From 9cc70e9e7072809d0ddb627a99879c56fffda9e6 Mon Sep 17 00:00:00 2001
From: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
Date: Thu, 6 Aug 2020 07:26:55 +0100
Subject: [PATCH] Upgrade JetStack Cert-Manager to v0.15.2 (#6414)

* Upgrade JetStack Cert-Manager to v0.15.2

* Add README.md table of contents
---
 README.md                                     |    2 +-
 roles/download/defaults/main.yml              |   24 +-
 .../ingress_controller/cert_manager/README.md |  186 +-
 .../cert_manager/tasks/main.yml               |   51 +-
 .../templates/00-namespace.yml.j2             |   15 +-
 .../clusterissuer-cert-manager.yml.j2         |   23 +
 .../templates/clusterrole-cert-manager.yml.j2 |  293 +-
 .../clusterrolebinding-cert-manager.yml.j2    |  150 +-
 .../templates/crd-certificate.yml.j2          |  295 +-
 .../templates/crd-challenge.yml.j2            | 1466 +++++++
 .../templates/crd-clusterissuer.yml.j2        | 3518 +++++++++--------
 .../cert_manager/templates/crd-issuer.yml.j2  | 3514 ++++++++--------
 .../cert_manager/templates/crd-order.yml.j2   |  253 ++
 .../templates/deploy-cert-manager.yml.j2      |  171 +-
 .../templates/role-cert-manager.yml.j2        |   85 +
 .../templates/rolebinding-cert-manager.yml.j2 |   79 +
 .../templates/sa-cert-manager.yml.j2          |   48 +-
 .../templates/secret-cert-manager.yml.j2      |    9 +
 .../templates/svc-cert-manager.yml.j2         |   60 +
 .../templates/webhook-cert-manager.yml.j2     |   96 +
 20 files changed, 6786 insertions(+), 3552 deletions(-)
 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2
 create mode 100644 roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2

diff --git a/README.md b/README.md
index 31b54eabb..20cde4339 100644
--- a/README.md
+++ b/README.md
@@ -136,7 +136,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [ambassador](https://github.com/datawire/ambassador): v1.5
   - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
   - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
-  - [cert-manager](https://github.com/jetstack/cert-manager) v0.11.1
+  - [cert-manager](https://github.com/jetstack/cert-manager) v0.15.2
   - [coredns](https://github.com/coredns/coredns) v1.6.7
   - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.32.0
 
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index bbe497008..1380c6b4c 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -546,9 +546,13 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
 ingress_ambassador_image_tag: "v1.2.8"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.8"
-cert_manager_version: "v0.11.1"
+cert_manager_version: "v0.15.2"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
+cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
+cert_manager_cainjector_image_tag: "{{ cert_manager_version }}"
+cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-webhook"
+cert_manager_webhook_image_tag: "{{ cert_manager_version }}"
 addon_resizer_version: "1.8.9"
 addon_resizer_image_repo: "{{ kube_image_repo }}/addon-resizer"
 addon_resizer_image_tag: "{{ addon_resizer_version }}"
@@ -1078,6 +1082,24 @@ downloads:
     groups:
     - kube-node
 
+  cert_manager_cainjector:
+    enabled: "{{ cert_manager_enabled }}"
+    container: true
+    repo: "{{ cert_manager_cainjector_image_repo }}"
+    tag: "{{ cert_manager_cainjector_image_tag }}"
+    sha256: "{{ cert_manager_cainjector_digest_checksum|default(None) }}"
+    groups:
+    - kube-node
+
+  cert_manager_webhook:
+    enabled: "{{ cert_manager_enabled }}"
+    container: true
+    repo: "{{ cert_manager_webhook_image_repo }}"
+    tag: "{{ cert_manager_webhook_image_tag }}"
+    sha256: "{{ cert_manager_webhook_digest_checksum|default(None) }}"
+    groups:
+    - kube-node
+
   csi_attacher:
     enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
     container: true
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/README.md b/roles/kubernetes-apps/ingress_controller/cert_manager/README.md
index b0f008676..99501f292 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/README.md
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/README.md
@@ -1,17 +1,179 @@
-Deployment files
-================
+# Installation Guide
 
-This directory contains example deployment manifests for cert-manager that can
-be used in place of the official Helm chart.
+- [Installation Guide](#installation-guide)
+  - [Kubernetes TLS Root CA Certificate/Key Secret](#kubernetes-tls-root-ca-certificatekey-secret)
+  - [Securing Ingress Resources](#securing-ingress-resources)
+    - [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
+      - [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
+      - [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
+      - [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
+      - [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)
 
-This is useful if you are deploying cert-manager into an environment without
-Helm, or want to inspect a 'bare minimum' deployment.
+Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
 
-Where do these come from?
--------------------------
+The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
 
-The manifests in these subdirectories are generated from the Helm chart
-automatically. The `values.yaml` files used to configure cert-manager can be
-found in [`hack/deploy`](../../hack/deploy/).
+Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
 
-They are automatically generated by running `./hack/update-deploy-gen.sh`.
+## Kubernetes TLS Root CA Certificate/Key Secret
+
+If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
+
+If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
+
+e.g.
+
+```shell
+$ cat ca.pem | base64 -w 0
+LS0tLS1CRUdJTiBDRVJU...
+
+$ cat ca-key.pem | base64 -w 0
+LS0tLS1CRUdJTiBSU0Eg...
+```
+
+For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
+
+Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and setting `cert_manager_enabled` to true.
+
+```ini
+# Cert manager deployment
+cert_manager_enabled: true
+```
+
+If you don't have a TLS Root CA certificate and key available, you can create these by following the steps outlined in section [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key) using the Cloudflare PKI/TLS `cfssl` toolkit. TLS Root CA certificates and keys can also be created using `ssh-keygen` and OpenSSL, if `cfssl` is not available.
+
+## Securing Ingress Resources
+
+A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
+
+To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and set `ingress_nginx_enabled` to true.
+
+```ini
+# Nginx ingress controller deployment
+ingress_nginx_enabled: true
+```
+
+For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
+
+```yaml
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: prometheus-k8s
+  namespace: monitoring
+  labels:
+    prometheus: k8s
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: ca-issuer
+spec:
+  tls:
+  - hosts:
+    - prometheus.example.com
+    secretName: prometheus-dashboard-certs
+  rules:
+  - host: prometheus.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: prometheus-k8s
+          servicePort: web
+```
+
+Once deployed to your K8s cluster, every 3 months cert-manager will automatically rotate the Prometheus `prometheus.example.com` TLS client certificate and key, and store these as the Kubernetes `prometheus-dashboard-certs` secret.
+
+For further information, read the official [Cert-Manager Ingress](https://cert-manager.io/docs/usage/ingress/) doc.
+
+### Create New TLS Root CA Certificate and Key
+
+#### Install Cloudflare PKI/TLS `cfssl` Toolkit.
+
+e.g. For Ubuntu/Debian distibutions, the toolkit is part of the `golang-cfssl` package.
+
+```shell
+$ sudo apt-get install -y golang-cfssl
+```
+
+#### Create Root Certificate Authority (CA) Configuration File
+
+The default TLS certificate expiry time period is `8760h` which is 5 years from the date the certificate is created.
+
+```shell
+$ cat > ca-config.json <<EOF
+{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "kubernetes": {
+        "usages": ["signing", "key encipherment", "server auth", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}
+EOF
+```
+
+#### Create Certficate Signing Request (CSR) Configuration File
+
+The TLS certificate `names` details can be updated to your own specific requirements.
+
+```shell
+$ cat > ca-csr.json <<EOF
+{
+  "CN": "Kubernetes",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "CA",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+```
+
+#### Create TLS Root CA Certificate and Key
+
+```shell
+$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+ca.pem
+ca-key.pem
+```
+
+Check the TLS Root CA certificate has the correct `Not Before` and `Not After` dates, and ensure it is indeed a valid Certificate Authority with the X509v3 extension `CA:TRUE`.
+
+```shell
+$ openssl x509 -text -noout -in ca.pem
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            6a:d4:d8:48:7f:98:4f:54:68:9a:e1:73:02:fa:d0:41:79:25:08:49
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
+        Validity
+            Not Before: Jul 10 15:21:00 2020 GMT
+            Not After : Jul  9 15:21:00 2025 GMT
+        Subject: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
+        Subject Public Key Info:
+        ...
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier:
+                D4:38:B5:E2:26:49:5E:0D:E3:DC:D9:70:73:3B:C4:19:6A:43:4A:F2
+                ...
+```
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml b/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
index d8ca7ad17..5029cb1df 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
@@ -28,19 +28,30 @@
   when:
     - inventory_hostname == groups['kube-master'][0]
 
+- name: Cert Manager | Templates list
+  set_fact:
+    cert_manager_templates:
+      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
+      - { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
+      - { name: crd-certificate, file: crd-certificate.yml, type: crd }
+      - { name: crd-challenge, file: crd-challenge.yml, type: crd }
+      - { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
+      - { name: crd-issuer, file: crd-issuer.yml, type: crd }
+      - { name: crd-order, file: crd-order.yml, type: crd }
+      - { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
+      - { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
+      - { name: role-cert-manager, file: role-cert-manager.yml, type: role }
+      - { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
+      - { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
+      - { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
+      - { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
+      - { name: secret-cert-manager, file: secret-cert-manager.yml, type: secret }
+
 - name: Cert Manager | Create manifests
   template:
     src: "{{ item.file }}.j2"
     dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
-  with_items:
-    - { name: 00-namespace, file: 00-namespace.yml, type: ns }
-    - { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
-    - { name: crd-certificate, file: crd-certificate.yml, type: crd }
-    - { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
-    - { name: crd-issuer, file: crd-issuer.yml, type: crd }
-    - { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
-    - { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
-    - { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
+  with_items: "{{ cert_manager_templates }}"
   register: cert_manager_manifests
   when:
     - inventory_hostname == groups['kube-master'][0]
@@ -48,7 +59,6 @@
 - name: Cert Manager | Apply manifests
   kube:
     name: "{{ item.item.name }}"
-    namespace: "{{ cert_manager_namespace }}"
     kubectl: "{{ bin_dir }}/kubectl"
     resource: "{{ item.item.type }}"
     filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
@@ -56,3 +66,24 @@
   with_items: "{{ cert_manager_manifests.results }}"
   when:
     - inventory_hostname == groups['kube-master'][0]
+
+- name: Cert Manager | Wait for Webhook pods become ready
+  shell: "{{ bin_dir }}/kubectl wait po --namespace={{ cert_manager_namespace }} --selector app=webhook --for=condition=Ready --timeout=600s"
+  register: cert_manager_webhook_pods_ready
+  when: inventory_hostname == groups['kube-master'][0]
+
+- name: Cert Manager | Create ClusterIssuer manifest
+  template:
+    src: "clusterissuer-cert-manager.yml.j2"
+    dest: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
+  register: cert_manager_clusterissuer_manifest
+  when:
+    - inventory_hostname == groups['kube-master'][0] and cert_manager_webhook_pods_ready is succeeded
+
+- name: Cert Manager | Apply ClusterIssuer manifest
+  kube:
+    name: "clusterissuer-cert-manager"
+    kubectl: "{{ bin_dir }}/kubectl"
+    filename: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
+    state: "latest"
+  when: inventory_hostname == groups['kube-master'][0] and cert_manager_clusterissuer_manifest is succeeded
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2
index fef90aed6..5db14efb7 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2
@@ -1,3 +1,17 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
 apiVersion: v1
 kind: Namespace
@@ -5,4 +19,3 @@ metadata:
   name: {{ cert_manager_namespace }}
   labels:
     name: {{ cert_manager_namespace }}
-    certmanager.k8s.io/disable-validation: "true"
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2
new file mode 100644
index 000000000..f016ad053
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2
@@ -0,0 +1,23 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: ca-issuer
+  namespace: {{ cert_manager_namespace }}
+spec:
+  ca:
+    secretName: ca-key-pair
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
index 6ab011195..1ad7a8742 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
@@ -1,20 +1,293 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-cainjector
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "create", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["auditregistration.k8s.io"]
+    resources: ["auditsinks"]
+    verbs: ["get", "list", "watch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-orders
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders", "orders/status"]
+    verbs: ["update"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders", "challenges"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers", "issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["create", "delete"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders/finalizers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-ingress-shim
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests"]
+    verbs: ["create", "update", "delete"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["extensions"]
+    resources: ["ingresses/finalizers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager
+  name: cert-manager-view
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
-    resources: ["certificates", "issuers", "clusterissuers"]
-    verbs: ["*"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "issuers"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-challenges
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  # Use to update challenge resource status
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges", "challenges/status"]
+    verbs: ["update"]
+  # Used to watch challenge resources
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["get", "list", "watch"]
+  # Used to watch challenges, issuer and clusterissuer resources
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  # Need to be able to retrieve ACME account private key to complete challenges
   - apiGroups: [""]
-    resources: ["configmaps", "secrets", "events", "services", "pods"]
-    verbs: ["*"]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  # Used to create events
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  # HTTP01 rules
+  - apiGroups: [""]
+    resources: ["pods", "services"]
+    verbs: ["get", "list", "watch", "create", "delete"]
   - apiGroups: ["extensions"]
     resources: ["ingresses"]
-    verbs: ["*"]
+    verbs: ["get", "list", "watch", "create", "delete", "update"]
+  # We require the ability to specify a custom hostname when we are creating
+  # new ingress resources.
+  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes/custom-host"]
+    verbs: ["create"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges/finalizers"]
+    verbs: ["update"]
+  # DNS01 rules (duplicated above)
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-issuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "issuers/status"]
+    verbs: ["update"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-clusterissuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers", "clusterissuers/status"]
+    verbs: ["update"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-edit
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "issuers"]
+    verbs: ["create", "delete", "deletecollection", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-certificates
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
+    verbs: ["update"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
+    verbs: ["get", "list", "watch"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders"]
+    verbs: ["create", "delete", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
index 926762ec5..381169536 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
@@ -1,17 +1,153 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager
+  name: cert-manager-cainjector
   labels:
-    app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cert-manager
+  name: cert-manager-cainjector
+subjects:
+  - name: cert-manager-cainjector
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-certificates
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-certificates
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-clusterissuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-clusterissuers
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-challenges
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-challenges
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-ingress-shim
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-ingress-shim
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-orders
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-orders
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-issuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-issuers
 subjects:
   - name: cert-manager
     namespace: {{ cert_manager_namespace }}
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
index 40f6ebd04..1b90c7a8b 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
@@ -1,25 +1,291 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: certificates.certmanager.k8s.io
+  name: certificaterequests.cert-manager.io
   annotations:
-    "helm.sh/hook": crd-install
-    "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
-  group: certmanager.k8s.io
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
+  names:
+    kind: CertificateRequest
+    listKind: CertificateRequestList
+    plural: certificaterequests
+    shortNames:
+    - cr
+    - crs
+    singular: certificaterequest
   scope: Namespaced
+  subresources:
+    status: {}
   versions:
-  - name: v1alpha1
+  - name: v1alpha2
     served: true
     storage: true
-    schema:
-      openAPIV3Schema:
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      description: CertificateRequest is a type to represent a Certificate Signing
+        Request
+      type: object
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: CertificateRequestSpec defines the desired state of CertificateRequest
+          type: object
+          required:
+          - csr
+          - issuerRef
+          properties:
+            csr:
+              description: Byte slice containing the PEM encoded CertificateSigningRequest
+              type: string
+              format: byte
+            duration:
+              description: Requested certificate default Duration
+              type: string
+            isCA:
+              description: IsCA will mark the resulting certificate as valid for signing.
+                This implies that the 'cert sign' usage is set
+              type: boolean
+            issuerRef:
+              description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
+                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                with the given name in the same namespace as the CertificateRequest
+                will be used.  If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+                with the provided name will be used. The 'name' field in this stanza
+                is required at all times. The group field refers to the API group
+                of the issuer which defaults to 'cert-manager.io' if empty.
+              type: object
+              required:
+              - name
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+            usages:
+              description: Usages is the set of x509 actions that are enabled for
+                a given key. Defaults are ('digital signature', 'key encipherment')
+                if empty
+              type: array
+              items:
+                description: 'KeyUsage specifies valid usage contexts for keys. See:
+                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                  Valid KeyUsage values are as follows: "signing", "digital signature",
+                  "content commitment", "key encipherment", "key agreement", "data
+                  encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                  only", "any", "server auth", "client auth", "code signing", "email
+                  protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                  user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                  sgc"'
+                type: string
+                enum:
+                - signing
+                - digital signature
+                - content commitment
+                - key encipherment
+                - key agreement
+                - data encipherment
+                - cert sign
+                - crl sign
+                - encipher only
+                - decipher only
+                - any
+                - server auth
+                - client auth
+                - code signing
+                - email protection
+                - s/mime
+                - ipsec end system
+                - ipsec tunnel
+                - ipsec user
+                - timestamping
+                - ocsp signing
+                - microsoft sgc
+                - netscape sgc
+        status:
+          description: CertificateStatus defines the observed state of CertificateRequest
+            and resulting signed certificate.
+          type: object
+          properties:
+            ca:
+              description: Byte slice containing the PEM encoded certificate authority
+                of the signed certificate.
+              type: string
+              format: byte
+            certificate:
+              description: Byte slice containing a PEM encoded signed certificate
+                resulting from the given certificate signing request.
+              type: string
+              format: byte
+            conditions:
+              type: array
+              items:
+                description: CertificateRequestCondition contains condition information
+                  for a CertificateRequest.
+                type: object
+                required:
+                - status
+                - type
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp corresponding
+                      to the last status change of this condition.
+                    type: string
+                    format: date-time
+                  message:
+                    description: Message is a human readable description of the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 'False',
+                      'Unknown').
+                    type: string
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                  type:
+                    description: Type of the condition, currently ('Ready', 'InvalidRequest').
+                    type: string
+            failureTime:
+              description: FailureTime stores the time that this CertificateRequest
+                failed. This is used to influence garbage collection and back-off.
+              type: string
+              format: date-time
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: certificates.cert-manager.io
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .spec.secretName
+    name: Secret
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
+  names:
+    kind: Certificate
+    listKind: CertificateList
+    plural: certificates
+    shortNames:
+    - cert
+    - certs
+    singular: certificate
+  scope: Namespaced
+  subresources:
+    status: {}
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+    "schema":
+      "openAPIV3Schema":
         description: Certificate is a type to represent a Certificate from ACME
         type: object
         properties:
@@ -711,10 +977,3 @@ spec:
                   issuance by checking if the revision value in the annotation is
                   greater than this field."
                 type: integer
-  names:
-    kind: Certificate
-    plural: certificates
-    shortNames:
-      - cert
-      - certs
-
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
new file mode 100644
index 000000000..63e0f56d8
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
@@ -0,0 +1,1466 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: challenges.acme.cert-manager.io
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.state
+    name: State
+    type: string
+  - JSONPath: .spec.dnsName
+    name: Domain
+    type: string
+  - JSONPath: .status.reason
+    name: Reason
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: acme.cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
+  names:
+    kind: Challenge
+    listKind: ChallengeList
+    plural: challenges
+    singular: challenge
+  scope: Namespaced
+  subresources:
+    status: {}
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      description: Challenge is a type to represent a Challenge request with an ACME
+        server
+      type: object
+      required:
+      - metadata
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          type: object
+          required:
+          - authzURL
+          - dnsName
+          - issuerRef
+          - key
+          - solver
+          - token
+          - type
+          - url
+          properties:
+            authzURL:
+              description: AuthzURL is the URL to the ACME Authorization resource
+                that this challenge is a part of.
+              type: string
+            dnsName:
+              description: DNSName is the identifier that this challenge is for, e.g.
+                example.com. If the requested DNSName is a 'wildcard', this field
+                MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+                it must be `example.com`.
+              type: string
+            issuerRef:
+              description: IssuerRef references a properly configured ACME-type Issuer
+                which should be used to create this Challenge. If the Issuer does
+                not exist, processing will be retried. If the Issuer is not an 'ACME'
+                Issuer, an error will be returned and the Challenge will be marked
+                as failed.
