", and the values - array contains only - "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching - the labelSelector in the - specified namespaces, - where co-located is defined - as running on a node whose - value of the label with - key topologyKey matches - that of any node on which - any of the selected pods - is running. Empty topologyKey - is not allowed. - type: string - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the range - 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this field - are not met at scheduling time, - the pod will not be scheduled onto - the node. If the anti-affinity requirements - specified by this field cease to - be met at some point during pod - execution (e.g. due to a pod label - update), the system may or may not - try to eventually evict the pod - from its node. When there are multiple - elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods - (namely those matching the labelSelector - relative to the given namespace(s)) - that this pod should be co-located - (affinity) or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value - of the label with key - matches that of any node on which - a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - type: object - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - type: array - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - type: object - required: - - key - - operator - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - additionalProperties: - type: string - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - type: array - items: - type: string - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - nodeSelector: - description: 'NodeSelector is a selector which - must be true for the pod to fit on a node. - Selector which must match a node''s labels - for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - tolerations: - description: If specified, the pod's tolerations. - type: array - items: - description: The pod this Toleration is - attached to tolerates any taint that matches - the triple using the - matching operator . - type: object - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match - all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that - the toleration applies to. Empty means - match all taint keys. If the key is - empty, operator must be Exists; this - combination means to match all values - and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to - Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate - all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) tolerates - the taint. By default, it is not set, - which means tolerate the taint forever - (do not evict). Zero and negative - values will be treated as 0 (evict - immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be - used to solve. If specified and a match is found, a - dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same dnsNames - value, the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be - used to solve. The most specific DNS zone match specified - here will take precedence over other DNS zone matches, - so a solver specifying sys.example.com will be selected - over one specifying example.com for the domain www.sys.example.com. - If multiple solvers match with the same dnsZones value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the - set of certificate's that this challenge solver will - apply to. - type: object - additionalProperties: - type: string - ca: + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. type: object required: - - secretName + - name properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates - issued by this Issuer. + key: + description: The key of the secret to select from. Must be a + valid secret key. type: string - selfSigned: - type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - type: object - required: - - auth - - path - - server - properties: - auth: - description: Vault authentication - type: object - properties: - appRole: - description: This Secret contains a AppRole and Secret - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: Where the authentication path is mounted in - Vault. - type: string - roleId: - type: string - secretRef: - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - kubernetes: - description: This contains a Role and Secret with a ServiceAccount - token to authenticate with vault. - type: object - required: - - role - - secretRef - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, setting - a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` - to authenticate with Vault. If unspecified, the default - value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount with - a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - tokenSecretRef: - description: This Secret contains the Vault token key - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - caBundle: - description: Base64 encoded CA bundle to validate Vault server certificate. - Only used if the Server URL is using HTTPS protocol. This parameter - is ignored for plain HTTP protocol connection. If not set the - system root certificates are used to validate the TLS connection. + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' type: string - format: byte - path: - description: Vault URL path to the certificate role - type: string - server: - description: Server is the vault connection address - type: string - venafi: - description: VenafiIssuer describes issuer configuration details for - Venafi Cloud. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - url: - description: URL is the base URL for Venafi Cloud - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to use - to verify connections to the TPP instance. If specified, system - roots will not be used and the issuing CA for the TPP instance - must be verifiable using the provided root. If not specified, - the connection will be verified using the cert-manager system - root certificates. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret must - contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - url: - description: URL is the base URL for the Venafi TPP instance - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted by - the named zone policy. This field is required. - type: string - status: - description: IssuerStatus contains status information about an Issuer - type: object - properties: - acme: - type: object - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the - latest registered ACME account, in order to track changes made - to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - conditions: + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. type: array items: - description: IssuerCondition contains condition information for an - Issuer. type: object - required: - - status - - type properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details - of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for - the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, currently ('Ready'). - type: string \ No newline at end of file + dns01: + type: object + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + host: + type: string + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + serviceConsumerDomain: + type: string + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + environment: + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + type: object + required: + - project + properties: + project: + type: string + serviceAccountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + type: object + required: + - email + properties: + apiKeySecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + apiTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + email: + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port is + optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + type: object + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling + constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + type: array + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + type: array + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + type: object + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + additionalProperties: + type: string + ca: + type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + selfSigned: + type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + type: object + required: + - auth + - path + - server + properties: + auth: + description: Vault authentication + type: object + properties: + appRole: + description: This Secret contains a AppRole and Secret + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + type: object + required: + - role + - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + tokenSecretRef: + description: This Secret contains the Vault token key + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + type: string + format: byte + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for Venafi Cloud + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for the Venafi TPP instance + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. + type: string + status: + description: IssuerStatus contains status information about an Issuer + type: object + properties: + acme: + type: object + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + conditions: + type: array + items: + description: IssuerCondition contains condition information for an + Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready'). + type: string diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2 new file mode 100644 index 000000000..c0dc137ac --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2 @@ -0,0 +1,253 @@ +# Copyright YEAR The Jetstack cert-manager contributors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-{{ cert_manager_version }} +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + preserveUnknownFields: false + conversion: + # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources. + strategy: Webhook + # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server. + webhookClientConfig: + service: + namespace: '{{ cert_manager_namespace }}' + name: 'cert-manager-webhook' + path: /convert + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha2 + served: true + storage: true + - name: v1alpha3 + served: true + storage: false + "validation": + "openAPIV3Schema": + description: Order is a type to represent an Order with an ACME server + type: object + required: + - metadata + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + required: + - csr + - issuerRef + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. + type: string + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + type: string + format: byte + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + type: array + items: + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + type: object + required: + - name + properties: + group: + type: string + kind: + type: string + name: + type: string + status: + type: object + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + type: array + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + type: object + required: + - url + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge resource + will be created to perform the ACME challenge process. + type: array + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + type: object + required: + - token + - type + - url + properties: + token: + description: Token is the token that must be presented for + this challenge. This is used to compute the 'key' that + must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. http-01, dns-01 + type: string + url: + description: URL is the URL of this challenge. It can be + used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + initialState: + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a Challenge + resource for the authorization. This will occur when working + with an ACME server that enables 'authz reuse' (such as Let's + Encrypt's production endpoint). If not set and 'identifier' + is set, the state is assumed to be pending and a Challenge will + be created. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for + a wildcard DNS name. If this is true, the identifier will be + the *non-wildcard* version of the DNS name. For example, if + '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + type: string + format: byte + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + type: string + format: date-time + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2 index 383dab5d3..fcf1890fb 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2 @@ -1,3 +1,62 @@ +# Copyright YEAR The Jetstack cert-manager contributors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager-cainjector + namespace: {{ cert_manager_namespace }} + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: cainjector + helm.sh/chart: cert-manager-{{ cert_manager_version }} +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: cainjector + template: + metadata: + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: cainjector + helm.sh/chart: cert-manager-{{ cert_manager_version }} + spec: + serviceAccountName: cert-manager-cainjector + containers: + - name: cert-manager + image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}" + imagePullPolicy: {{ k8s_image_pull_policy }} + args: + - --v=2 + - --leader-election-namespace=kube-system + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} --- apiVersion: apps/v1 kind: Deployment @@ -6,39 +65,113 @@ metadata: namespace: {{ cert_manager_namespace }} labels: app: cert-manager - chart: cert-manager-v0.5.2 - release: cert-manager - heritage: Tiller + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + helm.sh/chart: cert-manager-{{ cert_manager_version }} spec: replicas: 1 selector: matchLabels: - app: cert-manager - release: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller template: metadata: labels: app: cert-manager - release: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-{{ cert_manager_version }} annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' spec: - priorityClassName: {% if cert_manager_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{''}} serviceAccountName: cert-manager containers: - name: cert-manager - image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }} + image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}" imagePullPolicy: {{ k8s_image_pull_policy }} args: - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=$(POD_NAMESPACE) + - --v=2 + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=kube-system + ports: + - containerPort: 9402 + protocol: TCP env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace resources: - requests: - cpu: 10m - memory: 32Mi - securityContext: - runAsUser: {{ cert_manager_user }} + {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager-webhook + namespace: {{ cert_manager_namespace }} + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: webhook + helm.sh/chart: cert-manager-{{ cert_manager_version }} +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: webhook + template: + metadata: + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: webhook + helm.sh/chart: cert-manager-{{ cert_manager_version }} + spec: + serviceAccountName: cert-manager-webhook + containers: + - name: cert-manager + image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}" + imagePullPolicy: {{ k8s_image_pull_policy }} + args: + - --v=2 + - --secure-port=10250 + - --dynamic-serving-ca-secret-namespace={{ cert_manager_namespace }} + - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca + - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc + ports: + - name: https + containerPort: 10250 + livenessProbe: + httpGet: + path: /livez + port: 