+              type: object
+              required:
+              - name
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+            key:
+              description: 'Key is the ACME challenge key for this challenge For HTTP01
+                challenges, this is the value that must be responded with to complete
+                the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
+                from acme server for challenge>`. For DNS01 challenges, this is the
+                base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+                from acme server for challenge>` text that must be set as the TXT
+                record content.'
+              type: string
+            solver:
+              description: Solver contains the domain solving configuration that should
+                be used to solve this challenge resource.
+              type: object
+              properties:
+                dns01:
+                  type: object
+                  properties:
+                    acmedns:
+                      description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing
+                        the configuration for ACME-DNS servers
+                      type: object
+                      required:
+                      - accountSecretRef
+                      - host
+                      properties:
+                        accountSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        host:
+                          type: string
+                    akamai:
+                      description: ACMEIssuerDNS01ProviderAkamai is a structure containing
+                        the DNS configuration for Akamai DNS—Zone Record Management
+                        API
+                      type: object
+                      required:
+                      - accessTokenSecretRef
+                      - clientSecretSecretRef
+                      - clientTokenSecretRef
+                      - serviceConsumerDomain
+                      properties:
+                        accessTokenSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        clientSecretSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        clientTokenSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        serviceConsumerDomain:
+                          type: string
+                    azuredns:
+                      description: ACMEIssuerDNS01ProviderAzureDNS is a structure
+                        containing the configuration for Azure DNS
+                      type: object
+                      required:
+                      - resourceGroupName
+                      - subscriptionID
+                      properties:
+                        clientID:
+                          description: if both this and ClientSecret are left unset
+                            MSI will be used
+                          type: string
+                        clientSecretSecretRef:
+                          description: if both this and ClientID are left unset MSI
+                            will be used
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        environment:
+                          type: string
+                          enum:
+                          - AzurePublicCloud
+                          - AzureChinaCloud
+                          - AzureGermanCloud
+                          - AzureUSGovernmentCloud
+                        hostedZoneName:
+                          type: string
+                        resourceGroupName:
+                          type: string
+                        subscriptionID:
+                          type: string
+                        tenantID:
+                          description: when specifying ClientID and ClientSecret then
+                            this field is also needed
+                          type: string
+                    clouddns:
+                      description: ACMEIssuerDNS01ProviderCloudDNS is a structure
+                        containing the DNS configuration for Google Cloud DNS
+                      type: object
+                      required:
+                      - project
+                      properties:
+                        project:
+                          type: string
+                        serviceAccountSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    cloudflare:
+                      description: ACMEIssuerDNS01ProviderCloudflare is a structure
+                        containing the DNS configuration for Cloudflare
+                      type: object
+                      required:
+                      - email
+                      properties:
+                        apiKeySecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        apiTokenSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        email:
+                          type: string
+                    cnameStrategy:
+                      description: CNAMEStrategy configures how the DNS01 provider
+                        should handle CNAME records when found in DNS zones.
+                      type: string
+                      enum:
+                      - None
+                      - Follow
+                    digitalocean:
+                      description: ACMEIssuerDNS01ProviderDigitalOcean is a structure
+                        containing the DNS configuration for DigitalOcean Domains
+                      type: object
+                      required:
+                      - tokenSecretRef
+                      properties:
+                        tokenSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    rfc2136:
+                      description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing
+                        the configuration for RFC2136 DNS
+                      type: object
+                      required:
+                      - nameserver
+                      properties:
+                        nameserver:
+                          description: The IP address or hostname of an authoritative
+                            DNS server supporting RFC2136 in the form host:port. If
+                            the host is an IPv6 address it must be enclosed in square
+                            brackets (e.g [2001:db8::1]) ; port is optional. This
+                            field is required.
+                          type: string
+                        tsigAlgorithm:
+                          description: 'The TSIG Algorithm configured in the DNS supporting
+                            RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName``
+                            are defined. Supported values are (case-insensitive):
+                            ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or
+                            ``HMACSHA512``.'
+                          type: string
+                        tsigKeyName:
+                          description: The TSIG Key name configured in the DNS. If
+                            ``tsigSecretSecretRef`` is defined, this field is required.
+                          type: string
+                        tsigSecretSecretRef:
+                          description: The name of the secret containing the TSIG
+                            value. If ``tsigKeyName`` is defined, this field is required.
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    route53:
+                      description: ACMEIssuerDNS01ProviderRoute53 is a structure containing
+                        the Route 53 configuration for AWS
+                      type: object
+                      required:
+                      - region
+                      properties:
+                        accessKeyID:
+                          description: 'The AccessKeyID is used for authentication.
+                            If not set we fall-back to using env vars, shared credentials
+                            file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                          type: string
+                        hostedZoneID:
+                          description: If set, the provider will manage only this
+                            zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName
+                            api call.
+                          type: string
+                        region:
+                          description: Always set the region when using AccessKeyID
+                            and SecretAccessKey
+                          type: string
+                        role:
+                          description: Role is a Role ARN which the Route53 provider
+                            will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+                            or the inferred credentials from environment variables,
+                            shared credentials file or AWS Instance metadata
+                          type: string
+                        secretAccessKeySecretRef:
+                          description: The SecretAccessKey is used for authentication.
+                            If not set we fall-back to using env vars, shared credentials
+                            file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    webhook:
+                      description: ACMEIssuerDNS01ProviderWebhook specifies configuration
+                        for a webhook DNS01 provider, including where to POST ChallengePayload
+                        resources.
+                      type: object
+                      required:
+                      - groupName
+                      - solverName
+                      properties:
+                        config:
+                          description: Additional configuration that should be passed
+                            to the webhook apiserver when challenges are processed.
+                            This can contain arbitrary JSON data. Secret values should
+                            not be specified in this stanza. If secret values are
+                            needed (e.g. credentials for a DNS service), you should
+                            use a SecretKeySelector to reference a Secret resource.
+                            For details on the schema of this field, consult the webhook
+                            provider implementation's documentation.
+                          x-kubernetes-preserve-unknown-fields: true
+                        groupName:
+                          description: The API group name that should be used when
+                            POSTing ChallengePayload resources to the webhook apiserver.
+                            This should be the same as the GroupName specified in
+                            the webhook provider implementation.
+                          type: string
+                        solverName:
+                          description: The name of the solver to use, as defined in
+                            the webhook provider implementation. This will typically
+                            be the name of the provider, e.g. 'cloudflare'.
+                          type: string
+                http01:
+                  description: ACMEChallengeSolverHTTP01 contains configuration detailing
+                    how to solve HTTP01 challenges within a Kubernetes cluster. Typically
+                    this is accomplished through creating 'routes' of some description
+                    that configure ingress controllers to direct traffic to 'solver
+                    pods', which are responsible for responding to the ACME server's
+                    HTTP requests.
+                  type: object
+                  properties:
+                    ingress:
+                      description: The ingress based HTTP01 challenge solver will
+                        solve challenges by creating or modifying Ingress resources
+                        in order to route requests for '/.well-known/acme-challenge/XYZ'
+                        to 'challenge solver' pods that are provisioned by cert-manager
+                        for each Challenge to be completed.
+                      type: object
+                      properties:
+                        class:
+                          description: The ingress class to use when creating Ingress
+                            resources to solve ACME challenges that use this challenge
+                            solver. Only one of 'class' or 'name' may be specified.
+                          type: string
+                        ingressTemplate:
+                          description: Optional ingress template used to configure
+                            the ACME challenge solver ingress used for HTTP01 challenges
+                          type: object
+                          properties:
+                            metadata:
+                              description: ObjectMeta overrides for the ingress used
+                                to solve HTTP01 challenges. Only the 'labels' and
+                                'annotations' fields may be set. If labels or annotations
+                                overlap with in-built values, the values here will
+                                override the in-built values.
+                              type: object
+                              properties:
+                                annotations:
+                                  description: Annotations that should be added to
+                                    the created ACME HTTP01 solver ingress.
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                                labels:
+                                  description: Labels that should be added to the
+                                    created ACME HTTP01 solver ingress.
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                        name:
+                          description: The name of the ingress resource that should
+                            have ACME challenge solving routes inserted into it in
+                            order to solve HTTP01 challenges. This is typically used
+                            in conjunction with ingress controllers like ingress-gce,
+                            which maintains a 1:1 mapping between external IPs and
+                            ingress resources.
+                          type: string
+                        podTemplate:
+                          description: Optional pod template used to configure the
+                            ACME challenge solver pods used for HTTP01 challenges
+                          type: object
+                          properties:
+                            metadata:
+                              description: ObjectMeta overrides for the pod used to
+                                solve HTTP01 challenges. Only the 'labels' and 'annotations'
+                                fields may be set. If labels or annotations overlap
+                                with in-built values, the values here will override
+                                the in-built values.
+                              type: object
+                              properties:
+                                annotations:
+                                  description: Annotations that should be added to
+                                    the create ACME HTTP01 solver pods.
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                                labels:
+                                  description: Labels that should be added to the
+                                    created ACME HTTP01 solver pods.
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                            spec:
+                              description: PodSpec defines overrides for the HTTP01
+                                challenge solver pod. Only the 'nodeSelector', 'affinity'
+                                and 'tolerations' fields are supported currently.
+                                All other fields will be ignored.
+                              type: object
+                              properties:
+                                affinity:
+                                  description: If specified, the pod's scheduling
+                                    constraints
+                                  type: object
+                                  properties:
+                                    nodeAffinity:
+                                      description: Describes node affinity scheduling
+                                        rules for the pod.
+                                      type: object
+                                      properties:
+                                        preferredDuringSchedulingIgnoredDuringExecution:
+                                          description: The scheduler will prefer to
+                                            schedule pods to nodes that satisfy the
+                                            affinity expressions specified by this
+                                            field, but it may choose a node that violates
+                                            one or more of the expressions. The node
+                                            that is most preferred is the one with
+                                            the greatest sum of weights, i.e. for
+                                            each node that meets all of the scheduling
+                                            requirements (resource request, requiredDuringScheduling
+                                            affinity expressions, etc.), compute a
+                                            sum by iterating through the elements
+                                            of this field and adding "weight" to the
+                                            sum if the node matches the corresponding
+                                            matchExpressions; the node(s) with the
+                                            highest sum are the most preferred.
+                                          type: array
+                                          items:
+                                            description: An empty preferred scheduling
+                                              term matches all objects with implicit
+                                              weight 0 (i.e. it's a no-op). A null
+                                              preferred scheduling term matches no
+                                              objects (i.e. is also a no-op).
+                                            type: object
+                                            required:
+                                            - preference
+                                            - weight
+                                            properties:
+                                              preference:
+                                                description: A node selector term,
+                                                  associated with the corresponding
+                                                  weight.
+                                                type: object
+                                                properties:
+                                                  matchExpressions:
+                                                    description: A list of node selector
+                                                      requirements by node's labels.
+                                                    type: array
+                                                    items:
+                                                      description: A node selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: The label key
+                                                            that the selector applies
+                                                            to.
+                                                          type: string
+                                                        operator:
+                                                          description: Represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists, DoesNotExist.
+                                                            Gt, and Lt.
+                                                          type: string
+                                                        values:
+                                                          description: An array of
+                                                            string values. If the
+                                                            operator is In or NotIn,
+                                                            the values array must
+                                                            be non-empty. If the operator
+                                                            is Exists or DoesNotExist,
+                                                            the values array must
+                                                            be empty. If the operator
+                                                            is Gt or Lt, the values
+                                                            array must have a single
+                                                            element, which will be
+                                                            interpreted as an integer.
+                                                            This array is replaced
+                                                            during a strategic merge
+                                                            patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                  matchFields:
+                                                    description: A list of node selector
+                                                      requirements by node's fields.
+                                                    type: array
+                                                    items:
+                                                      description: A node selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: The label key
+                                                            that the selector applies
+                                                            to.
+                                                          type: string
+                                                        operator:
+                                                          description: Represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists, DoesNotExist.
+                                                            Gt, and Lt.
+                                                          type: string
+                                                        values:
+                                                          description: An array of
+                                                            string values. If the
+                                                            operator is In or NotIn,
+                                                            the values array must
+                                                            be non-empty. If the operator
+                                                            is Exists or DoesNotExist,
+                                                            the values array must
+                                                            be empty. If the operator
+                                                            is Gt or Lt, the values
+                                                            array must have a single
+                                                            element, which will be
+                                                            interpreted as an integer.
+                                                            This array is replaced
+                                                            during a strategic merge
+                                                            patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                              weight:
+                                                description: Weight associated with
+                                                  matching the corresponding nodeSelectorTerm,
+                                                  in the range 1-100.
+                                                type: integer
+                                                format: int32
+                                        requiredDuringSchedulingIgnoredDuringExecution:
+                                          description: If the affinity requirements
+                                            specified by this field are not met at
+                                            scheduling time, the pod will not be scheduled
+                                            onto the node. If the affinity requirements
+                                            specified by this field cease to be met
+                                            at some point during pod execution (e.g.
+                                            due to an update), the system may or may
+                                            not try to eventually evict the pod from
+                                            its node.
+                                          type: object
+                                          required:
+                                          - nodeSelectorTerms
+                                          properties:
+                                            nodeSelectorTerms:
+                                              description: Required. A list of node
+                                                selector terms. The terms are ORed.
+                                              type: array
+                                              items:
+                                                description: A null or empty node
+                                                  selector term matches no objects.
+                                                  The requirements of them are ANDed.
+                                                  The TopologySelectorTerm type implements
+                                                  a subset of the NodeSelectorTerm.
+                                                type: object
+                                                properties:
+                                                  matchExpressions:
+                                                    description: A list of node selector
+                                                      requirements by node's labels.
+                                                    type: array
+                                                    items:
+                                                      description: A node selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: The label key
+                                                            that the selector applies
+                                                            to.
+                                                          type: string
+                                                        operator:
+                                                          description: Represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists, DoesNotExist.
+                                                            Gt, and Lt.
+                                                          type: string
+                                                        values:
+                                                          description: An array of
+                                                            string values. If the
+                                                            operator is In or NotIn,
+                                                            the values array must
+                                                            be non-empty. If the operator
+                                                            is Exists or DoesNotExist,
+                                                            the values array must
+                                                            be empty. If the operator
+                                                            is Gt or Lt, the values
+                                                            array must have a single
+                                                            element, which will be
+                                                            interpreted as an integer.
+                                                            This array is replaced
+                                                            during a strategic merge
+                                                            patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                  matchFields:
+                                                    description: A list of node selector
+                                                      requirements by node's fields.
+                                                    type: array
+                                                    items:
+                                                      description: A node selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: The label key
+                                                            that the selector applies
+                                                            to.
+                                                          type: string
+                                                        operator:
+                                                          description: Represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists, DoesNotExist.
+                                                            Gt, and Lt.
+                                                          type: string
+                                                        values:
+                                                          description: An array of
+                                                            string values. If the
+                                                            operator is In or NotIn,
+                                                            the values array must
+                                                            be non-empty. If the operator
+                                                            is Exists or DoesNotExist,
+                                                            the values array must
+                                                            be empty. If the operator
+                                                            is Gt or Lt, the values
+                                                            array must have a single
+                                                            element, which will be
+                                                            interpreted as an integer.
+                                                            This array is replaced
+                                                            during a strategic merge
+                                                            patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                    podAffinity:
+                                      description: Describes pod affinity scheduling
+                                        rules (e.g. co-locate this pod in the same
+                                        node, zone, etc. as some other pod(s)).
+                                      type: object
+                                      properties:
+                                        preferredDuringSchedulingIgnoredDuringExecution:
+                                          description: The scheduler will prefer to
+                                            schedule pods to nodes that satisfy the
+                                            affinity expressions specified by this
+                                            field, but it may choose a node that violates
+                                            one or more of the expressions. The node
+                                            that is most preferred is the one with
+                                            the greatest sum of weights, i.e. for
+                                            each node that meets all of the scheduling
+                                            requirements (resource request, requiredDuringScheduling
+                                            affinity expressions, etc.), compute a
+                                            sum by iterating through the elements
+                                            of this field and adding "weight" to the
+                                            sum if the node has pods which matches
+                                            the corresponding podAffinityTerm; the
+                                            node(s) with the highest sum are the most
+                                            preferred.
+                                          type: array
+                                          items:
+                                            description: The weights of all of the
+                                              matched WeightedPodAffinityTerm fields
+                                              are added per-node to find the most
+                                              preferred node(s)
+                                            type: object
+                                            required:
+                                            - podAffinityTerm
+                                            - weight
+                                            properties:
+                                              podAffinityTerm:
+                                                description: Required. A pod affinity
+                                                  term, associated with the corresponding
+                                                  weight.
+                                                type: object
+                                                required:
+                                                - topologyKey
+                                                properties:
+                                                  labelSelector:
+                                                    description: A label query over
+                                                      a set of resources, in this
+                                                      case pods.
+                                                    type: object
+                                                    properties:
+                                                      matchExpressions:
+                                                        description: matchExpressions
+                                                          is a list of label selector
+                                                          requirements. The requirements
+                                                          are ANDed.
+                                                        type: array
+                                                        items:
+                                                          description: A label selector
+                                                            requirement is a selector
+                                                            that contains values,
+                                                            a key, and an operator
+                                                            that relates the key and
+                                                            values.
+                                                          type: object
+                                                          required:
+                                                          - key
+                                                          - operator
+                                                          properties:
+                                                            key:
+                                                              description: key is
+                                                                the label key that
+                                                                the selector applies
+                                                                to.
+                                                              type: string
+                                                            operator:
+                                                              description: operator
+                                                                represents a key's
+                                                                relationship to a
+                                                                set of values. Valid
+                                                                operators are In,
+                                                                NotIn, Exists and
+                                                                DoesNotExist.
+                                                              type: string
+                                                            values:
+                                                              description: values
+                                                                is an array of string
+                                                                values. If the operator
+                                                                is In or NotIn, the
+                                                                values array must
+                                                                be non-empty. If the
+                                                                operator is Exists
+                                                                or DoesNotExist, the
+                                                                values array must
+                                                                be empty. This array
+                                                                is replaced during
+                                                                a strategic merge
+                                                                patch.
+                                                              type: array
+                                                              items:
+                                                                type: string
+                                                      matchLabels:
+                                                        description: matchLabels is
+                                                          a map of {key,value} pairs.
+                                                          A single {key,value} in
+                                                          the matchLabels map is equivalent
+                                                          to an element of matchExpressions,
+                                                          whose key field is "key",
+                                                          the operator is "In", and
+                                                          the values array contains
+                                                          only "value". The requirements
+                                                          are ANDed.
+                                                        type: object
+                                                        additionalProperties:
+                                                          type: string
+                                                  namespaces:
+                                                    description: namespaces specifies
+                                                      which namespaces the labelSelector
+                                                      applies to (matches against);
+                                                      null or empty list means "this
+                                                      pod's namespace"
+                                                    type: array
+                                                    items:
+                                                      type: string
+                                                  topologyKey:
+                                                    description: This pod should be
+                                                      co-located (affinity) or not
+                                                      co-located (anti-affinity) with
+                                                      the pods matching the labelSelector
+                                                      in the specified namespaces,
+                                                      where co-located is defined
+                                                      as running on a node whose value
+                                                      of the label with key topologyKey
+                                                      matches that of any node on
+                                                      which any of the selected pods
+                                                      is running. Empty topologyKey
+                                                      is not allowed.
+                                                    type: string
+                                              weight:
+                                                description: weight associated with
+                                                  matching the corresponding podAffinityTerm,
+                                                  in the range 1-100.
+                                                type: integer
+                                                format: int32
+                                        requiredDuringSchedulingIgnoredDuringExecution:
+                                          description: If the affinity requirements
+                                            specified by this field are not met at
+                                            scheduling time, the pod will not be scheduled
+                                            onto the node. If the affinity requirements
+                                            specified by this field cease to be met
+                                            at some point during pod execution (e.g.
+                                            due to a pod label update), the system
+                                            may or may not try to eventually evict
+                                            the pod from its node. When there are
+                                            multiple elements, the lists of nodes
+                                            corresponding to each podAffinityTerm
+                                            are intersected, i.e. all terms must be
+                                            satisfied.
+                                          type: array
+                                          items:
+                                            description: Defines a set of pods (namely
+                                              those matching the labelSelector relative
+                                              to the given namespace(s)) that this
+                                              pod should be co-located (affinity)
+                                              or not co-located (anti-affinity) with,
+                                              where co-located is defined as running
+                                              on a node whose value of the label with
+                                              key <topologyKey> matches that of any
+                                              node on which a pod of the set of pods
+                                              is running
+                                            type: object
+                                            required:
+                                            - topologyKey
+                                            properties:
+                                              labelSelector:
+                                                description: A label query over a
+                                                  set of resources, in this case pods.
+                                                type: object
+                                                properties:
+                                                  matchExpressions:
+                                                    description: matchExpressions
+                                                      is a list of label selector
+                                                      requirements. The requirements
+                                                      are ANDed.
+                                                    type: array
+                                                    items:
+                                                      description: A label selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: key is the
+                                                            label key that the selector
+                                                            applies to.
+                                                          type: string
+                                                        operator:
+                                                          description: operator represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists and DoesNotExist.
+                                                          type: string
+                                                        values:
+                                                          description: values is an
+                                                            array of string values.
+                                                            If the operator is In
+                                                            or NotIn, the values array
+                                                            must be non-empty. If
+                                                            the operator is Exists
+                                                            or DoesNotExist, the values
+                                                            array must be empty. This
+                                                            array is replaced during
+                                                            a strategic merge patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                  matchLabels:
+                                                    description: matchLabels is a
+                                                      map of {key,value} pairs. A
+                                                      single {key,value} in the matchLabels
+                                                      map is equivalent to an element
+                                                      of matchExpressions, whose key
+                                                      field is "key", the operator
+                                                      is "In", and the values array
+                                                      contains only "value". The requirements
+                                                      are ANDed.
+                                                    type: object
+                                                    additionalProperties:
+                                                      type: string
+                                              namespaces:
+                                                description: namespaces specifies
+                                                  which namespaces the labelSelector
+                                                  applies to (matches against); null
+                                                  or empty list means "this pod's
+                                                  namespace"
+                                                type: array
+                                                items:
+                                                  type: string
+                                              topologyKey:
+                                                description: This pod should be co-located
+                                                  (affinity) or not co-located (anti-affinity)
+                                                  with the pods matching the labelSelector
+                                                  in the specified namespaces, where
+                                                  co-located is defined as running
+                                                  on a node whose value of the label
+                                                  with key topologyKey matches that
+                                                  of any node on which any of the
+                                                  selected pods is running. Empty
+                                                  topologyKey is not allowed.
+                                                type: string
+                                    podAntiAffinity:
+                                      description: Describes pod anti-affinity scheduling
+                                        rules (e.g. avoid putting this pod in the
+                                        same node, zone, etc. as some other pod(s)).
+                                      type: object
+                                      properties:
+                                        preferredDuringSchedulingIgnoredDuringExecution:
+                                          description: The scheduler will prefer to
+                                            schedule pods to nodes that satisfy the
+                                            anti-affinity expressions specified by
+                                            this field, but it may choose a node that
+                                            violates one or more of the expressions.
+                                            The node that is most preferred is the
+                                            one with the greatest sum of weights,
+                                            i.e. for each node that meets all of the
+                                            scheduling requirements (resource request,
+                                            requiredDuringScheduling anti-affinity
+                                            expressions, etc.), compute a sum by iterating
+                                            through the elements of this field and
+                                            adding "weight" to the sum if the node
+                                            has pods which matches the corresponding
+                                            podAffinityTerm; the node(s) with the
+                                            highest sum are the most preferred.
+                                          type: array
+                                          items:
+                                            description: The weights of all of the
+                                              matched WeightedPodAffinityTerm fields
+                                              are added per-node to find the most
+                                              preferred node(s)
+                                            type: object
+                                            required:
+                                            - podAffinityTerm
+                                            - weight
+                                            properties:
+                                              podAffinityTerm:
+                                                description: Required. A pod affinity
+                                                  term, associated with the corresponding
+                                                  weight.
+                                                type: object
+                                                required:
+                                                - topologyKey
+                                                properties:
+                                                  labelSelector:
+                                                    description: A label query over
+                                                      a set of resources, in this
+                                                      case pods.
+                                                    type: object
+                                                    properties:
+                                                      matchExpressions:
+                                                        description: matchExpressions
+                                                          is a list of label selector
+                                                          requirements. The requirements
+                                                          are ANDed.
+                                                        type: array
+                                                        items:
+                                                          description: A label selector
+                                                            requirement is a selector
+                                                            that contains values,
+                                                            a key, and an operator
+                                                            that relates the key and
+                                                            values.
+                                                          type: object
+                                                          required:
+                                                          - key
+                                                          - operator
+                                                          properties:
+                                                            key:
+                                                              description: key is
+                                                                the label key that
+                                                                the selector applies
+                                                                to.
+                                                              type: string
+                                                            operator:
+                                                              description: operator
+                                                                represents a key's
+                                                                relationship to a
+                                                                set of values. Valid
+                                                                operators are In,
+                                                                NotIn, Exists and
+                                                                DoesNotExist.
+                                                              type: string
+                                                            values:
+                                                              description: values
+                                                                is an array of string
+                                                                values. If the operator
+                                                                is In or NotIn, the
+                                                                values array must
+                                                                be non-empty. If the
+                                                                operator is Exists
+                                                                or DoesNotExist, the
+                                                                values array must
+                                                                be empty. This array
+                                                                is replaced during
+                                                                a strategic merge
+                                                                patch.
+                                                              type: array
+                                                              items:
+                                                                type: string
+                                                      matchLabels:
+                                                        description: matchLabels is
+                                                          a map of {key,value} pairs.
+                                                          A single {key,value} in
+                                                          the matchLabels map is equivalent
+                                                          to an element of matchExpressions,
+                                                          whose key field is "key",
+                                                          the operator is "In", and
+                                                          the values array contains
+                                                          only "value". The requirements
+                                                          are ANDed.
+                                                        type: object
+                                                        additionalProperties:
+                                                          type: string
+                                                  namespaces:
+                                                    description: namespaces specifies
+                                                      which namespaces the labelSelector
+                                                      applies to (matches against);
+                                                      null or empty list means "this
+                                                      pod's namespace"
+                                                    type: array
+                                                    items:
+                                                      type: string
+                                                  topologyKey:
+                                                    description: This pod should be
+                                                      co-located (affinity) or not
+                                                      co-located (anti-affinity) with
+                                                      the pods matching the labelSelector
+                                                      in the specified namespaces,
+                                                      where co-located is defined
+                                                      as running on a node whose value
+                                                      of the label with key topologyKey
+                                                      matches that of any node on
+                                                      which any of the selected pods
+                                                      is running. Empty topologyKey
+                                                      is not allowed.
+                                                    type: string
+                                              weight:
+                                                description: weight associated with
+                                                  matching the corresponding podAffinityTerm,
+                                                  in the range 1-100.
+                                                type: integer
+                                                format: int32
+                                        requiredDuringSchedulingIgnoredDuringExecution:
+                                          description: If the anti-affinity requirements
+                                            specified by this field are not met at
+                                            scheduling time, the pod will not be scheduled
+                                            onto the node. If the anti-affinity requirements
+                                            specified by this field cease to be met
+                                            at some point during pod execution (e.g.
+                                            due to a pod label update), the system
+                                            may or may not try to eventually evict
+                                            the pod from its node. When there are
+                                            multiple elements, the lists of nodes
+                                            corresponding to each podAffinityTerm
+                                            are intersected, i.e. all terms must be
+                                            satisfied.
+                                          type: array
+                                          items:
+                                            description: Defines a set of pods (namely
+                                              those matching the labelSelector relative
+                                              to the given namespace(s)) that this
+                                              pod should be co-located (affinity)
+                                              or not co-located (anti-affinity) with,
+                                              where co-located is defined as running
+                                              on a node whose value of the label with
+                                              key <topologyKey> matches that of any
+                                              node on which a pod of the set of pods
+                                              is running
+                                            type: object
+                                            required:
+                                            - topologyKey
+                                            properties:
+                                              labelSelector:
+                                                description: A label query over a
+                                                  set of resources, in this case pods.
+                                                type: object
+                                                properties:
+                                                  matchExpressions:
+                                                    description: matchExpressions
+                                                      is a list of label selector
+                                                      requirements. The requirements
+                                                      are ANDed.
+                                                    type: array
+                                                    items:
+                                                      description: A label selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: key is the
+                                                            label key that the selector
+                                                            applies to.
+                                                          type: string
+                                                        operator:
+                                                          description: operator represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists and DoesNotExist.
+                                                          type: string
+                                                        values:
+                                                          description: values is an
+                                                            array of string values.
+                                                            If the operator is In
+                                                            or NotIn, the values array
+                                                            must be non-empty. If
+                                                            the operator is Exists
+                                                            or DoesNotExist, the values
+                                                            array must be empty. This
+                                                            array is replaced during
+                                                            a strategic merge patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                  matchLabels:
+                                                    description: matchLabels is a
+                                                      map of {key,value} pairs. A
+                                                      single {key,value} in the matchLabels
+                                                      map is equivalent to an element
+                                                      of matchExpressions, whose key
+                                                      field is "key", the operator
+                                                      is "In", and the values array
+                                                      contains only "value". The requirements
+                                                      are ANDed.
+                                                    type: object
+                                                    additionalProperties:
+                                                      type: string
+                                              namespaces:
+                                                description: namespaces specifies
+                                                  which namespaces the labelSelector
+                                                  applies to (matches against); null
+                                                  or empty list means "this pod's
+                                                  namespace"
+                                                type: array
+                                                items:
+                                                  type: string
+                                              topologyKey:
+                                                description: This pod should be co-located
+                                                  (affinity) or not co-located (anti-affinity)
+                                                  with the pods matching the labelSelector
+                                                  in the specified namespaces, where
+                                                  co-located is defined as running
+                                                  on a node whose value of the label
+                                                  with key topologyKey matches that
+                                                  of any node on which any of the
+                                                  selected pods is running. Empty
+                                                  topologyKey is not allowed.
+                                                type: string
+                                nodeSelector:
+                                  description: 'NodeSelector is a selector which must
+                                    be true for the pod to fit on a node. Selector
+                                    which must match a node''s labels for the pod
+                                    to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                                tolerations:
+                                  description: If specified, the pod's tolerations.
+                                  type: array
+                                  items:
+                                    description: The pod this Toleration is attached
+                                      to tolerates any taint that matches the triple
+                                      <key,value,effect> using the matching operator
+                                      <operator>.
+                                    type: object
+                                    properties:
+                                      effect:
+                                        description: Effect indicates the taint effect
+                                          to match. Empty means match all taint effects.
+                                          When specified, allowed values are NoSchedule,
+                                          PreferNoSchedule and NoExecute.
+                                        type: string
+                                      key:
+                                        description: Key is the taint key that the
+                                          toleration applies to. Empty means match
+                                          all taint keys. If the key is empty, operator
+                                          must be Exists; this combination means to
+                                          match all values and all keys.
+                                        type: string
+                                      operator:
+                                        description: Operator represents a key's relationship
+                                          to the value. Valid operators are Exists
+                                          and Equal. Defaults to Equal. Exists is
+                                          equivalent to wildcard for value, so that
+                                          a pod can tolerate all taints of a particular
+                                          category.
+                                        type: string
+                                      tolerationSeconds:
+                                        description: TolerationSeconds represents
+                                          the period of time the toleration (which
+                                          must be of effect NoExecute, otherwise this
+                                          field is ignored) tolerates the taint. By
+                                          default, it is not set, which means tolerate
+                                          the taint forever (do not evict). Zero and
+                                          negative values will be treated as 0 (evict
+                                          immediately) by the system.
+                                        type: integer
+                                        format: int64
+                                      value:
+                                        description: Value is the taint value the
+                                          toleration matches to. If the operator is
+                                          Exists, the value should be empty, otherwise
+                                          just a regular string.
+                                        type: string
+                        serviceType:
+                          description: Optional service type for Kubernetes solver
+                            service
+                          type: string
+                selector:
+                  description: Selector selects a set of DNSNames on the Certificate
+                    resource that should be solved using this challenge solver.
+                  type: object
+                  properties:
+                    dnsNames:
+                      description: List of DNSNames that this solver will be used
+                        to solve. If specified and a match is found, a dnsNames selector
+                        will take precedence over a dnsZones selector. If multiple
+                        solvers match with the same dnsNames value, the solver with
+                        the most matching labels in matchLabels will be selected.
+                        If neither has more matches, the solver defined earlier in
+                        the list will be selected.
+                      type: array
+                      items:
+                        type: string
+                    dnsZones:
+                      description: List of DNSZones that this solver will be used
+                        to solve. The most specific DNS zone match specified here
+                        will take precedence over other DNS zone matches, so a solver
+                        specifying sys.example.com will be selected over one specifying
+                        example.com for the domain www.sys.example.com. If multiple
+                        solvers match with the same dnsZones value, the solver with
+                        the most matching labels in matchLabels will be selected.
+                        If neither has more matches, the solver defined earlier in
+                        the list will be selected.
+                      type: array
+                      items:
+                        type: string
+                    matchLabels:
+                      description: A label selector that is used to refine the set
+                        of certificate's that this challenge solver will apply to.
+                      type: object
+                      additionalProperties:
+                        type: string
+            token:
+              description: Token is the ACME challenge token for this challenge. This
+                is the raw value returned from the ACME server.
+              type: string
+            type:
+              description: Type is the type of ACME challenge this resource represents,
+                e.g. "dns01" or "http01".
+              type: string
+            url:
+              description: URL is the URL of the ACME Challenge resource for this
+                challenge. This can be used to lookup details about the status of
+                this challenge.
+              type: string
+            wildcard:
+              description: Wildcard will be true if this challenge is for a wildcard
+                identifier, for example '*.example.com'.
+              type: boolean
+        status:
+          type: object
+          properties:
+            presented:
+              description: Presented will be set to true if the challenge values for
+                this challenge are currently 'presented'. This *does not* imply the
+                self check is passing. Only that the values have been 'submitted'
+                for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+                has been presented, or the HTTP01 configuration has been configured).
+              type: boolean
+            processing:
+              description: Processing is used to denote whether this challenge should
+                be processed or not. This field will only be set to true by the 'scheduling'
+                component. It will only be set to false by the 'challenges' controller,
+                after the challenge has reached a final state or timed out. If this
+                field is set to false, the challenge controller will not take any
+                more action.
+              type: boolean
+            reason:
+              description: Reason contains human readable information on why the Challenge
+                is in the current state.
+              type: string
+            state:
+              description: State contains the current 'state' of the challenge. If
+                not set, the state of the challenge is unknown.
+              type: string
+              enum:
+              - valid
+              - ready
+              - pending
+              - processing
+              - invalid
+              - expired
+              - errored
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
index ca1fabaf6..20e3b51bc 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
@@ -1,1774 +1,1820 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: clusterissuers.certmanager.k8s.io
+  name: clusterissuers.cert-manager.io
   annotations:
-    "helm.sh/hook": crd-install
-    "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
-  group: certmanager.k8s.io
-  scope: Cluster
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
   names:
     kind: ClusterIssuer
+    listKind: ClusterIssuerList
     plural: clusterissuers
+    singular: clusterissuer
+  scope: Cluster
+  subresources:
+    status: {}
   versions:
-  - name: v1alpha1
+  - name: v1alpha2
     served: true
     storage: true
-    schema:
-      openAPIV3Schema:
-        type: object
-        properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation
-                of an object. Servers should convert recognized schemas to the latest
-                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this
-                object represents. Servers may infer this from the endpoint the client
-                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: IssuerSpec is the specification of an Issuer. This includes
-                any configuration required for the issuer.
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      type: object
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: IssuerSpec is the specification of an Issuer. This includes
+            any configuration required for the issuer.
+          type: object
+          properties:
+            acme:
+              description: ACMEIssuer contains the specification for an ACME issuer
               type: object
+              required:
+              - privateKeySecretRef
+              - server
               properties:
-                acme:
-                  description: ACMEIssuer contains the specification for an ACME issuer
+                email:
+                  description: Email is the email for this account
+                  type: string
+                externalAccountBinding:
+                  description: ExternalAccountBinding is a reference to a CA external
+                    account of the ACME server.
                   type: object
                   required:
-                  - privateKeySecretRef
-                  - server
+                  - keyAlgorithm
+                  - keyID
+                  - keySecretRef
                   properties:
-                    email:
-                      description: Email is the email for this account
+                    keyAlgorithm:
+                      description: keyAlgorithm is the MAC key algorithm that the
+                        key is used for. Valid values are "HS256", "HS384" and "HS512".
                       type: string
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external
-                        account of the ACME server.
-                      type: object
-                      required:
-                      - keyAlgorithm
-                      - keyID
-                      - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: keyAlgorithm is the MAC key algorithm that the
-                            key is used for. Valid values are "HS256", "HS384" and "HS512".
-                          type: string
-                          enum:
-                          - HS256
-                          - HS384
-                          - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External
-                            Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing
-                            a data item in a Kubernetes Secret which holds the symmetric
-                            MAC key of the External Account Binding. The `key` is the
-                            index string that is paired with the key data in the Secret
-                            and should not be confused with the key data itself, or indeed
-                            with the External Account Binding keyID above. The secret
-                            key stored in the Secret **must** be un-padded, base64 URL
-                            encoded data.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            key:
-                              description: The key of the secret to select from. Must
-                                be a valid secret key.
-                              type: string
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a secret containing the private
-                        key for this user account.
+                      enum:
+                      - HS256
+                      - HS384
+                      - HS512
+                    keyID:
+                      description: keyID is the ID of the CA key that the External
+                        Account is bound to.
+                      type: string
+                    keySecretRef:
+                      description: keySecretRef is a Secret Key Selector referencing
+                        a data item in a Kubernetes Secret which holds the symmetric
+                        MAC key of the External Account Binding. The `key` is the
+                        index string that is paired with the key data in the Secret
+                        and should not be confused with the key data itself, or indeed
+                        with the External Account Binding keyID above. The secret
+                        key stored in the Secret **must** be un-padded, base64 URL
+                        encoded data.
                       type: object
                       required:
                       - name
                       properties:
                         key:
-                          description: The key of the secret to select from. Must be a
-                            valid secret key.
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
                           type: string
                         name:
                           description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                             TODO: Add other useful fields. apiVersion, kind, uid?'
                           type: string
-                    server:
-                      description: Server is the ACME server URL
-                      type: string
-                    skipTLSVerify:
-                      description: If true, skip verifying the ACME server TLS certificate
-                      type: boolean
-                    solvers:
-                      description: Solvers is a list of challenge solvers that will be
-                        used to solve ACME challenges for the matching domains.