6080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + port: 6080 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2 new file mode 100644 index 000000000..0c9208c83 --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2 @@ -0,0 +1,85 @@ +# Copyright YEAR The Jetstack cert-manager contributors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: cainjector + helm.sh/chart: cert-manager-{{ cert_manager_version }} +rules: + # Used for leader election by the controller + # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller + # see cmd/cainjector/start.go#L113 + # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller + # see cmd/cainjector/start.go#L137 + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: cert-manager:leaderelection + namespace: kube-system + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + helm.sh/chart: cert-manager-{{ cert_manager_version }} +rules: + # Used for leader election by the controller + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: cert-manager-webhook:dynamic-serving + namespace: {{ cert_manager_namespace }} + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: webhook + helm.sh/chart: cert-manager-{{ cert_manager_version }} +rules: +- apiGroups: [""] + resources: ["secrets"] + resourceNames: + - 'cert-manager-webhook-ca' + verbs: ["get", "list", "watch", "update"] +# It's not possible to grant CREATE permission on a single resourceName. +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2 new file mode 100644 index 000000000..cffb81903 --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2 @@ -0,0 +1,79 @@ +# Copyright YEAR The Jetstack cert-manager contributors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: cainjector + helm.sh/chart: cert-manager-{{ cert_manager_version }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager-cainjector:leaderelection +subjects: + - kind: ServiceAccount + name: cert-manager-cainjector + namespace: {{ cert_manager_namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: cert-manager:leaderelection + namespace: kube-system + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + helm.sh/chart: cert-manager-{{ cert_manager_version }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager:leaderelection +subjects: + - apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: {{ cert_manager_namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: cert-manager-webhook:dynamic-serving + namespace: {{ cert_manager_namespace }} + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: webhook + helm.sh/chart: cert-manager-{{ cert_manager_version }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager-webhook:dynamic-serving +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: {{ cert_manager_namespace }} diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2 index 6380634a7..126aa49b1 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2 @@ -1,3 +1,30 @@ +# Copyright YEAR The Jetstack cert-manager contributors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-manager-cainjector + namespace: {{ cert_manager_namespace }} + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: cainjector + helm.sh/chart: cert-manager-{{ cert_manager_version }} --- apiVersion: v1 kind: ServiceAccount @@ -6,6 +33,21 @@ metadata: namespace: {{ cert_manager_namespace }} labels: app: cert-manager - chart: cert-manager-v0.5.2 - release: cert-manager - heritage: Tiller + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + helm.sh/chart: cert-manager-{{ cert_manager_version }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-manager-webhook + namespace: {{ cert_manager_namespace }} + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: webhook + helm.sh/chart: cert-manager-{{ cert_manager_version }} diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2 new file mode 100644 index 000000000..c9785f43e --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2 @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: ca-key-pair + namespace: {{ cert_manager_namespace }} +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvRENDQW9pZ0F3SUJBZ0lVYXRUWVNIK1lUMVJvbXVGekF2clFRWGtsQ0Vrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTVJNd0VRWURWUVFECkV3cExkV0psY201bGRHVnpNQjRYRFRJd01EY3hNREUxTWpFd01Gb1hEVEkxTURjd09URTFNakV3TUZvd2FERUwKTUFrR0ExVUVCaE1DVlZNeER6QU5CZ05WQkFnVEJrOXlaV2R2YmpFUk1BOEdBMVVFQnhNSVVHOXlkR3hoYm1ReApFekFSQmdOVkJBb1RDa3QxWW1WeWJtVjBaWE14Q3pBSkJnTlZCQXNUQWtOQk1STXdFUVlEVlFRREV3cExkV0psCmNtNWxkR1Z6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0MmZFNUhRSm8vNGIKRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZObzUrNTNqQ29SdFFWd1FyYU12QnozMGRJbzd6agpMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1ZOTkgzN05KVUVKV0NHTnVoUmVFNDRpcUtmSDV3Ck9iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZERsUk9jdzBSRmdieDkvWk5GS1lYR3BQcmdyR0wKWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjd3RCZkxOV0pWbGRET2dJNFpmWDBaNnNBN2lobgptQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlJnamJNblRxQ2hGa1ZROHhtaXMwckZmMVprN3ZwCjNOMWFtY2hBQVFJREFRQUJvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIKL3pBZEJnTlZIUTRFRmdRVTFEaTE0aVpKWGczajNObHdjenZFR1dwRFN2SXdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQURkR1FDSFcwNkFVZUo4alM3cURPM2F1TG4xTHE0c1JCWHBoVUZ6TGRyMi9rUUlZd1BtcTRmb09RMjBwCitLTVUyanpmR0VHd3ZOU0p2QnphNHRGS1NiZHRpeFI3RmsyREdPLzc5a3ZPZ2o3UVRrUUpkUzNwaWtSc09EMlUKaytpa09qL2wyTkRSRFVXZlh4RjRjeVZTZ0VubDExUUVDa0JrUHBIYlIrUHQxYWhnMGVRMElnL0MvZC8vN2Vtegp3ZWNUZjBsQkc1UmszaURHdkxhaHdTek9jQWhSY1BxVW9idCs1bTVycmp0R3BrTFNQOTBzVko2TTZ3ZE43dGR4CkNpTktWWGRZaHBZWmUrQ1hEQ2lRR0NLVHE5NHJPbGptVmh5Z0FKWjlBOERVOWVZRmVOci9oOW84c2JYNFlzcU0KV3YwREkyQldlQ3k3MmlXZXErNHkwTENKSzQ4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdDJmRTVIUUpvLzRiRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZOCm81KzUzakNvUnRRVndRcmFNdkJ6MzBkSW83empMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1YKTk5IMzdOSlVFSldDR051aFJlRTQ0aXFLZkg1d09iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZApEbFJPY3cwUkZnYng5L1pORktZWEdwUHJnckdMWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjCnd0QmZMTldKVmxkRE9nSTRaZlgwWjZzQTdpaG5tQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlIKZ2piTW5UcUNoRmtWUTh4bWlzMHJGZjFaazd2cDNOMWFtY2hBQVFJREFRQUJBb0lCQUJZd2R0RFEvUzJiRzduKwpTQ0F4SEJnZVdrN21wVXNjZ0dqdVpQbWhVQm55K0ZjVXNNMEFFU1BCclVwTWRJbFRmOHl6N01EeHhlY1Jma2J2ClFuZExkVExodFBUZEIyaUVNdVNtQTVyS3A1cFkxdjB2cVJrbjRpQUQzbW5YUE5NM0YwNzJEY1RITXRRWEZBclgKbzNWN2N5b0JveXZXV0RNaXpHREJ0Q2YrbnhFeFFzS0lLUGFxRzlDVWZlSU95RVgzRXJ6QWo3b3lnSXFLZGozbgpFbVBzbThrWDVROW9iOUZwd3FKNkxMTzcxTklQZnpaOUNLSXpSYzBNU3grL3hPYmdKSlJCNmtZTXpjWkloQ1JBClNNclBsYXZLMEVzMHpoTnIyc05aZHBlSmRzWGk5YURwZjhMOTEvdFpJeEpSMEdSUXpEZXhBN2FWdk8vVUo0N0YKOXNXUVBUVUNnWUVBeXNvTm01VHdkNWZqRzk3NXVRa3pGQUgrRGVCNXBlNTBOMkpyN01neWZsVm8zZlJrSTFKKwpsZXlyUnRIempKSzlqeEVtdVJ0YnIvUWZ3MGRUNnhRSnVJSmk3Vmlld3NPNUgzeWtwdytkbm9jVUhVVDhFWEpVCnpLSzRmSGo1SjFrNHBmaHlnNFBJZ0YxMFF1anhJRlc3Q0R3UERJRStuZm5ZczBJZ1U3SkV0OU1DZ1lFQTU0ZWsKTUltWWMyeHhoYTM1U25qd0ZCeEVwSUF3ZGdvdXBROWVsMHhmVVRkdTJsUnA1NHVZaVFVWURhNjJ6RE1kL21QagppSTdqaGl6TEU4VmU4OWh6QXljeTNIRVJPSHNETkhQVG5WN0phcmp3T29aWWIvRnM2NkxtazZMY05BbGI3TER6Cm5FNGdkTEt0cWpQVnBMbmF1T3VOQitXQzY5bm9xRUZpZWxnUWVGc0NnWUIxZGk0RnBYTFlReEZZem9JbHJPOTYKTW1FL0ZueEFJZXdOUEtRNUJnbEJaaVdWRXYrQitrRzZnOWo5NzVTOEl5OUxsR3F5bytjcTl5UUN6K2tLN0pObwozWldCMTJnMmRucGZnNm8zM25LMUpaY0FFVHBVdkwzanZvbFFDQjZCclV1RHozSTlQWE5BNzJEdGROSmVvV254CnJpQWxaU09wQzlSNm1OM3l2UHJTNHdLQmdCQS9WWWRPY0pOUS9kcHFyZjdLNDlZVmNiKzFlekVkWDg2WGVJVFgKaUN6VDNnU1dQZVJReUlCOUNnWVR4NklteUNrTTYyK3V6MHFnSkJRY0dxQzBCTVlvM3duWEtXVTBSTEpPbW9BRgpvYzdLY1prNXlrVDR4VEwzK0lSTnZuUXNYL1lKS045RUlFVHdNUDJycTRkbXYzR1FuaEg2eWlndzM0SEhMTmozCkN4alhBb0dBSjBUNkN0c1c2dEVpYUI5bnc4enI3M2xkMDhraDZSL3B4VHF5c2diNERFTmptd2dndUFoMlJSZkwKYVg3eTNqSUNOTFBjWEFOYlB0QmYrQkRBTTl0UTEzMk5hYzg3N016RHRVSyswem9CWWtwWGM4Rkd4akVuTzc5RQp2MC9vT2wzR2RaWnNJSXhLblcvVlVmYjJydGY1RWgyQytOY1FpWkNXZm5kWkthMXR4WjQ9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2 new file mode 100644 index 000000000..0ee3ff352 --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2 @@ -0,0 +1,60 @@ +# Copyright YEAR The Jetstack cert-manager contributors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: v1 +kind: Service +metadata: + name: cert-manager + namespace: {{ cert_manager_namespace }} + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + helm.sh/chart: cert-manager-{{ cert_manager_version }} +spec: + type: ClusterIP + ports: + - protocol: TCP + port: 9402 + targetPort: 9402 + selector: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +--- +apiVersion: v1 +kind: Service +metadata: + name: cert-manager-webhook + namespace: {{ cert_manager_namespace }} + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: webhook + helm.sh/chart: cert-manager-{{ cert_manager_version }} +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: 10250 + selector: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: webhook diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2 new file mode 100644 index 000000000..843ac320a --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2 @@ -0,0 +1,96 @@ +# Copyright YEAR The Jetstack cert-manager contributors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: webhook + helm.sh/chart: cert-manager-{{ cert_manager_version }} + annotations: + cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" +webhooks: + - name: webhook.cert-manager.io + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - v1alpha2 + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - "*/*" + failurePolicy: Fail + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None + clientConfig: + service: + name: cert-manager-webhook + namespace: {{ cert_manager_namespace }} + path: /mutate +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: webhook + helm.sh/chart: cert-manager-{{ cert_manager_version }} + annotations: + cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" +webhooks: + - name: webhook.cert-manager.io + namespaceSelector: + matchExpressions: + - key: "cert-manager.io/disable-validation" + operator: "NotIn" + values: + - "true" + - key: "name" + operator: "NotIn" + values: + - cert-manager + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - v1alpha2 + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - "*/*" + failurePolicy: Fail + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None + clientConfig: + service: + name: cert-manager-webhook + namespace: {{ cert_manager_namespace }} + path: /validate