-                      type: array
-                      items:
-                        type: object
-                        properties:
-                          dns01:
-                            type: object
-                            properties:
-                              acmedns:
-                                description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
-                                  containing the configuration for ACME-DNS servers
-                                type: object
-                                required:
-                                - accountSecretRef
-                                - host
-                                properties:
-                                  accountSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: ACMEIssuerDNS01ProviderAkamai is a structure
-                                  containing the DNS configuration for Akamai DNS—Zone
-                                  Record Management API
-                                type: object
-                                required:
-                                - accessTokenSecretRef
-                                - clientSecretSecretRef
-                                - clientTokenSecretRef
-                                - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azuredns:
-                                description: ACMEIssuerDNS01ProviderAzureDNS is a structure
-                                  containing the configuration for Azure DNS
-                                type: object
-                                required:
-                                - resourceGroupName
-                                - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left
-                                      unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset
-                                      MSI will be used
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                    - AzurePublicCloud
-                                    - AzureChinaCloud
-                                    - AzureGermanCloud
-                                    - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret
-                                      then this field is also needed
-                                    type: string
-                              clouddns:
-                                description: ACMEIssuerDNS01ProviderCloudDNS is a structure
-                                  containing the DNS configuration for Google Cloud DNS
-                                type: object
-                                required:
-                                - project
-                                properties:
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              cloudflare:
-                                description: ACMEIssuerDNS01ProviderCloudflare is a structure
-                                  containing the DNS configuration for Cloudflare
-                                type: object
-                                required:
-                                - email
-                                properties:
-                                  apiKeySecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  email:
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider
-                                  should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                - None
-                                - Follow
-                              digitalocean:
-                                description: ACMEIssuerDNS01ProviderDigitalOcean is a
-                                  structure containing the DNS configuration for DigitalOcean
-                                  Domains
-                                type: object
-                                required:
-                                - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              rfc2136:
-                                description: ACMEIssuerDNS01ProviderRFC2136 is a structure
-                                  containing the configuration for RFC2136 DNS
-                                type: object
-                                required:
-                                - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative
-                                      DNS server supporting RFC2136 in the form host:port.
-                                      If the host is an IPv6 address it must be enclosed
-                                      in square brackets (e.g [2001:db8::1]) ; port is
-                                      optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the
-                                      DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
-                                      and ``tsigKeyName`` are defined. Supported values
-                                      are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
-                                      ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS.
-                                      If ``tsigSecretSecretRef`` is defined, this field
-                                      is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the
-                                      TSIG value. If ``tsigKeyName`` is defined, this
-                                      field is required.
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              route53:
-                                description: ACMEIssuerDNS01ProviderRoute53 is a structure
-                                  containing the Route 53 configuration for AWS
-                                type: object
-                                required:
-                                - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication.
-                                      If not set we fall-back to using env vars, shared
-                                      credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only
-                                      this zone in Route53 and will not do an lookup using
-                                      the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID
-                                      and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53
-                                      provider will assume using either the explicit credentials
-                                      AccessKeyID/SecretAccessKey or the inferred credentials
-                                      from environment variables, shared credentials file
-                                      or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication.
-                                      If not set we fall-back to using env vars, shared
-                                      credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              webhook:
-                                description: ACMEIssuerDNS01ProviderWebhook specifies
-                                  configuration for a webhook DNS01 provider, including
-                                  where to POST ChallengePayload resources.
-                                type: object
-                                required:
-                                - groupName
-                                - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should
-                                      be passed to the webhook apiserver when challenges
-                                      are processed. This can contain arbitrary JSON data.
-                                      Secret values should not be specified in this stanza.
-                                      If secret values are needed (e.g. credentials for
-                                      a DNS service), you should use a SecretKeySelector
-                                      to reference a Secret resource. For details on the
-                                      schema of this field, consult the webhook provider
-                                      implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used
-                                      when POSTing ChallengePayload resources to the webhook
-                                      apiserver. This should be the same as the GroupName
-                                      specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined
-                                      in the webhook provider implementation. This will
-                                      typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: ACMEChallengeSolverHTTP01 contains configuration
-                              detailing how to solve HTTP01 challenges within a Kubernetes
-                              cluster. Typically this is accomplished through creating
-                              'routes' of some description that configure ingress controllers
-                              to direct traffic to 'solver pods', which are responsible
-                              for responding to the ACME server's HTTP requests.
-                            type: object
-                            properties:
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver
-                                  will solve challenges by creating or modifying Ingress
-                                  resources in order to route requests for '/.well-known/acme-challenge/XYZ'
-                                  to 'challenge solver' pods that are provisioned by cert-manager
-                                  for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating
-                                      Ingress resources to solve ACME challenges that
-                                      use this challenge solver. Only one of 'class' or
-                                      'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure
-                                      the ACME challenge solver ingress used for HTTP01
-                                      challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress
-                                          used to solve HTTP01 challenges. Only the 'labels'
-                                          and 'annotations' fields may be set. If labels
-                                          or annotations overlap with in-built values,
-                                          the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added
-                                              to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to
-                                              the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that
-                                      should have ACME challenge solving routes inserted
-                                      into it in order to solve HTTP01 challenges. This
-                                      is typically used in conjunction with ingress controllers
-                                      like ingress-gce, which maintains a 1:1 mapping
-                                      between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure
-                                      the ACME challenge solver pods used for HTTP01 challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod
-                                          used to solve HTTP01 challenges. Only the 'labels'
-                                          and 'annotations' fields may be set. If labels
-                                          or annotations overlap with in-built values,
-                                          the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added
-                                              to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to
-                                              the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the
-                                          HTTP01 challenge solver pod. Only the 'nodeSelector',
-                                          'affinity' and 'tolerations' fields are supported
-                                          currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling
-                                              constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling
-                                                  rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      affinity expressions, etc.), compute
-                                                      a sum by iterating through the elements
-                                                      of this field and adding "weight"
-                                                      to the sum if the node matches the
-                                                      corresponding matchExpressions;
-                                                      the node(s) with the highest sum
-                                                      are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred
-                                                        scheduling term matches all objects
-                                                        with implicit weight 0 (i.e. it's
-                                                        a no-op). A null preferred scheduling
-                                                        term matches no objects (i.e.
-                                                        is also a no-op).
-                                                      type: object
-                                                      required:
-                                                      - preference
-                                                      - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector
-                                                            term, associated with the
-                                                            corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated
-                                                            with matching the corresponding
-                                                            nodeSelectorTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements
-                                                      specified by this field are not
-                                                      met at scheduling time, the pod
-                                                      will not be scheduled onto the node.
-                                                      If the affinity requirements specified
-                                                      by this field cease to be met at
-                                                      some point during pod execution
-                                                      (e.g. due to an update), the system
-                                                      may or may not try to eventually
-                                                      evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                    - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list
-                                                          of node selector terms. The
-                                                          terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty
-                                                            node selector term matches
-                                                            no objects. The requirements
-                                                            of them are ANDed. The TopologySelectorTerm
-                                                            type implements a subset of
-                                                            the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling
-                                                  rules (e.g. co-locate this pod in the
-                                                  same node, zone, etc. as some other
-                                                  pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      affinity expressions, etc.), compute
-                                                      a sum by iterating through the elements
-                                                      of this field and adding "weight"
-                                                      to the sum if the node has pods
-                                                      which matches the corresponding
-                                                      podAffinityTerm; the node(s) with
-                                                      the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all
-                                                        of the matched WeightedPodAffinityTerm
-                                                        fields are added per-node to find
-                                                        the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                      - podAffinityTerm
-                                                      - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod
-                                                            affinity term, associated
-                                                            with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                          - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query
-                                                                over a set of resources,
-                                                                in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions
-                                                                    is a list of label
-                                                                    selector requirements.
-                                                                    The requirements are
-                                                                    ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label
-                                                                      selector requirement
-                                                                      is a selector that
-                                                                      contains values,
-                                                                      a key, and an operator
-                                                                      that relates the
-                                                                      key and values.
-                                                                    type: object
-                                                                    required:
-                                                                    - key
-                                                                    - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key
-                                                                          is the label
-                                                                          key that the
-                                                                          selector applies
-                                                                          to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator
-                                                                          represents a
-                                                                          key's relationship
-                                                                          to a set of
-                                                                          values. Valid
-                                                                          operators are
-                                                                          In, NotIn, Exists
-                                                                          and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values
-                                                                          is an array
-                                                                          of string values.
-                                                                          If the operator
-                                                                          is In or NotIn,
-                                                                          the values array
-                                                                          must be non-empty.
-                                                                          If the operator
-                                                                          is Exists or
-                                                                          DoesNotExist,
-                                                                          the values array
-                                                                          must be empty.
-                                                                          This array is
-                                                                          replaced during
-                                                                          a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels
-                                                                    is a map of {key,value}
-                                                                    pairs. A single {key,value}
-                                                                    in the matchLabels
-                                                                    map is equivalent
-                                                                    to an element of matchExpressions,
-                                                                    whose key field is
-                                                                    "key", the operator
-                                                                    is "In", and the values
-                                                                    array contains only
-                                                                    "value". The requirements
-                                                                    are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces
-                                                                specifies which namespaces
-                                                                the labelSelector applies
-                                                                to (matches against);
-                                                                null or empty list means
-                                                                "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should
-                                                                be co-located (affinity)
-                                                                or not co-located (anti-affinity)
-                                                                with the pods matching
-                                                                the labelSelector in the
-                                                                specified namespaces,
-                                                                where co-located is defined
-                                                                as running on a node whose
-                                                                value of the label with
-                                                                key topologyKey matches
-                                                                that of any node on which
-                                                                any of the selected pods
-                                                                is running. Empty topologyKey
-                                                                is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated
-                                                            with matching the corresponding
-                                                            podAffinityTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements
-                                                      specified by this field are not
-                                                      met at scheduling time, the pod
-                                                      will not be scheduled onto the node.
-                                                      If the affinity requirements specified
-                                                      by this field cease to be met at
-                                                      some point during pod execution
-                                                      (e.g. due to a pod label update),
-                                                      the system may or may not try to
-                                                      eventually evict the pod from its
-                                                      node. When there are multiple elements,
-                                                      the lists of nodes corresponding
-                                                      to each podAffinityTerm are intersected,
-                                                      i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods
-                                                        (namely those matching the labelSelector
-                                                        relative to the given namespace(s))
-                                                        that this pod should be co-located
-                                                        (affinity) or not co-located (anti-affinity)
-                                                        with, where co-located is defined
-                                                        as running on a node whose value
-                                                        of the label with key <topologyKey>
-                                                        matches that of any node on which
-                                                        a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                      - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over
-                                                            a set of resources, in this
-                                                            case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions
-                                                                is a list of label selector
-                                                                requirements. The requirements
-                                                                are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is
-                                                                      the label key that
-                                                                      the selector applies
-                                                                      to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator
-                                                                      represents a key's
-                                                                      relationship to
-                                                                      a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists
-                                                                      and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values
-                                                                      is an array of string
-                                                                      values. If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels
-                                                                is a map of {key,value}
-                                                                pairs. A single {key,value}
-                                                                in the matchLabels map
-                                                                is equivalent to an element
-                                                                of matchExpressions, whose
-                                                                key field is "key", the
-                                                                operator is "In", and
-                                                                the values array contains
-                                                                only "value". The requirements
-                                                                are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies
-                                                            which namespaces the labelSelector
-                                                            applies to (matches against);
-                                                            null or empty list means "this
-                                                            pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should
-                                                            be co-located (affinity) or
-                                                            not co-located (anti-affinity)
-                                                            with the pods matching the
-                                                            labelSelector in the specified
-                                                            namespaces, where co-located
-                                                            is defined as running on a
-                                                            node whose value of the label
-                                                            with key topologyKey matches
-                                                            that of any node on which
-                                                            any of the selected pods is
-                                                            running. Empty topologyKey
-                                                            is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity
-                                                  scheduling rules (e.g. avoid putting
-                                                  this pod in the same node, zone, etc.
-                                                  as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the anti-affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      anti-affinity expressions, etc.),
-                                                      compute a sum by iterating through
-                                                      the elements of this field and adding
-                                                      "weight" to the sum if the node
-                                                      has pods which matches the corresponding
-                                                      podAffinityTerm; the node(s) with
-                                                      the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all
-                                                        of the matched WeightedPodAffinityTerm
-                                                        fields are added per-node to find
-                                                        the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                      - podAffinityTerm
-                                                      - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod
-                                                            affinity term, associated
-                                                            with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                          - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query
-                                                                over a set of resources,
-                                                                in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions
-                                                                    is a list of label
-                                                                    selector requirements.
-                                                                    The requirements are
-                                                                    ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label
-                                                                      selector requirement
-                                                                      is a selector that
-                                                                      contains values,
-                                                                      a key, and an operator
-                                                                      that relates the
-                                                                      key and values.
-                                                                    type: object
-                                                                    required:
-                                                                    - key
-                                                                    - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key
-                                                                          is the label
-                                                                          key that the
-                                                                          selector applies
-                                                                          to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator
-                                                                          represents a
-                                                                          key's relationship
-                                                                          to a set of
-                                                                          values. Valid
-                                                                          operators are
-                                                                          In, NotIn, Exists
-                                                                          and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values
-                                                                          is an array
-                                                                          of string values.
-                                                                          If the operator
-                                                                          is In or NotIn,
-                                                                          the values array
-                                                                          must be non-empty.
-                                                                          If the operator
-                                                                          is Exists or
-                                                                          DoesNotExist,
-                                                                          the values array
-                                                                          must be empty.
-                                                                          This array is
-                                                                          replaced during
-                                                                          a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels
-                                                                    is a map of {key,value}
-                                                                    pairs. A single {key,value}
-                                                                    in the matchLabels
-                                                                    map is equivalent
-                                                                    to an element of matchExpressions,
-                                                                    whose key field is
-                                                                    "key", the operator
-                                                                    is "In", and the values
-                                                                    array contains only
-                                                                    "value". The requirements
-                                                                    are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces
-                                                                specifies which namespaces
-                                                                the labelSelector applies
-                                                                to (matches against);
-                                                                null or empty list means
-                                                                "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should
-                                                                be co-located (affinity)
-                                                                or not co-located (anti-affinity)
-                                                                with the pods matching
-                                                                the labelSelector in the
-                                                                specified namespaces,
-                                                                where co-located is defined
-                                                                as running on a node whose
-                                                                value of the label with
-                                                                key topologyKey matches
-                                                                that of any node on which
-                                                                any of the selected pods
-                                                                is running. Empty topologyKey
-                                                                is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated
-                                                            with matching the corresponding
-                                                            podAffinityTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity
-                                                      requirements specified by this field
-                                                      are not met at scheduling time,
-                                                      the pod will not be scheduled onto
-                                                      the node. If the anti-affinity requirements
-                                                      specified by this field cease to
-                                                      be met at some point during pod
-                                                      execution (e.g. due to a pod label
-                                                      update), the system may or may not
-                                                      try to eventually evict the pod
-                                                      from its node. When there are multiple
-                                                      elements, the lists of nodes corresponding
-                                                      to each podAffinityTerm are intersected,
-                                                      i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods
-                                                        (namely those matching the labelSelector
-                                                        relative to the given namespace(s))
-                                                        that this pod should be co-located
-                                                        (affinity) or not co-located (anti-affinity)
-                                                        with, where co-located is defined
-                                                        as running on a node whose value
-                                                        of the label with key <topologyKey>
-                                                        matches that of any node on which
-                                                        a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                      - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over
-                                                            a set of resources, in this
-                                                            case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions
-                                                                is a list of label selector
-                                                                requirements. The requirements
-                                                                are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is
-                                                                      the label key that
-                                                                      the selector applies
-                                                                      to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator
-                                                                      represents a key's
-                                                                      relationship to
-                                                                      a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists
-                                                                      and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values
-                                                                      is an array of string
-                                                                      values. If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels
-                                                                is a map of {key,value}
-                                                                pairs. A single {key,value}
-                                                                in the matchLabels map
-                                                                is equivalent to an element
-                                                                of matchExpressions, whose
-                                                                key field is "key", the
-                                                                operator is "In", and
-                                                                the values array contains
-                                                                only "value". The requirements
-                                                                are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies
-                                                            which namespaces the labelSelector
-                                                            applies to (matches against);
-                                                            null or empty list means "this
-                                                            pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should
-                                                            be co-located (affinity) or
-                                                            not co-located (anti-affinity)
-                                                            with the pods matching the
-                                                            labelSelector in the specified
-                                                            namespaces, where co-located
-                                                            is defined as running on a
-                                                            node whose value of the label
-                                                            with key topologyKey matches
-                                                            that of any node on which
-                                                            any of the selected pods is
-                                                            running. Empty topologyKey
-                                                            is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which
-                                              must be true for the pod to fit on a node.
-                                              Selector which must match a node''s labels
-                                              for the pod to be scheduled on that node.
-                                              More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is
-                                                attached to tolerates any taint that matches
-                                                the triple <key,value,effect> using the
-                                                matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint
-                                                    effect to match. Empty means match
-                                                    all taint effects. When specified,
-                                                    allowed values are NoSchedule, PreferNoSchedule
-                                                    and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that
-                                                    the toleration applies to. Empty means
-                                                    match all taint keys. If the key is
-                                                    empty, operator must be Exists; this
-                                                    combination means to match all values
-                                                    and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's
-                                                    relationship to the value. Valid operators
-                                                    are Exists and Equal. Defaults to
-                                                    Equal. Exists is equivalent to wildcard
-                                                    for value, so that a pod can tolerate
-                                                    all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents
-                                                    the period of time the toleration
-                                                    (which must be of effect NoExecute,
-                                                    otherwise this field is ignored) tolerates
-                                                    the taint. By default, it is not set,
-                                                    which means tolerate the taint forever
-                                                    (do not evict). Zero and negative
-                                                    values will be treated as 0 (evict
-                                                    immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value
-                                                    the toleration matches to. If the
-                                                    operator is Exists, the value should
-                                                    be empty, otherwise just a regular
-                                                    string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes
-                                      solver service
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate
-                              resource that should be solved using this challenge solver.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be
-                                  used to solve. If specified and a match is found, a
-                                  dnsNames selector will take precedence over a dnsZones
-                                  selector. If multiple solvers match with the same dnsNames
-                                  value, the solver with the most matching labels in matchLabels
-                                  will be selected. If neither has more matches, the solver
-                                  defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be
-                                  used to solve. The most specific DNS zone match specified
-                                  here will take precedence over other DNS zone matches,
-                                  so a solver specifying sys.example.com will be selected
-                                  over one specifying example.com for the domain www.sys.example.com.
-                                  If multiple solvers match with the same dnsZones value,
-                                  the solver with the most matching labels in matchLabels
-                                  will be selected. If neither has more matches, the solver
-                                  defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the
-                                  set of certificate's that this challenge solver will
-                                  apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
+                privateKeySecretRef:
+                  description: PrivateKey is the name of a secret containing the private
+                    key for this user account.
                   type: object
                   required:
-                  - secretName
+                  - name
                   properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate
-                        extension which identifies the location of the CRL from which
-                        the revocation of this certificate can be checked. If not set
-                        certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates
-                        issued by this Issuer.
+                    key:
+                      description: The key of the secret to select from. Must be a
+                        valid secret key.
                       type: string
-                selfSigned:
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate
-                        extension which identifies the location of the CRL from which
-                        the revocation of this certificate can be checked. If not set
-                        certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  type: object
-                  required:
-                  - auth
-                  - path
-                  - server
-                  properties:
-                    auth:
-                      description: Vault authentication
-                      type: object
-                      properties:
-                        appRole:
-                          description: This Secret contains a AppRole and Secret
-                          type: object
-                          required:
-                          - path
-                          - roleId
-                          - secretRef
-                          properties:
-                            path:
-                              description: Where the authentication path is mounted in
-                                Vault.
-                              type: string
-                            roleId:
-                              type: string
-                            secretRef:
-                              type: object
-                              required:
-                              - name
-                              properties:
-                                key:
-                                  description: The key of the secret to select from. Must
-                                    be a valid secret key.
-                                  type: string
-                                name:
-                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?'
-                                  type: string
-                        kubernetes:
-                          description: This contains a Role and Secret with a ServiceAccount
-                            token to authenticate with vault.
-                          type: object
-                          required:
-                          - role
-                          - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path
-                                to use when authenticating with Vault. For example, setting
-                                a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
-                                to authenticate with Vault. If unspecified, the default
-                                value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role
-                                to assume. A Role binds a Kubernetes ServiceAccount with
-                                a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes
-                                ServiceAccount JWT used for authenticating with Vault.
-                                Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                              - name
-                              properties:
-                                key:
-                                  description: The key of the secret to select from. Must
-                                    be a valid secret key.
-                                  type: string
-                                name:
-                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?'
-                                  type: string
-                        tokenSecretRef:
-                          description: This Secret contains the Vault token key
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            key:
-                              description: The key of the secret to select from. Must
-                                be a valid secret key.
-                              type: string
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                    caBundle:
-                      description: Base64 encoded CA bundle to validate Vault server certificate.
-                        Only used if the Server URL is using HTTPS protocol. This parameter
-                        is ignored for plain HTTP protocol connection. If not set the
-                        system root certificates are used to validate the TLS connection.
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
                       type: string
-                      format: byte
-                    path:
-                      description: Vault URL path to the certificate role
-                      type: string
-                    server:
-                      description: Server is the vault connection address
-                      type: string
-                venafi:
-                  description: VenafiIssuer describes issuer configuration details for
-                    Venafi Cloud.
-                  type: object
-                  required:
-                  - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings.
-                        Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                      - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for
-                            the Venafi Cloud API token.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            key:
-                              description: The key of the secret to select from. Must
-                                be a valid secret key.
-                              type: string
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration
-                        settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                      - credentialsRef
-                      - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use
-                            to verify connections to the TPP instance. If specified, system
-                            roots will not be used and the issuing CA for the TPP instance
-                            must be verifiable using the provided root. If not specified,
-                            the connection will be verified using the cert-manager system
-                            root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing
-                            the username and password for the TPP server. The secret must
-                            contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                        url:
-                          description: URL is the base URL for the Venafi TPP instance
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer.
-                        All requests made to the Venafi platform will be restricted by
-                        the named zone policy. This field is required.
-                      type: string
-            status:
-              description: IssuerStatus contains status information about an Issuer
-              type: object
-              properties:
-                acme:
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the
-                        latest registered ACME account, in order to track changes made
-                        to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also
-                        be used to retrieve account details from the CA
-                      type: string
-                conditions:
+                server:
+                  description: Server is the ACME server URL
+                  type: string
+                skipTLSVerify:
+                  description: If true, skip verifying the ACME server TLS certificate
+                  type: boolean
+                solvers:
+                  description: Solvers is a list of challenge solvers that will be
+                    used to solve ACME challenges for the matching domains.
                   type: array
                   items:
-                    description: IssuerCondition contains condition information for an
-                      Issuer.
                     type: object
-                    required:
-                    - status
-                    - type
                     properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding
-                          to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details
-                          of the last transition, complementing reason.
-                        type: string
-                      reason:
-                        description: Reason is a brief machine readable explanation for
-                          the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of ('True', 'False',
-                          'Unknown').
-                        type: string
-                        enum:
-                        - "True"
-                        - "False"
-                        - Unknown
-                      type:
-                        description: Type of the condition, currently ('Ready').
-                        type: string
\ No newline at end of file
+                      dns01:
+                        type: object
+                        properties:
+                          acmedns:
+                            description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
+                              containing the configuration for ACME-DNS servers
+                            type: object
+                            required:
+                            - accountSecretRef
+                            - host
+                            properties:
+                              accountSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              host:
+                                type: string
+                          akamai:
+                            description: ACMEIssuerDNS01ProviderAkamai is a structure
+                              containing the DNS configuration for Akamai DNS—Zone
+                              Record Management API
+                            type: object
+                            required:
+                            - accessTokenSecretRef
+                            - clientSecretSecretRef
+                            - clientTokenSecretRef
+                            - serviceConsumerDomain
+                            properties:
+                              accessTokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              clientSecretSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              clientTokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              serviceConsumerDomain:
+                                type: string
+                          azuredns:
+                            description: ACMEIssuerDNS01ProviderAzureDNS is a structure
+                              containing the configuration for Azure DNS
+                            type: object
+                            required:
+                            - resourceGroupName
+                            - subscriptionID
+                            properties:
+                              clientID:
+                                description: if both this and ClientSecret are left
+                                  unset MSI will be used
+                                type: string
+                              clientSecretSecretRef:
+                                description: if both this and ClientID are left unset
+                                  MSI will be used
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              environment:
+                                type: string
+                                enum:
+                                - AzurePublicCloud
+                                - AzureChinaCloud
+                                - AzureGermanCloud
+                                - AzureUSGovernmentCloud
+                              hostedZoneName:
+                                type: string
+                              resourceGroupName:
+                                type: string
+                              subscriptionID:
+                                type: string
+                              tenantID:
+                                description: when specifying ClientID and ClientSecret
+                                  then this field is also needed
+                                type: string
+                          clouddns:
+                            description: ACMEIssuerDNS01ProviderCloudDNS is a structure
+                              containing the DNS configuration for Google Cloud DNS
+                            type: object
+                            required:
+                            - project
+                            properties:
+                              project:
+                                type: string
+                              serviceAccountSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          cloudflare:
+                            description: ACMEIssuerDNS01ProviderCloudflare is a structure
+                              containing the DNS configuration for Cloudflare
+                            type: object
+                            required:
+                            - email
+                            properties:
+                              apiKeySecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              apiTokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              email:
+                                type: string
+                          cnameStrategy:
+                            description: CNAMEStrategy configures how the DNS01 provider
+                              should handle CNAME records when found in DNS zones.
+                            type: string
+                            enum:
+                            - None
+                            - Follow
+                          digitalocean:
+                            description: ACMEIssuerDNS01ProviderDigitalOcean is a
+                              structure containing the DNS configuration for DigitalOcean
+                              Domains
+                            type: object
+                            required:
+                            - tokenSecretRef
+                            properties:
+                              tokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          rfc2136:
+                            description: ACMEIssuerDNS01ProviderRFC2136 is a structure
+                              containing the configuration for RFC2136 DNS
+                            type: object
+                            required:
+                            - nameserver
+                            properties:
+                              nameserver:
+                                description: The IP address or hostname of an authoritative
+                                  DNS server supporting RFC2136 in the form host:port.
+                                  If the host is an IPv6 address it must be enclosed
+                                  in square brackets (e.g [2001:db8::1]) ; port is
+                                  optional. This field is required.
+                                type: string
+                              tsigAlgorithm:
+                                description: 'The TSIG Algorithm configured in the
+                                  DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                  and ``tsigKeyName`` are defined. Supported values
+                                  are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
+                                  ``HMACSHA256`` or ``HMACSHA512``.'
+                                type: string
+                              tsigKeyName:
+                                description: The TSIG Key name configured in the DNS.
+                                  If ``tsigSecretSecretRef`` is defined, this field
+                                  is required.
+                                type: string
+                              tsigSecretSecretRef:
+                                description: The name of the secret containing the
+                                  TSIG value. If ``tsigKeyName`` is defined, this
+                                  field is required.
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          route53:
+                            description: ACMEIssuerDNS01ProviderRoute53 is a structure
+                              containing the Route 53 configuration for AWS
+                            type: object
+                            required:
+                            - region
+                            properties:
+                              accessKeyID:
+                                description: 'The AccessKeyID is used for authentication.
+                                  If not set we fall-back to using env vars, shared
+                                  credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                type: string
+                              hostedZoneID:
+                                description: If set, the provider will manage only
+                                  this zone in Route53 and will not do an lookup using
+                                  the route53:ListHostedZonesByName api call.
+                                type: string
+                              region:
+                                description: Always set the region when using AccessKeyID
+                                  and SecretAccessKey
+                                type: string
+                              role:
+                                description: Role is a Role ARN which the Route53
+                                  provider will assume using either the explicit credentials
+                                  AccessKeyID/SecretAccessKey or the inferred credentials
+                                  from environment variables, shared credentials file
+                                  or AWS Instance metadata
+                                type: string
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication.
+                                  If not set we fall-back to using env vars, shared
+                                  credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          webhook:
+                            description: ACMEIssuerDNS01ProviderWebhook specifies
+                              configuration for a webhook DNS01 provider, including
+                              where to POST ChallengePayload resources.
+                            type: object
+                            required:
+                            - groupName
+                            - solverName
+                            properties:
+                              config:
+                                description: Additional configuration that should
+                                  be passed to the webhook apiserver when challenges
+                                  are processed. This can contain arbitrary JSON data.
+                                  Secret values should not be specified in this stanza.
+                                  If secret values are needed (e.g. credentials for
+                                  a DNS service), you should use a SecretKeySelector
+                                  to reference a Secret resource. For details on the
+                                  schema of this field, consult the webhook provider
+                                  implementation's documentation.
+                                x-kubernetes-preserve-unknown-fields: true
+                              groupName:
+                                description: The API group name that should be used
+                                  when POSTing ChallengePayload resources to the webhook
+                                  apiserver. This should be the same as the GroupName
+                                  specified in the webhook provider implementation.
+                                type: string
+                              solverName:
+                                description: The name of the solver to use, as defined
+                                  in the webhook provider implementation. This will
+                                  typically be the name of the provider, e.g. 'cloudflare'.
+                                type: string
+                      http01:
+                        description: ACMEChallengeSolverHTTP01 contains configuration
+                          detailing how to solve HTTP01 challenges within a Kubernetes
+                          cluster. Typically this is accomplished through creating
+                          'routes' of some description that configure ingress controllers
+                          to direct traffic to 'solver pods', which are responsible
+                          for responding to the ACME server's HTTP requests.
+                        type: object
+                        properties:
+                          ingress:
+                            description: The ingress based HTTP01 challenge solver
+                              will solve challenges by creating or modifying Ingress
+                              resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                              to 'challenge solver' pods that are provisioned by cert-manager
+                              for each Challenge to be completed.
+                            type: object
+                            properties:
+                              class:
+                                description: The ingress class to use when creating
+                                  Ingress resources to solve ACME challenges that
+                                  use this challenge solver. Only one of 'class' or
+                                  'name' may be specified.
+                                type: string
+                              ingressTemplate:
+                                description: Optional ingress template used to configure
+                                  the ACME challenge solver ingress used for HTTP01
+                                  challenges
+                                type: object
+                                properties:
+                                  metadata:
+                                    description: ObjectMeta overrides for the ingress
+                                      used to solve HTTP01 challenges. Only the 'labels'
+                                      and 'annotations' fields may be set. If labels
+                                      or annotations overlap with in-built values,
+                                      the values here will override the in-built values.
+                                    type: object
+                                    properties:
+                                      annotations:
+                                        description: Annotations that should be added
+                                          to the created ACME HTTP01 solver ingress.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                      labels:
+                                        description: Labels that should be added to
+                                          the created ACME HTTP01 solver ingress.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                              name:
+                                description: The name of the ingress resource that
+                                  should have ACME challenge solving routes inserted
+                                  into it in order to solve HTTP01 challenges. This
+                                  is typically used in conjunction with ingress controllers
+                                  like ingress-gce, which maintains a 1:1 mapping
+                                  between external IPs and ingress resources.
+                                type: string
+                              podTemplate:
+                                description: Optional pod template used to configure
+                                  the ACME challenge solver pods used for HTTP01 challenges
+                                type: object
+                                properties:
+                                  metadata:
+                                    description: ObjectMeta overrides for the pod
+                                      used to solve HTTP01 challenges. Only the 'labels'
+                                      and 'annotations' fields may be set. If labels
+                                      or annotations overlap with in-built values,
+                                      the values here will override the in-built values.
+                                    type: object
+                                    properties:
+                                      annotations:
+                                        description: Annotations that should be added
+                                          to the create ACME HTTP01 solver pods.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                      labels:
+                                        description: Labels that should be added to
+                                          the created ACME HTTP01 solver pods.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                  spec:
+                                    description: PodSpec defines overrides for the
+                                      HTTP01 challenge solver pod. Only the 'nodeSelector',
+                                      'affinity' and 'tolerations' fields are supported
+                                      currently. All other fields will be ignored.
+                                    type: object
+                                    properties:
+                                      affinity:
+                                        description: If specified, the pod's scheduling
+                                          constraints
+                                        type: object
+                                        properties:
+                                          nodeAffinity:
+                                            description: Describes node affinity scheduling
+                                              rules for the pod.
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  affinity expressions, etc.), compute
+                                                  a sum by iterating through the elements
+                                                  of this field and adding "weight"
+                                                  to the sum if the node matches the
+                                                  corresponding matchExpressions;
+                                                  the node(s) with the highest sum
+                                                  are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: An empty preferred
+                                                    scheduling term matches all objects
+                                                    with implicit weight 0 (i.e. it's
+                                                    a no-op). A null preferred scheduling
+                                                    term matches no objects (i.e.
+                                                    is also a no-op).
+                                                  type: object
+                                                  required:
+                                                  - preference
+                                                  - weight
+                                                  properties:
+                                                    preference:
+                                                      description: A node selector
+                                                        term, associated with the
+                                                        corresponding weight.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's labels.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchFields:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's fields.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                    weight:
+                                                      description: Weight associated
+                                                        with matching the corresponding
+                                                        nodeSelectorTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the affinity requirements
+                                                  specified by this field are not
+                                                  met at scheduling time, the pod
+                                                  will not be scheduled onto the node.
+                                                  If the affinity requirements specified
+                                                  by this field cease to be met at
+                                                  some point during pod execution
+                                                  (e.g. due to an update), the system
+                                                  may or may not try to eventually
+                                                  evict the pod from its node.
+                                                type: object
+                                                required:
+                                                - nodeSelectorTerms
+                                                properties:
+                                                  nodeSelectorTerms:
+                                                    description: Required. A list
+                                                      of node selector terms. The
+                                                      terms are ORed.
+                                                    type: array
+                                                    items:
+                                                      description: A null or empty
+                                                        node selector term matches
+                                                        no objects. The requirements
+                                                        of them are ANDed. The TopologySelectorTerm
+                                                        type implements a subset of
+                                                        the NodeSelectorTerm.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's labels.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchFields:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's fields.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                          podAffinity:
+                                            description: Describes pod affinity scheduling
+                                              rules (e.g. co-locate this pod in the
+                                              same node, zone, etc. as some other
+                                              pod(s)).
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  affinity expressions, etc.), compute
+                                                  a sum by iterating through the elements
+                                                  of this field and adding "weight"
+                                                  to the sum if the node has pods
+                                                  which matches the corresponding
+                                                  podAffinityTerm; the node(s) with
+                                                  the highest sum are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: The weights of all
+                                                    of the matched WeightedPodAffinityTerm
+                                                    fields are added per-node to find
+                                                    the most preferred node(s)
+                                                  type: object
+                                                  required:
+                                                  - podAffinityTerm
+                                                  - weight
+                                                  properties:
+                                                    podAffinityTerm:
+                                                      description: Required. A pod
+                                                        affinity term, associated
+                                                        with the corresponding weight.
+                                                      type: object
+                                                      required:
+                                                      - topologyKey
+                                                      properties:
+                                                        labelSelector:
+                                                          description: A label query
+                                                            over a set of resources,
+                                                            in this case pods.
+                                                          type: object
+                                                          properties:
+                                                            matchExpressions:
+                                                              description: matchExpressions
+                                                                is a list of label
+                                                                selector requirements.
+                                                                The requirements are
+                                                                ANDed.
+                                                              type: array
+                                                              items:
+                                                                description: A label
+                                                                  selector requirement
+                                                                  is a selector that
+                                                                  contains values,
+                                                                  a key, and an operator
+                                                                  that relates the
+                                                                  key and values.
+                                                                type: object
+                                                                required:
+                                                                - key
+                                                                - operator
+                                                                properties:
+                                                                  key:
+                                                                    description: key
+                                                                      is the label
+                                                                      key that the
+                                                                      selector applies
+                                                                      to.
+                                                                    type: string
+                                                                  operator:
+                                                                    description: operator
+                                                                      represents a
+                                                                      key's relationship
+                                                                      to a set of
+                                                                      values. Valid
+                                                                      operators are
+                                                                      In, NotIn, Exists
+                                                                      and DoesNotExist.
+                                                                    type: string
+                                                                  values:
+                                                                    description: values
+                                                                      is an array
+                                                                      of string values.
+                                                                      If the operator
+                                                                      is In or NotIn,
+                                                                      the values array
+                                                                      must be non-empty.
+                                                                      If the operator
+                                                                      is Exists or
+                                                                      DoesNotExist,
+                                                                      the values array
+                                                                      must be empty.
+                                                                      This array is
+                                                                      replaced during
+                                                                      a strategic
+                                                                      merge patch.
+                                                                    type: array
+                                                                    items:
+                                                                      type: string
+                                                            matchLabels:
+                                                              description: matchLabels
+                                                                is a map of {key,value}
+                                                                pairs. A single {key,value}
+                                                                in the matchLabels
+                                                                map is equivalent
+                                                                to an element of matchExpressions,
+                                                                whose key field is
+                                                                "key", the operator
+                                                                is "In", and the values
+                                                                array contains only
+                                                                "value". The requirements
+                                                                are ANDed.
+                                                              type: object
+                                                              additionalProperties:
+                                                                type: string
+                                                        namespaces:
+                                                          description: namespaces
+                                                            specifies which namespaces
+                                                            the labelSelector applies
+                                                            to (matches against);
+                                                            null or empty list means
+                                                            "this pod's namespace"
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                        topologyKey:
+                                                          description: This pod should
+                                                            be co-located (affinity)
+                                                            or not co-located (anti-affinity)
+                                                            with the pods matching
+                                                            the labelSelector in the
+                                                            specified namespaces,
+                                                            where co-located is defined
+                                                            as running on a node whose
+                                                            value of the label with
+                                                            key topologyKey matches
+                                                            that of any node on which
+                                                            any of the selected pods
+                                                            is running. Empty topologyKey
+                                                            is not allowed.
+                                                          type: string
+                                                    weight:
+                                                      description: weight associated
+                                                        with matching the corresponding
+                                                        podAffinityTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the affinity requirements
+                                                  specified by this field are not
+                                                  met at scheduling time, the pod
+                                                  will not be scheduled onto the node.
+                                                  If the affinity requirements specified
+                                                  by this field cease to be met at
+                                                  some point during pod execution
+                                                  (e.g. due to a pod label update),
+                                                  the system may or may not try to
+                                                  eventually evict the pod from its
+                                                  node. When there are multiple elements,
+                                                  the lists of nodes corresponding
+                                                  to each podAffinityTerm are intersected,
+                                                  i.e. all terms must be satisfied.
+                                                type: array
+                                                items:
+                                                  description: Defines a set of pods
+                                                    (namely those matching the labelSelector
+                                                    relative to the given namespace(s))
+                                                    that this pod should be co-located
+                                                    (affinity) or not co-located (anti-affinity)
+                                                    with, where co-located is defined
+                                                    as running on a node whose value
+                                                    of the label with key <topologyKey>
+                                                    matches that of any node on which
+                                                    a pod of the set of pods is running
+                                                  type: object
+                                                  required:
+                                                  - topologyKey
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          type: array
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchLabels:
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                          additionalProperties:
+                                                            type: string
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      type: array
+                                                      items:
+                                                        type: string
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                          podAntiAffinity:
+                                            description: Describes pod anti-affinity
+                                              scheduling rules (e.g. avoid putting
+                                              this pod in the same node, zone, etc.
+                                              as some other pod(s)).
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the anti-affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  anti-affinity expressions, etc.),
+                                                  compute a sum by iterating through
+                                                  the elements of this field and adding
+                                                  "weight" to the sum if the node
+                                                  has pods which matches the corresponding
+                                                  podAffinityTerm; the node(s) with
+                                                  the highest sum are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: The weights of all
+                                                    of the matched WeightedPodAffinityTerm
+                                                    fields are added per-node to find
+                                                    the most preferred node(s)
+                                                  type: object
+                                                  required:
+                                                  - podAffinityTerm
+                                                  - weight
+                                                  properties:
+                                                    podAffinityTerm:
+                                                      description: Required. A pod
+                                                        affinity term, associated
+                                                        with the corresponding weight.
+                                                      type: object
+                                                      required:
+                                                      - topologyKey
+                                                      properties:
+                                                        labelSelector:
+                                                          description: A label query
+                                                            over a set of resources,
+                                                            in this case pods.
+                                                          type: object
+                                                          properties:
+                                                            matchExpressions:
+                                                              description: matchExpressions
+                                                                is a list of label
+                                                                selector requirements.
+                                                                The requirements are
+                                                                ANDed.
+                                                              type: array
+                                                              items:
+                                                                description: A label
+                                                                  selector requirement
+                                                                  is a selector that
+                                                                  contains values,
+                                                                  a key, and an operator
+                                                                  that relates the
+                                                                  key and values.
+                                                                type: object
+                                                                required:
+                                                                - key
+                                                                - operator
+                                                                properties:
+                                                                  key:
+                                                                    description: key
+                                                                      is the label
+                                                                      key that the
+                                                                      selector applies
+                                                                      to.
+                                                                    type: string
+                                                                  operator:
+                                                                    description: operator
+                                                                      represents a
+                                                                      key's relationship
+                                                                      to a set of
+                                                                      values. Valid
+                                                                      operators are
+                                                                      In, NotIn, Exists
+                                                                      and DoesNotExist.
+                                                                    type: string
+                                                                  values:
+                                                                    description: values
+                                                                      is an array
+                                                                      of string values.
+                                                                      If the operator
+                                                                      is In or NotIn,
+                                                                      the values array
+                                                                      must be non-empty.
+                                                                      If the operator
+                                                                      is Exists or
+                                                                      DoesNotExist,
+                                                                      the values array
+                                                                      must be empty.
+                                                                      This array is
+                                                                      replaced during
+                                                                      a strategic
+                                                                      merge patch.
+                                                                    type: array
+                                                                    items:
+                                                                      type: string
+                                                            matchLabels:
+                                                              description: matchLabels
+                                                                is a map of {key,value}
+                                                                pairs. A single {key,value}
+                                                                in the matchLabels
+                                                                map is equivalent
+                                                                to an element of matchExpressions,
+                                                                whose key field is
+                                                                "key", the operator
+                                                                is "In", and the values
+                                                                array contains only
+                                                                "value". The requirements
+                                                                are ANDed.
+                                                              type: object
+                                                              additionalProperties:
+                                                                type: string
+                                                        namespaces:
+                                                          description: namespaces
+                                                            specifies which namespaces
+                                                            the labelSelector applies
+                                                            to (matches against);
+                                                            null or empty list means
+                                                            "this pod's namespace"
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                        topologyKey:
+                                                          description: This pod should
+                                                            be co-located (affinity)
+                                                            or not co-located (anti-affinity)
+                                                            with the pods matching
+                                                            the labelSelector in the
+                                                            specified namespaces,
+                                                            where co-located is defined
+                                                            as running on a node whose
+                                                            value of the label with
+                                                            key topologyKey matches
+                                                            that of any node on which
+                                                            any of the selected pods
+                                                            is running. Empty topologyKey
+                                                            is not allowed.
+                                                          type: string
+                                                    weight:
+                                                      description: weight associated
+                                                        with matching the corresponding
+                                                        podAffinityTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the anti-affinity
+                                                  requirements specified by this field
+                                                  are not met at scheduling time,
+                                                  the pod will not be scheduled onto
+                                                  the node. If the anti-affinity requirements
+                                                  specified by this field cease to
+                                                  be met at some point during pod
+                                                  execution (e.g. due to a pod label
+                                                  update), the system may or may not
+                                                  try to eventually evict the pod
+                                                  from its node. When there are multiple
+                                                  elements, the lists of nodes corresponding
+                                                  to each podAffinityTerm are intersected,
+                                                  i.e. all terms must be satisfied.
+                                                type: array
+                                                items:
+                                                  description: Defines a set of pods
+                                                    (namely those matching the labelSelector
+                                                    relative to the given namespace(s))
+                                                    that this pod should be co-located
+                                                    (affinity) or not co-located (anti-affinity)
+                                                    with, where co-located is defined
+                                                    as running on a node whose value
+                                                    of the label with key <topologyKey>
+                                                    matches that of any node on which
+                                                    a pod of the set of pods is running
+                                                  type: object
+                                                  required:
+                                                  - topologyKey
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          type: array
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchLabels:
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                          additionalProperties:
+                                                            type: string
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      type: array
+                                                      items:
+                                                        type: string
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                      nodeSelector:
+                                        description: 'NodeSelector is a selector which
+                                          must be true for the pod to fit on a node.
+                                          Selector which must match a node''s labels
+                                          for the pod to be scheduled on that node.
+                                          More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                      tolerations:
+                                        description: If specified, the pod's tolerations.
+                                        type: array
+                                        items:
+                                          description: The pod this Toleration is
+                                            attached to tolerates any taint that matches
+                                            the triple <key,value,effect> using the
+                                            matching operator <operator>.
+                                          type: object
+                                          properties:
+                                            effect:
+                                              description: Effect indicates the taint
+                                                effect to match. Empty means match
+                                                all taint effects. When specified,
+                                                allowed values are NoSchedule, PreferNoSchedule
+                                                and NoExecute.
+                                              type: string
+                                            key:
+                                              description: Key is the taint key that
+                                                the toleration applies to. Empty means
+                                                match all taint keys. If the key is
+                                                empty, operator must be Exists; this
+                                                combination means to match all values
+                                                and all keys.
+                                              type: string
+                                            operator:
+                                              description: Operator represents a key's
+                                                relationship to the value. Valid operators
+                                                are Exists and Equal. Defaults to
+                                                Equal. Exists is equivalent to wildcard
+                                                for value, so that a pod can tolerate
+                                                all taints of a particular category.
+                                              type: string
+                                            tolerationSeconds:
+                                              description: TolerationSeconds represents
+                                                the period of time the toleration
+                                                (which must be of effect NoExecute,
+                                                otherwise this field is ignored) tolerates
+                                                the taint. By default, it is not set,
+                                                which means tolerate the taint forever
+                                                (do not evict). Zero and negative
+                                                values will be treated as 0 (evict
+                                                immediately) by the system.
+                                              type: integer
+                                              format: int64
+                                            value:
+                                              description: Value is the taint value
+                                                the toleration matches to. If the
+                                                operator is Exists, the value should
+                                                be empty, otherwise just a regular
+                                                string.
+                                              type: string
+                              serviceType:
+                                description: Optional service type for Kubernetes
+                                  solver service
+                                type: string
+                      selector:
+                        description: Selector selects a set of DNSNames on the Certificate
+                          resource that should be solved using this challenge solver.
+                        type: object
+                        properties:
+                          dnsNames:
+                            description: List of DNSNames that this solver will be
+                              used to solve. If specified and a match is found, a
+                              dnsNames selector will take precedence over a dnsZones
+                              selector. If multiple solvers match with the same dnsNames
+                              value, the solver with the most matching labels in matchLabels
+                              will be selected. If neither has more matches, the solver
+                              defined earlier in the list will be selected.
+                            type: array
+                            items:
+                              type: string
+                          dnsZones:
+                            description: List of DNSZones that this solver will be
+                              used to solve. The most specific DNS zone match specified
+                              here will take precedence over other DNS zone matches,
+                              so a solver specifying sys.example.com will be selected
+                              over one specifying example.com for the domain www.sys.example.com.
+                              If multiple solvers match with the same dnsZones value,
+                              the solver with the most matching labels in matchLabels
+                              will be selected. If neither has more matches, the solver
+                              defined earlier in the list will be selected.
+                            type: array
+                            items:
+                              type: string
+                          matchLabels:
+                            description: A label selector that is used to refine the
+                              set of certificate's that this challenge solver will
+                              apply to.
+                            type: object
+                            additionalProperties:
+                              type: string
+            ca:
+              type: object
+              required:
+              - secretName
+              properties:
+                crlDistributionPoints:
+                  description: The CRL distribution points is an X.509 v3 certificate
+                    extension which identifies the location of the CRL from which
+                    the revocation of this certificate can be checked. If not set
+                    certificate will be issued without CDP. Values are strings.
+                  type: array
+                  items:
+                    type: string
+                secretName:
+                  description: SecretName is the name of the secret used to sign Certificates
+                    issued by this Issuer.
+                  type: string
+            selfSigned:
+              type: object
+              properties:
+                crlDistributionPoints:
+                  description: The CRL distribution points is an X.509 v3 certificate
+                    extension which identifies the location of the CRL from which
+                    the revocation of this certificate can be checked. If not set
+                    certificate will be issued without CDP. Values are strings.
+                  type: array
+                  items:
+                    type: string
+            vault:
+              type: object
+              required:
+              - auth
+              - path
+              - server
+              properties:
+                auth:
+                  description: Vault authentication
+                  type: object
+                  properties:
+                    appRole:
+                      description: This Secret contains a AppRole and Secret
+                      type: object
+                      required:
+                      - path
+                      - roleId
+                      - secretRef
+                      properties:
+                        path:
+                          description: Where the authentication path is mounted in
+                            Vault.
+                          type: string
+                        roleId:
+                          type: string
+                        secretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    kubernetes:
+                      description: This contains a Role and Secret with a ServiceAccount
+                        token to authenticate with vault.
+                      type: object
+                      required:
+                      - role
+                      - secretRef
+                      properties:
+                        mountPath:
+                          description: The Vault mountPath here is the mount path
+                            to use when authenticating with Vault. For example, setting
+                            a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
+                            to authenticate with Vault. If unspecified, the default
+                            value "/v1/auth/kubernetes" will be used.
+                          type: string
+                        role:
+                          description: A required field containing the Vault Role
+                            to assume. A Role binds a Kubernetes ServiceAccount with
+                            a set of Vault policies.
+                          type: string
+                        secretRef:
+                          description: The required Secret field containing a Kubernetes
+                            ServiceAccount JWT used for authenticating with Vault.
+                            Use of 'ambient credentials' is not supported.
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    tokenSecretRef:
+                      description: This Secret contains the Vault token key
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        key:
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                caBundle:
+                  description: Base64 encoded CA bundle to validate Vault server certificate.
+                    Only used if the Server URL is using HTTPS protocol. This parameter
+                    is ignored for plain HTTP protocol connection. If not set the
+                    system root certificates are used to validate the TLS connection.
+                  type: string
+                  format: byte
+                path:
+                  description: Vault URL path to the certificate role
+                  type: string
+                server:
+                  description: Server is the vault connection address
+                  type: string
+            venafi:
+              description: VenafiIssuer describes issuer configuration details for
+                Venafi Cloud.
+              type: object
+              required:
+              - zone
+              properties:
+                cloud:
+                  description: Cloud specifies the Venafi cloud configuration settings.
+                    Only one of TPP or Cloud may be specified.
+                  type: object
+                  required:
+                  - apiTokenSecretRef
+                  properties:
+                    apiTokenSecretRef:
+                      description: APITokenSecretRef is a secret key selector for
+                        the Venafi Cloud API token.
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        key:
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                    url:
+                      description: URL is the base URL for Venafi Cloud
+                      type: string
+                tpp:
+                  description: TPP specifies Trust Protection Platform configuration
+                    settings. Only one of TPP or Cloud may be specified.
+                  type: object
+                  required:
+                  - credentialsRef
+                  - url
+                  properties:
+                    caBundle:
+                      description: CABundle is a PEM encoded TLS certificate to use
+                        to verify connections to the TPP instance. If specified, system
+                        roots will not be used and the issuing CA for the TPP instance
+                        must be verifiable using the provided root. If not specified,
+                        the connection will be verified using the cert-manager system
+                        root certificates.
+                      type: string
+                      format: byte
+                    credentialsRef:
+                      description: CredentialsRef is a reference to a Secret containing
+                        the username and password for the TPP server. The secret must
+                        contain two keys, 'username' and 'password'.
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                    url:
+                      description: URL is the base URL for the Venafi TPP instance
+                      type: string
+                zone:
+                  description: Zone is the Venafi Policy Zone to use for this issuer.
+                    All requests made to the Venafi platform will be restricted by
+                    the named zone policy. This field is required.
+                  type: string
+        status:
+          description: IssuerStatus contains status information about an Issuer
+          type: object
+          properties:
+            acme:
+              type: object
+              properties:
+                lastRegisteredEmail:
+                  description: LastRegisteredEmail is the email associated with the
+                    latest registered ACME account, in order to track changes made
+                    to registered account associated with the  Issuer
+                  type: string
+                uri:
+                  description: URI is the unique account identifier, which can also
+                    be used to retrieve account details from the CA
+                  type: string
+            conditions:
+              type: array
+              items:
+                description: IssuerCondition contains condition information for an
+                  Issuer.
+                type: object
+                required:
+                - status
+                - type
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp corresponding
+                      to the last status change of this condition.
+                    type: string
+                    format: date-time
+                  message:
+                    description: Message is a human readable description of the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 'False',
+                      'Unknown').
+                    type: string
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
index f393168ff..f7f5b5823 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
@@ -1,1774 +1,1820 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: issuers.certmanager.k8s.io
+  name: issuers.cert-manager.io
   annotations:
-    "helm.sh/hook": crd-install
-    "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
-  group: certmanager.k8s.io
-  scope: Namespaced
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
   names:
     kind: Issuer
+    listKind: IssuerList
     plural: issuers
+    singular: issuer
+  scope: Namespaced
+  subresources:
+    status: {}
   versions:
-  - name: v1alpha1
+  - name: v1alpha2
     served: true
     storage: true
-    schema:
-      openAPIV3Schema:
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      type: object
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: IssuerSpec is the specification of an Issuer. This includes
+            any configuration required for the issuer.
           type: object
           properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation
-                of an object. Servers should convert recognized schemas to the latest
-                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this
-                object represents. Servers may infer this from the endpoint the client
-                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: IssuerSpec is the specification of an Issuer. This includes
-                any configuration required for the issuer.
+            acme:
+              description: ACMEIssuer contains the specification for an ACME issuer
               type: object
+              required:
+              - privateKeySecretRef
+              - server
               properties:
-                acme:
-                  description: ACMEIssuer contains the specification for an ACME issuer
+                email:
+                  description: Email is the email for this account
+                  type: string
+                externalAccountBinding:
+                  description: ExternalAccountBinding is a reference to a CA external
+                    account of the ACME server.
                   type: object
                   required:
-                  - privateKeySecretRef
-                  - server
+                  - keyAlgorithm
+                  - keyID
+                  - keySecretRef
                   properties:
-                    email:
-                      description: Email is the email for this account
+                    keyAlgorithm:
+                      description: keyAlgorithm is the MAC key algorithm that the
+                        key is used for. Valid values are "HS256", "HS384" and "HS512".
                       type: string
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external
-                        account of the ACME server.
-                      type: object
-                      required:
-                      - keyAlgorithm
-                      - keyID
-                      - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: keyAlgorithm is the MAC key algorithm that the
-                            key is used for. Valid values are "HS256", "HS384" and "HS512".
-                          type: string
-                          enum:
-                          - HS256
-                          - HS384
-                          - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External
-                            Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing
-                            a data item in a Kubernetes Secret which holds the symmetric
-                            MAC key of the External Account Binding. The `key` is the
-                            index string that is paired with the key data in the Secret
-                            and should not be confused with the key data itself, or indeed
-                            with the External Account Binding keyID above. The secret
-                            key stored in the Secret **must** be un-padded, base64 URL
-                            encoded data.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            key:
-                              description: The key of the secret to select from. Must
-                                be a valid secret key.
-                              type: string
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a secret containing the private
-                        key for this user account.
+                      enum:
+                      - HS256
+                      - HS384
+                      - HS512
+                    keyID:
+                      description: keyID is the ID of the CA key that the External
+                        Account is bound to.
+                      type: string
+                    keySecretRef:
+                      description: keySecretRef is a Secret Key Selector referencing
+                        a data item in a Kubernetes Secret which holds the symmetric
+                        MAC key of the External Account Binding. The `key` is the
+                        index string that is paired with the key data in the Secret
+                        and should not be confused with the key data itself, or indeed
+                        with the External Account Binding keyID above. The secret
+                        key stored in the Secret **must** be un-padded, base64 URL
+                        encoded data.
                       type: object
                       required:
                       - name
                       properties:
                         key:
-                          description: The key of the secret to select from. Must be a
-                            valid secret key.
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
                           type: string
                         name:
                           description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                             TODO: Add other useful fields. apiVersion, kind, uid?'
                           type: string
-                    server:
-                      description: Server is the ACME server URL
-                      type: string
-                    skipTLSVerify:
-                      description: If true, skip verifying the ACME server TLS certificate
-                      type: boolean
-                    solvers:
-                      description: Solvers is a list of challenge solvers that will be
-                        used to solve ACME challenges for the matching domains.
-                      type: array
-                      items:
-                        type: object
-                        properties:
-                          dns01:
-                            type: object
-                            properties:
-                              acmedns:
-                                description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
-                                  containing the configuration for ACME-DNS servers
-                                type: object
-                                required:
-                                - accountSecretRef
-                                - host
-                                properties:
-                                  accountSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: ACMEIssuerDNS01ProviderAkamai is a structure
-                                  containing the DNS configuration for Akamai DNS—Zone
-                                  Record Management API
-                                type: object
-                                required:
-                                - accessTokenSecretRef
-                                - clientSecretSecretRef
-                                - clientTokenSecretRef
-                                - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azuredns:
-                                description: ACMEIssuerDNS01ProviderAzureDNS is a structure
-                                  containing the configuration for Azure DNS
-                                type: object
-                                required:
-                                - resourceGroupName
-                                - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left
-                                      unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset
-                                      MSI will be used
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                    - AzurePublicCloud
-                                    - AzureChinaCloud
-                                    - AzureGermanCloud
-                                    - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret
-                                      then this field is also needed
-                                    type: string
-                              clouddns:
-                                description: ACMEIssuerDNS01ProviderCloudDNS is a structure
-                                  containing the DNS configuration for Google Cloud DNS
-                                type: object
-                                required:
-                                - project
-                                properties:
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              cloudflare:
-                                description: ACMEIssuerDNS01ProviderCloudflare is a structure
-                                  containing the DNS configuration for Cloudflare
-                                type: object
-                                required:
-                                - email
-                                properties:
-                                  apiKeySecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  email:
-                                    type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider
-                                  should handle CNAME records when found in DNS zones.
-                                type: string
-                                enum:
-                                - None
-                                - Follow
-                              digitalocean:
-                                description: ACMEIssuerDNS01ProviderDigitalOcean is a
-                                  structure containing the DNS configuration for DigitalOcean
-                                  Domains
-                                type: object
-                                required:
-                                - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              rfc2136:
-                                description: ACMEIssuerDNS01ProviderRFC2136 is a structure
-                                  containing the configuration for RFC2136 DNS
-                                type: object
-                                required:
-                                - nameserver
-                                properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative
-                                      DNS server supporting RFC2136 in the form host:port.
-                                      If the host is an IPv6 address it must be enclosed
-                                      in square brackets (e.g [2001:db8::1]) ; port is
-                                      optional. This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the
-                                      DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
-                                      and ``tsigKeyName`` are defined. Supported values
-                                      are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
-                                      ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS.
-                                      If ``tsigSecretSecretRef`` is defined, this field
-                                      is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the
-                                      TSIG value. If ``tsigKeyName`` is defined, this
-                                      field is required.
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              route53:
-                                description: ACMEIssuerDNS01ProviderRoute53 is a structure
-                                  containing the Route 53 configuration for AWS
-                                type: object
-                                required:
-                                - region
-                                properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication.
-                                      If not set we fall-back to using env vars, shared
-                                      credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
-                                    type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only
-                                      this zone in Route53 and will not do an lookup using
-                                      the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID
-                                      and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53
-                                      provider will assume using either the explicit credentials
-                                      AccessKeyID/SecretAccessKey or the inferred credentials
-                                      from environment variables, shared credentials file
-                                      or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication.
-                                      If not set we fall-back to using env vars, shared
-                                      credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              webhook:
-                                description: ACMEIssuerDNS01ProviderWebhook specifies
-                                  configuration for a webhook DNS01 provider, including
-                                  where to POST ChallengePayload resources.
-                                type: object
-                                required:
-                                - groupName
-                                - solverName
-                                properties:
-                                  config:
-                                    description: Additional configuration that should
-                                      be passed to the webhook apiserver when challenges
-                                      are processed. This can contain arbitrary JSON data.
-                                      Secret values should not be specified in this stanza.
-                                      If secret values are needed (e.g. credentials for
-                                      a DNS service), you should use a SecretKeySelector
-                                      to reference a Secret resource. For details on the
-                                      schema of this field, consult the webhook provider
-                                      implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used
-                                      when POSTing ChallengePayload resources to the webhook
-                                      apiserver. This should be the same as the GroupName
-                                      specified in the webhook provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined
-                                      in the webhook provider implementation. This will
-                                      typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: ACMEChallengeSolverHTTP01 contains configuration
-                              detailing how to solve HTTP01 challenges within a Kubernetes
-                              cluster. Typically this is accomplished through creating
-                              'routes' of some description that configure ingress controllers
-                              to direct traffic to 'solver pods', which are responsible
-                              for responding to the ACME server's HTTP requests.
-                            type: object
-                            properties:
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver
-                                  will solve challenges by creating or modifying Ingress
-                                  resources in order to route requests for '/.well-known/acme-challenge/XYZ'
-                                  to 'challenge solver' pods that are provisioned by cert-manager
-                                  for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: The ingress class to use when creating
-                                      Ingress resources to solve ACME challenges that
-                                      use this challenge solver. Only one of 'class' or
-                                      'name' may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure
-                                      the ACME challenge solver ingress used for HTTP01
-                                      challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress
-                                          used to solve HTTP01 challenges. Only the 'labels'
-                                          and 'annotations' fields may be set. If labels
-                                          or annotations overlap with in-built values,
-                                          the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added
-                                              to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to
-                                              the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that
-                                      should have ACME challenge solving routes inserted
-                                      into it in order to solve HTTP01 challenges. This
-                                      is typically used in conjunction with ingress controllers
-                                      like ingress-gce, which maintains a 1:1 mapping
-                                      between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure
-                                      the ACME challenge solver pods used for HTTP01 challenges
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod
-                                          used to solve HTTP01 challenges. Only the 'labels'
-                                          and 'annotations' fields may be set. If labels
-                                          or annotations overlap with in-built values,
-                                          the values here will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added
-                                              to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to
-                                              the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the
-                                          HTTP01 challenge solver pod. Only the 'nodeSelector',
-                                          'affinity' and 'tolerations' fields are supported
-                                          currently. All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling
-                                              constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling
-                                                  rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      affinity expressions, etc.), compute
-                                                      a sum by iterating through the elements
-                                                      of this field and adding "weight"
-                                                      to the sum if the node matches the
-                                                      corresponding matchExpressions;
-                                                      the node(s) with the highest sum
-                                                      are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred
-                                                        scheduling term matches all objects
-                                                        with implicit weight 0 (i.e. it's
-                                                        a no-op). A null preferred scheduling
-                                                        term matches no objects (i.e.
-                                                        is also a no-op).
-                                                      type: object
-                                                      required:
-                                                      - preference
-                                                      - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector
-                                                            term, associated with the
-                                                            corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated
-                                                            with matching the corresponding
-                                                            nodeSelectorTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements
-                                                      specified by this field are not
-                                                      met at scheduling time, the pod
-                                                      will not be scheduled onto the node.
-                                                      If the affinity requirements specified
-                                                      by this field cease to be met at
-                                                      some point during pod execution
-                                                      (e.g. due to an update), the system
-                                                      may or may not try to eventually
-                                                      evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                    - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list
-                                                          of node selector terms. The
-                                                          terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty
-                                                            node selector term matches
-                                                            no objects. The requirements
-                                                            of them are ANDed. The TopologySelectorTerm
-                                                            type implements a subset of
-                                                            the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling
-                                                  rules (e.g. co-locate this pod in the
-                                                  same node, zone, etc. as some other
-                                                  pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      affinity expressions, etc.), compute
-                                                      a sum by iterating through the elements
-                                                      of this field and adding "weight"
-                                                      to the sum if the node has pods
-                                                      which matches the corresponding
-                                                      podAffinityTerm; the node(s) with
-                                                      the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all
-                                                        of the matched WeightedPodAffinityTerm
-                                                        fields are added per-node to find
-                                                        the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                      - podAffinityTerm
-                                                      - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod
-                                                            affinity term, associated
-                                                            with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                          - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query
-                                                                over a set of resources,
-                                                                in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions
-                                                                    is a list of label
-                                                                    selector requirements.
-                                                                    The requirements are
-                                                                    ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label
-                                                                      selector requirement
-                                                                      is a selector that
-                                                                      contains values,
-                                                                      a key, and an operator
-                                                                      that relates the
-                                                                      key and values.
-                                                                    type: object
-                                                                    required:
-                                                                    - key
-                                                                    - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key
-                                                                          is the label
-                                                                          key that the
-                                                                          selector applies
-                                                                          to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator
-                                                                          represents a
-                                                                          key's relationship
-                                                                          to a set of
-                                                                          values. Valid
-                                                                          operators are
-                                                                          In, NotIn, Exists
-                                                                          and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values
-                                                                          is an array
-                                                                          of string values.
-                                                                          If the operator
-                                                                          is In or NotIn,
-                                                                          the values array
-                                                                          must be non-empty.
-                                                                          If the operator
-                                                                          is Exists or
-                                                                          DoesNotExist,
-                                                                          the values array
-                                                                          must be empty.
-                                                                          This array is
-                                                                          replaced during
-                                                                          a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels
-                                                                    is a map of {key,value}
-                                                                    pairs. A single {key,value}
-                                                                    in the matchLabels
-                                                                    map is equivalent
-                                                                    to an element of matchExpressions,
-                                                                    whose key field is
-                                                                    "key", the operator
-                                                                    is "In", and the values
-                                                                    array contains only
-                                                                    "value". The requirements
-                                                                    are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces
-                                                                specifies which namespaces
-                                                                the labelSelector applies
-                                                                to (matches against);
-                                                                null or empty list means
-                                                                "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should
-                                                                be co-located (affinity)
-                                                                or not co-located (anti-affinity)
-                                                                with the pods matching
-                                                                the labelSelector in the
-                                                                specified namespaces,
-                                                                where co-located is defined
-                                                                as running on a node whose
-                                                                value of the label with
-                                                                key topologyKey matches
-                                                                that of any node on which
-                                                                any of the selected pods
-                                                                is running. Empty topologyKey
-                                                                is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated
-                                                            with matching the corresponding
-                                                            podAffinityTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements
-                                                      specified by this field are not
-                                                      met at scheduling time, the pod
-                                                      will not be scheduled onto the node.
-                                                      If the affinity requirements specified
-                                                      by this field cease to be met at
-                                                      some point during pod execution
-                                                      (e.g. due to a pod label update),
-                                                      the system may or may not try to
-                                                      eventually evict the pod from its
-                                                      node. When there are multiple elements,
-                                                      the lists of nodes corresponding
-                                                      to each podAffinityTerm are intersected,
-                                                      i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods
-                                                        (namely those matching the labelSelector
-                                                        relative to the given namespace(s))
-                                                        that this pod should be co-located
-                                                        (affinity) or not co-located (anti-affinity)
-                                                        with, where co-located is defined
-                                                        as running on a node whose value
-                                                        of the label with key <topologyKey>
-                                                        matches that of any node on which
-                                                        a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                      - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over
-                                                            a set of resources, in this
-                                                            case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions
-                                                                is a list of label selector
-                                                                requirements. The requirements
-                                                                are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is
-                                                                      the label key that
-                                                                      the selector applies
-                                                                      to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator
-                                                                      represents a key's
-                                                                      relationship to
-                                                                      a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists
-                                                                      and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values
-                                                                      is an array of string
-                                                                      values. If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels
-                                                                is a map of {key,value}
-                                                                pairs. A single {key,value}
-                                                                in the matchLabels map
-                                                                is equivalent to an element
-                                                                of matchExpressions, whose
-                                                                key field is "key", the
-                                                                operator is "In", and
-                                                                the values array contains
-                                                                only "value". The requirements
-                                                                are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies
-                                                            which namespaces the labelSelector
-                                                            applies to (matches against);
-                                                            null or empty list means "this
-                                                            pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should
-                                                            be co-located (affinity) or
-                                                            not co-located (anti-affinity)
-                                                            with the pods matching the
-                                                            labelSelector in the specified
-                                                            namespaces, where co-located
-                                                            is defined as running on a
-                                                            node whose value of the label
-                                                            with key topologyKey matches
-                                                            that of any node on which
-                                                            any of the selected pods is
-                                                            running. Empty topologyKey
-                                                            is not allowed.
-                                                          type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity
-                                                  scheduling rules (e.g. avoid putting
-                                                  this pod in the same node, zone, etc.
-                                                  as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the anti-affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      anti-affinity expressions, etc.),
-                                                      compute a sum by iterating through
-                                                      the elements of this field and adding
-                                                      "weight" to the sum if the node
-                                                      has pods which matches the corresponding
-                                                      podAffinityTerm; the node(s) with
-                                                      the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all
-                                                        of the matched WeightedPodAffinityTerm
-                                                        fields are added per-node to find
-                                                        the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                      - podAffinityTerm
-                                                      - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod
-                                                            affinity term, associated
-                                                            with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                          - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query
-                                                                over a set of resources,
-                                                                in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions
-                                                                    is a list of label
-                                                                    selector requirements.
-                                                                    The requirements are
-                                                                    ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label
-                                                                      selector requirement
-                                                                      is a selector that
-                                                                      contains values,
-                                                                      a key, and an operator
-                                                                      that relates the
-                                                                      key and values.
-                                                                    type: object
-                                                                    required:
-                                                                    - key
-                                                                    - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key
-                                                                          is the label
-                                                                          key that the
-                                                                          selector applies
-                                                                          to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator
-                                                                          represents a
-                                                                          key's relationship
-                                                                          to a set of
-                                                                          values. Valid
-                                                                          operators are
-                                                                          In, NotIn, Exists
-                                                                          and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values
-                                                                          is an array
-                                                                          of string values.
-                                                                          If the operator
-                                                                          is In or NotIn,
-                                                                          the values array
-                                                                          must be non-empty.
-                                                                          If the operator
-                                                                          is Exists or
-                                                                          DoesNotExist,
-                                                                          the values array
-                                                                          must be empty.
-                                                                          This array is
-                                                                          replaced during
-                                                                          a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels
-                                                                    is a map of {key,value}
-                                                                    pairs. A single {key,value}
-                                                                    in the matchLabels
-                                                                    map is equivalent
-                                                                    to an element of matchExpressions,
-                                                                    whose key field is
-                                                                    "key", the operator
-                                                                    is "In", and the values
-                                                                    array contains only
-                                                                    "value". The requirements
-                                                                    are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces
-                                                                specifies which namespaces
-                                                                the labelSelector applies
-                                                                to (matches against);
-                                                                null or empty list means
-                                                                "this pod's namespace"
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                            topologyKey:
-                                                              description: This pod should
-                                                                be co-located (affinity)
-                                                                or not co-located (anti-affinity)
-                                                                with the pods matching
-                                                                the labelSelector in the
-                                                                specified namespaces,
-                                                                where co-located is defined
-                                                                as running on a node whose
-                                                                value of the label with
-                                                                key topologyKey matches
-                                                                that of any node on which
-                                                                any of the selected pods
-                                                                is running. Empty topologyKey
-                                                                is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated
-                                                            with matching the corresponding
-                                                            podAffinityTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity
-                                                      requirements specified by this field
-                                                      are not met at scheduling time,
-                                                      the pod will not be scheduled onto
-                                                      the node. If the anti-affinity requirements
-                                                      specified by this field cease to
-                                                      be met at some point during pod
-                                                      execution (e.g. due to a pod label
-                                                      update), the system may or may not
-                                                      try to eventually evict the pod
-                                                      from its node. When there are multiple
-                                                      elements, the lists of nodes corresponding
-                                                      to each podAffinityTerm are intersected,
-                                                      i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods
-                                                        (namely those matching the labelSelector
-                                                        relative to the given namespace(s))
-                                                        that this pod should be co-located
-                                                        (affinity) or not co-located (anti-affinity)
-                                                        with, where co-located is defined
-                                                        as running on a node whose value
-                                                        of the label with key <topologyKey>
-                                                        matches that of any node on which
-                                                        a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                      - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: A label query over
-                                                            a set of resources, in this
-                                                            case pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions
-                                                                is a list of label selector
-                                                                requirements. The requirements
-                                                                are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: A label selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is
-                                                                      the label key that
-                                                                      the selector applies
-                                                                      to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: operator
-                                                                      represents a key's
-                                                                      relationship to
-                                                                      a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists
-                                                                      and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: values
-                                                                      is an array of string
-                                                                      values. If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchLabels:
-                                                              description: matchLabels
-                                                                is a map of {key,value}
-                                                                pairs. A single {key,value}
-                                                                in the matchLabels map
-                                                                is equivalent to an element
-                                                                of matchExpressions, whose
-                                                                key field is "key", the
-                                                                operator is "In", and
-                                                                the values array contains
-                                                                only "value". The requirements
-                                                                are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                        namespaces:
-                                                          description: namespaces specifies
-                                                            which namespaces the labelSelector
-                                                            applies to (matches against);
-                                                            null or empty list means "this
-                                                            pod's namespace"
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                        topologyKey:
-                                                          description: This pod should
-                                                            be co-located (affinity) or
-                                                            not co-located (anti-affinity)
-                                                            with the pods matching the
-                                                            labelSelector in the specified
-                                                            namespaces, where co-located
-                                                            is defined as running on a
-                                                            node whose value of the label
-                                                            with key topologyKey matches
-                                                            that of any node on which
-                                                            any of the selected pods is
-                                                            running. Empty topologyKey
-                                                            is not allowed.
-                                                          type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which
-                                              must be true for the pod to fit on a node.
-                                              Selector which must match a node''s labels
-                                              for the pod to be scheduled on that node.
-                                              More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is
-                                                attached to tolerates any taint that matches
-                                                the triple <key,value,effect> using the
-                                                matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint
-                                                    effect to match. Empty means match
-                                                    all taint effects. When specified,
-                                                    allowed values are NoSchedule, PreferNoSchedule
-                                                    and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that
-                                                    the toleration applies to. Empty means
-                                                    match all taint keys. If the key is
-                                                    empty, operator must be Exists; this
-                                                    combination means to match all values
-                                                    and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's
-                                                    relationship to the value. Valid operators
-                                                    are Exists and Equal. Defaults to
-                                                    Equal. Exists is equivalent to wildcard
-                                                    for value, so that a pod can tolerate
-                                                    all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents
-                                                    the period of time the toleration
-                                                    (which must be of effect NoExecute,
-                                                    otherwise this field is ignored) tolerates
-                                                    the taint. By default, it is not set,
-                                                    which means tolerate the taint forever
-                                                    (do not evict). Zero and negative
-                                                    values will be treated as 0 (evict
-                                                    immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value
-                                                    the toleration matches to. If the
-                                                    operator is Exists, the value should
-                                                    be empty, otherwise just a regular
-                                                    string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes
-                                      solver service
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate
-                              resource that should be solved using this challenge solver.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be
-                                  used to solve. If specified and a match is found, a
-                                  dnsNames selector will take precedence over a dnsZones
-                                  selector. If multiple solvers match with the same dnsNames
-                                  value, the solver with the most matching labels in matchLabels
-                                  will be selected. If neither has more matches, the solver
-                                  defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be
-                                  used to solve. The most specific DNS zone match specified
-                                  here will take precedence over other DNS zone matches,
-                                  so a solver specifying sys.example.com will be selected
-                                  over one specifying example.com for the domain www.sys.example.com.
-                                  If multiple solvers match with the same dnsZones value,
-                                  the solver with the most matching labels in matchLabels
-                                  will be selected. If neither has more matches, the solver
-                                  defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the
-                                  set of certificate's that this challenge solver will
-                                  apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
+                privateKeySecretRef:
+                  description: PrivateKey is the name of a secret containing the private
+                    key for this user account.
                   type: object
                   required:
-                  - secretName
+                  - name
                   properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate
-                        extension which identifies the location of the CRL from which
-                        the revocation of this certificate can be checked. If not set
-                        certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates
-                        issued by this Issuer.
+                    key:
+                      description: The key of the secret to select from. Must be a
+                        valid secret key.
                       type: string
-                selfSigned:
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate
-                        extension which identifies the location of the CRL from which
-                        the revocation of this certificate can be checked. If not set
-                        certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  type: object
-                  required:
-                  - auth
-                  - path
-                  - server
-                  properties:
-                    auth:
-                      description: Vault authentication
-                      type: object
-                      properties:
-                        appRole:
-                          description: This Secret contains a AppRole and Secret
-                          type: object
-                          required:
-                          - path
-                          - roleId
-                          - secretRef
-                          properties:
-                            path:
-                              description: Where the authentication path is mounted in
-                                Vault.
-                              type: string
-                            roleId:
-                              type: string
-                            secretRef:
-                              type: object
-                              required:
-                              - name
-                              properties:
-                                key:
-                                  description: The key of the secret to select from. Must
-                                    be a valid secret key.
-                                  type: string
-                                name:
-                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?'
-                                  type: string
-                        kubernetes:
-                          description: This contains a Role and Secret with a ServiceAccount
-                            token to authenticate with vault.
-                          type: object
-                          required:
-                          - role
-                          - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path
-                                to use when authenticating with Vault. For example, setting
-                                a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
-                                to authenticate with Vault. If unspecified, the default
-                                value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role
-                                to assume. A Role binds a Kubernetes ServiceAccount with
-                                a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes
-                                ServiceAccount JWT used for authenticating with Vault.
-                                Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                              - name
-                              properties:
-                                key:
-                                  description: The key of the secret to select from. Must
-                                    be a valid secret key.
-                                  type: string
-                                name:
-                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?'
-                                  type: string
-                        tokenSecretRef:
-                          description: This Secret contains the Vault token key
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            key:
-                              description: The key of the secret to select from. Must
-                                be a valid secret key.
-                              type: string
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                    caBundle:
-                      description: Base64 encoded CA bundle to validate Vault server certificate.
-                        Only used if the Server URL is using HTTPS protocol. This parameter
-                        is ignored for plain HTTP protocol connection. If not set the
-                        system root certificates are used to validate the TLS connection.
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
                       type: string
-                      format: byte
-                    path:
-                      description: Vault URL path to the certificate role
-                      type: string
-                    server:
-                      description: Server is the vault connection address
-                      type: string
-                venafi:
-                  description: VenafiIssuer describes issuer configuration details for
-                    Venafi Cloud.
-                  type: object
-                  required:
-                  - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings.
-                        Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                      - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for
-                            the Venafi Cloud API token.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            key:
-                              description: The key of the secret to select from. Must
-                                be a valid secret key.
-                              type: string
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration
-                        settings. Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                      - credentialsRef
-                      - url
-                      properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use
-                            to verify connections to the TPP instance. If specified, system
-                            roots will not be used and the issuing CA for the TPP instance
-                            must be verifiable using the provided root. If not specified,
-                            the connection will be verified using the cert-manager system
-                            root certificates.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing
-                            the username and password for the TPP server. The secret must
-                            contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                        url:
-                          description: URL is the base URL for the Venafi TPP instance
-                          type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer.
-                        All requests made to the Venafi platform will be restricted by
-                        the named zone policy. This field is required.
-                      type: string
-            status:
-              description: IssuerStatus contains status information about an Issuer
-              type: object
-              properties:
-                acme:
-                  type: object
-                  properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the
-                        latest registered ACME account, in order to track changes made
-                        to registered account associated with the  Issuer
-                      type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also
-                        be used to retrieve account details from the CA
-                      type: string
-                conditions:
+                server:
+                  description: Server is the ACME server URL
+                  type: string
+                skipTLSVerify:
+                  description: If true, skip verifying the ACME server TLS certificate
+                  type: boolean
+                solvers:
+                  description: Solvers is a list of challenge solvers that will be
+                    used to solve ACME challenges for the matching domains.
                   type: array
                   items:
-                    description: IssuerCondition contains condition information for an
-                      Issuer.
                     type: object
-                    required:
-                    - status
-                    - type
                     properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding
-                          to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details
-                          of the last transition, complementing reason.
-                        type: string
-                      reason:
-                        description: Reason is a brief machine readable explanation for
-                          the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of ('True', 'False',
-                          'Unknown').
-                        type: string
-                        enum:
-                        - "True"
-                        - "False"
-                        - Unknown
-                      type:
-                        description: Type of the condition, currently ('Ready').
-                        type: string
\ No newline at end of file
+                      dns01:
+                        type: object
+                        properties:
+                          acmedns:
+                            description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
+                              containing the configuration for ACME-DNS servers
+                            type: object
+                            required:
+                            - accountSecretRef
+                            - host
+                            properties:
+                              accountSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              host:
+                                type: string
+                          akamai:
+                            description: ACMEIssuerDNS01ProviderAkamai is a structure
+                              containing the DNS configuration for Akamai DNS—Zone
+                              Record Management API
+                            type: object
+                            required:
+                            - accessTokenSecretRef
+                            - clientSecretSecretRef
+                            - clientTokenSecretRef
+                            - serviceConsumerDomain
+                            properties:
+                              accessTokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              clientSecretSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              clientTokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              serviceConsumerDomain:
+                                type: string
+                          azuredns:
+                            description: ACMEIssuerDNS01ProviderAzureDNS is a structure
+                              containing the configuration for Azure DNS
+                            type: object
+                            required:
+                            - resourceGroupName
+                            - subscriptionID
+                            properties:
+                              clientID:
+                                description: if both this and ClientSecret are left
+                                  unset MSI will be used
+                                type: string
+                              clientSecretSecretRef:
+                                description: if both this and ClientID are left unset
+                                  MSI will be used
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              environment:
+                                type: string
+                                enum:
+                                - AzurePublicCloud
+                                - AzureChinaCloud
+                                - AzureGermanCloud
+                                - AzureUSGovernmentCloud
+                              hostedZoneName:
+                                type: string
+                              resourceGroupName:
+                                type: string
+                              subscriptionID:
+                                type: string
+                              tenantID:
+                                description: when specifying ClientID and ClientSecret
+                                  then this field is also needed
+                                type: string
+                          clouddns:
+                            description: ACMEIssuerDNS01ProviderCloudDNS is a structure
+                              containing the DNS configuration for Google Cloud DNS
+                            type: object
+                            required:
+                            - project
+                            properties:
+                              project:
+                                type: string
+                              serviceAccountSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          cloudflare:
+                            description: ACMEIssuerDNS01ProviderCloudflare is a structure
+                              containing the DNS configuration for Cloudflare
+                            type: object
+                            required:
+                            - email
+                            properties:
+                              apiKeySecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              apiTokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              email:
+                                type: string
+                          cnameStrategy:
+                            description: CNAMEStrategy configures how the DNS01 provider
+                              should handle CNAME records when found in DNS zones.
+                            type: string
+                            enum:
+                            - None
+                            - Follow
+                          digitalocean:
+                            description: ACMEIssuerDNS01ProviderDigitalOcean is a
+                              structure containing the DNS configuration for DigitalOcean
+                              Domains
+                            type: object
+                            required:
+                            - tokenSecretRef
+                            properties:
+                              tokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          rfc2136:
+                            description: ACMEIssuerDNS01ProviderRFC2136 is a structure
+                              containing the configuration for RFC2136 DNS
+                            type: object
+                            required:
+                            - nameserver
+                            properties:
+                              nameserver:
+                                description: The IP address or hostname of an authoritative
+                                  DNS server supporting RFC2136 in the form host:port.
+                                  If the host is an IPv6 address it must be enclosed
+                                  in square brackets (e.g [2001:db8::1]) ; port is
+                                  optional. This field is required.
+                                type: string
+                              tsigAlgorithm:
+                                description: 'The TSIG Algorithm configured in the
+                                  DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                  and ``tsigKeyName`` are defined. Supported values
+                                  are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
+                                  ``HMACSHA256`` or ``HMACSHA512``.'
+                                type: string
+                              tsigKeyName:
+                                description: The TSIG Key name configured in the DNS.
+                                  If ``tsigSecretSecretRef`` is defined, this field
+                                  is required.
+                                type: string
+                              tsigSecretSecretRef:
+                                description: The name of the secret containing the
+                                  TSIG value. If ``tsigKeyName`` is defined, this
+                                  field is required.
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          route53:
+                            description: ACMEIssuerDNS01ProviderRoute53 is a structure
+                              containing the Route 53 configuration for AWS
+                            type: object
+                            required:
+                            - region
+                            properties:
+                              accessKeyID:
+                                description: 'The AccessKeyID is used for authentication.
+                                  If not set we fall-back to using env vars, shared
+                                  credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                type: string
+                              hostedZoneID:
+                                description: If set, the provider will manage only
+                                  this zone in Route53 and will not do an lookup using
+                                  the route53:ListHostedZonesByName api call.
+                                type: string
+                              region:
+                                description: Always set the region when using AccessKeyID
+                                  and SecretAccessKey
+                                type: string
+                              role:
+                                description: Role is a Role ARN which the Route53
+                                  provider will assume using either the explicit credentials
+                                  AccessKeyID/SecretAccessKey or the inferred credentials
+                                  from environment variables, shared credentials file
+                                  or AWS Instance metadata
+                                type: string
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication.
+                                  If not set we fall-back to using env vars, shared
+                                  credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          webhook:
+                            description: ACMEIssuerDNS01ProviderWebhook specifies
+                              configuration for a webhook DNS01 provider, including
+                              where to POST ChallengePayload resources.
+                            type: object
+                            required:
+                            - groupName
+                            - solverName
+                            properties:
+                              config:
+                                description: Additional configuration that should
+                                  be passed to the webhook apiserver when challenges
+                                  are processed. This can contain arbitrary JSON data.
+                                  Secret values should not be specified in this stanza.
+                                  If secret values are needed (e.g. credentials for
+                                  a DNS service), you should use a SecretKeySelector
+                                  to reference a Secret resource. For details on the
+                                  schema of this field, consult the webhook provider
+                                  implementation's documentation.
+                                x-kubernetes-preserve-unknown-fields: true
+                              groupName:
+                                description: The API group name that should be used
+                                  when POSTing ChallengePayload resources to the webhook
+                                  apiserver. This should be the same as the GroupName
+                                  specified in the webhook provider implementation.
+                                type: string
+                              solverName:
+                                description: The name of the solver to use, as defined
+                                  in the webhook provider implementation. This will
+                                  typically be the name of the provider, e.g. 'cloudflare'.
+                                type: string
+                      http01:
+                        description: ACMEChallengeSolverHTTP01 contains configuration
+                          detailing how to solve HTTP01 challenges within a Kubernetes
+                          cluster. Typically this is accomplished through creating
+                          'routes' of some description that configure ingress controllers
+                          to direct traffic to 'solver pods', which are responsible
+                          for responding to the ACME server's HTTP requests.
+                        type: object
+                        properties:
+                          ingress:
+                            description: The ingress based HTTP01 challenge solver
+                              will solve challenges by creating or modifying Ingress
+                              resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                              to 'challenge solver' pods that are provisioned by cert-manager
+                              for each Challenge to be completed.
+                            type: object
+                            properties:
+                              class:
+                                description: The ingress class to use when creating
+                                  Ingress resources to solve ACME challenges that
+                                  use this challenge solver. Only one of 'class' or
+                                  'name' may be specified.
+                                type: string
+                              ingressTemplate:
+                                description: Optional ingress template used to configure
+                                  the ACME challenge solver ingress used for HTTP01
+                                  challenges
+                                type: object
+                                properties:
+                                  metadata:
+                                    description: ObjectMeta overrides for the ingress
+                                      used to solve HTTP01 challenges. Only the 'labels'
+                                      and 'annotations' fields may be set. If labels
+                                      or annotations overlap with in-built values,
+                                      the values here will override the in-built values.
+                                    type: object
+                                    properties:
+                                      annotations:
+                                        description: Annotations that should be added
+                                          to the created ACME HTTP01 solver ingress.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                      labels:
+                                        description: Labels that should be added to
+                                          the created ACME HTTP01 solver ingress.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                              name:
+                                description: The name of the ingress resource that
+                                  should have ACME challenge solving routes inserted
+                                  into it in order to solve HTTP01 challenges. This
+                                  is typically used in conjunction with ingress controllers
+                                  like ingress-gce, which maintains a 1:1 mapping
+                                  between external IPs and ingress resources.
+                                type: string
+                              podTemplate:
+                                description: Optional pod template used to configure
+                                  the ACME challenge solver pods used for HTTP01 challenges
+                                type: object
+                                properties:
+                                  metadata:
+                                    description: ObjectMeta overrides for the pod
+                                      used to solve HTTP01 challenges. Only the 'labels'
+                                      and 'annotations' fields may be set. If labels
+                                      or annotations overlap with in-built values,
+                                      the values here will override the in-built values.
+                                    type: object
+                                    properties:
+                                      annotations:
+                                        description: Annotations that should be added
+                                          to the create ACME HTTP01 solver pods.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                      labels:
+                                        description: Labels that should be added to
+                                          the created ACME HTTP01 solver pods.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                  spec:
+                                    description: PodSpec defines overrides for the
+                                      HTTP01 challenge solver pod. Only the 'nodeSelector',
+                                      'affinity' and 'tolerations' fields are supported
+                                      currently. All other fields will be ignored.
+                                    type: object
+                                    properties:
+                                      affinity:
+                                        description: If specified, the pod's scheduling
+                                          constraints
+                                        type: object
+                                        properties:
+                                          nodeAffinity:
+                                            description: Describes node affinity scheduling
+                                              rules for the pod.
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  affinity expressions, etc.), compute
+                                                  a sum by iterating through the elements
+                                                  of this field and adding "weight"
+                                                  to the sum if the node matches the
+                                                  corresponding matchExpressions;
+                                                  the node(s) with the highest sum
+                                                  are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: An empty preferred
+                                                    scheduling term matches all objects
+                                                    with implicit weight 0 (i.e. it's
+                                                    a no-op). A null preferred scheduling
+                                                    term matches no objects (i.e.
+                                                    is also a no-op).
+                                                  type: object
+                                                  required:
+                                                  - preference
+                                                  - weight
+                                                  properties:
+                                                    preference:
+                                                      description: A node selector
+                                                        term, associated with the
+                                                        corresponding weight.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's labels.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchFields:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's fields.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                    weight:
+                                                      description: Weight associated
+                                                        with matching the corresponding
+                                                        nodeSelectorTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the affinity requirements
+                                                  specified by this field are not
+                                                  met at scheduling time, the pod
+                                                  will not be scheduled onto the node.
+                                                  If the affinity requirements specified
+                                                  by this field cease to be met at
+                                                  some point during pod execution
+                                                  (e.g. due to an update), the system
+                                                  may or may not try to eventually
+                                                  evict the pod from its node.
+                                                type: object
+                                                required:
+                                                - nodeSelectorTerms
+                                                properties:
+                                                  nodeSelectorTerms:
+                                                    description: Required. A list
+                                                      of node selector terms. The
+                                                      terms are ORed.
+                                                    type: array
+                                                    items:
+                                                      description: A null or empty
+                                                        node selector term matches
+                                                        no objects. The requirements
+                                                        of them are ANDed. The TopologySelectorTerm
+                                                        type implements a subset of
+                                                        the NodeSelectorTerm.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's labels.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchFields:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's fields.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                          podAffinity:
+                                            description: Describes pod affinity scheduling
+                                              rules (e.g. co-locate this pod in the
+                                              same node, zone, etc. as some other
+                                              pod(s)).
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  affinity expressions, etc.), compute
+                                                  a sum by iterating through the elements
+                                                  of this field and adding "weight"
+                                                  to the sum if the node has pods
+                                                  which matches the corresponding
+                                                  podAffinityTerm; the node(s) with
+                                                  the highest sum are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: The weights of all
+                                                    of the matched WeightedPodAffinityTerm
+                                                    fields are added per-node to find
+                                                    the most preferred node(s)
+                                                  type: object
+                                                  required:
+                                                  - podAffinityTerm
+                                                  - weight
+                                                  properties:
+                                                    podAffinityTerm:
+                                                      description: Required. A pod
+                                                        affinity term, associated
+                                                        with the corresponding weight.
+                                                      type: object
+                                                      required:
+                                                      - topologyKey
+                                                      properties:
+                                                        labelSelector:
+                                                          description: A label query
+                                                            over a set of resources,
+                                                            in this case pods.
+                                                          type: object
+                                                          properties:
+                                                            matchExpressions:
+                                                              description: matchExpressions
+                                                                is a list of label
+                                                                selector requirements.
+                                                                The requirements are
+                                                                ANDed.
+                                                              type: array
+                                                              items:
+                                                                description: A label
+                                                                  selector requirement
+                                                                  is a selector that
+                                                                  contains values,
+                                                                  a key, and an operator
+                                                                  that relates the
+                                                                  key and values.
+                                                                type: object
+                                                                required:
+                                                                - key
+                                                                - operator
+                                                                properties:
+                                                                  key:
+                                                                    description: key
+                                                                      is the label
+                                                                      key that the
+                                                                      selector applies
+                                                                      to.
+                                                                    type: string
+                                                                  operator:
+                                                                    description: operator
+                                                                      represents a
+                                                                      key's relationship
+                                                                      to a set of
+                                                                      values. Valid
+                                                                      operators are
+                                                                      In, NotIn, Exists
+                                                                      and DoesNotExist.
+                                                                    type: string
+                                                                  values:
+                                                                    description: values
+                                                                      is an array
+                                                                      of string values.
+                                                                      If the operator
+                                                                      is In or NotIn,
+                                                                      the values array
+                                                                      must be non-empty.
+                                                                      If the operator
+                                                                      is Exists or
+                                                                      DoesNotExist,
+                                                                      the values array
+                                                                      must be empty.
+                                                                      This array is
+                                                                      replaced during
+                                                                      a strategic
+                                                                      merge patch.
+                                                                    type: array
+                                                                    items:
+                                                                      type: string
+                                                            matchLabels:
+                                                              description: matchLabels
+                                                                is a map of {key,value}
+                                                                pairs. A single {key,value}
+                                                                in the matchLabels
+                                                                map is equivalent
+                                                                to an element of matchExpressions,
+                                                                whose key field is
+                                                                "key", the operator
+                                                                is "In", and the values
+                                                                array contains only
+                                                                "value". The requirements
+                                                                are ANDed.
+                                                              type: object
+                                                              additionalProperties:
+                                                                type: string
+                                                        namespaces:
+                                                          description: namespaces
+                                                            specifies which namespaces
+                                                            the labelSelector applies
+                                                            to (matches against);
+                                                            null or empty list means
+                                                            "this pod's namespace"
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                        topologyKey:
+                                                          description: This pod should
+                                                            be co-located (affinity)
+                                                            or not co-located (anti-affinity)
+                                                            with the pods matching
+                                                            the labelSelector in the
+                                                            specified namespaces,
+                                                            where co-located is defined
+                                                            as running on a node whose
+                                                            value of the label with
+                                                            key topologyKey matches
+                                                            that of any node on which
+                                                            any of the selected pods
+                                                            is running. Empty topologyKey
+                                                            is not allowed.
+                                                          type: string
+                                                    weight:
+                                                      description: weight associated
+                                                        with matching the corresponding
+                                                        podAffinityTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the affinity requirements
+                                                  specified by this field are not
+                                                  met at scheduling time, the pod
+                                                  will not be scheduled onto the node.
+                                                  If the affinity requirements specified
+                                                  by this field cease to be met at
+                                                  some point during pod execution
+                                                  (e.g. due to a pod label update),
+                                                  the system may or may not try to
+                                                  eventually evict the pod from its
+                                                  node. When there are multiple elements,
+                                                  the lists of nodes corresponding
+                                                  to each podAffinityTerm are intersected,
+                                                  i.e. all terms must be satisfied.
+                                                type: array
+                                                items:
+                                                  description: Defines a set of pods
+                                                    (namely those matching the labelSelector
+                                                    relative to the given namespace(s))
+                                                    that this pod should be co-located
+                                                    (affinity) or not co-located (anti-affinity)
+                                                    with, where co-located is defined
+                                                    as running on a node whose value
+                                                    of the label with key <topologyKey>
+                                                    matches that of any node on which
+                                                    a pod of the set of pods is running
+                                                  type: object
+                                                  required:
+                                                  - topologyKey
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          type: array
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchLabels:
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                          additionalProperties:
+                                                            type: string
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      type: array
+                                                      items:
+                                                        type: string
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                          podAntiAffinity:
+                                            description: Describes pod anti-affinity
+                                              scheduling rules (e.g. avoid putting
+                                              this pod in the same node, zone, etc.
+                                              as some other pod(s)).
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the anti-affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  anti-affinity expressions, etc.),
+                                                  compute a sum by iterating through
+                                                  the elements of this field and adding
+                                                  "weight" to the sum if the node
+                                                  has pods which matches the corresponding
+                                                  podAffinityTerm; the node(s) with
+                                                  the highest sum are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: The weights of all
+                                                    of the matched WeightedPodAffinityTerm
+                                                    fields are added per-node to find
+                                                    the most preferred node(s)
+                                                  type: object
+                                                  required:
+                                                  - podAffinityTerm
+                                                  - weight
+                                                  properties:
+                                                    podAffinityTerm:
+                                                      description: Required. A pod
+                                                        affinity term, associated
+                                                        with the corresponding weight.
+                                                      type: object
+                                                      required:
+                                                      - topologyKey
+                                                      properties:
+                                                        labelSelector:
+                                                          description: A label query
+                                                            over a set of resources,
+                                                            in this case pods.
+                                                          type: object
+                                                          properties:
+                                                            matchExpressions:
+                                                              description: matchExpressions
+                                                                is a list of label
+                                                                selector requirements.
+                                                                The requirements are
+                                                                ANDed.
+                                                              type: array
+                                                              items:
+                                                                description: A label
+                                                                  selector requirement
+                                                                  is a selector that
+                                                                  contains values,
+                                                                  a key, and an operator
+                                                                  that relates the
+                                                                  key and values.
+                                                                type: object
+                                                                required:
+                                                                - key
+                                                                - operator
+                                                                properties:
+                                                                  key:
+                                                                    description: key
+                                                                      is the label
+                                                                      key that the
+                                                                      selector applies
+                                                                      to.
+                                                                    type: string
+                                                                  operator:
+                                                                    description: operator
+                                                                      represents a
+                                                                      key's relationship
+                                                                      to a set of
+                                                                      values. Valid
+                                                                      operators are
+                                                                      In, NotIn, Exists
+                                                                      and DoesNotExist.
+                                                                    type: string
+                                                                  values:
+                                                                    description: values
+                                                                      is an array
+                                                                      of string values.
+                                                                      If the operator
+                                                                      is In or NotIn,
+                                                                      the values array
+                                                                      must be non-empty.
+                                                                      If the operator
+                                                                      is Exists or
+                                                                      DoesNotExist,
+                                                                      the values array
+                                                                      must be empty.
+                                                                      This array is
+                                                                      replaced during
+                                                                      a strategic
+                                                                      merge patch.
+                                                                    type: array
+                                                                    items:
+                                                                      type: string
+                                                            matchLabels:
+                                                              description: matchLabels
+                                                                is a map of {key,value}
+                                                                pairs. A single {key,value}
+                                                                in the matchLabels
+                                                                map is equivalent
+                                                                to an element of matchExpressions,
+                                                                whose key field is
+                                                                "key", the operator
+                                                                is "In", and the values
+                                                                array contains only
+                                                                "value". The requirements
+                                                                are ANDed.
+                                                              type: object
+                                                              additionalProperties:
+                                                                type: string
+                                                        namespaces:
+                                                          description: namespaces
+                                                            specifies which namespaces
+                                                            the labelSelector applies
+                                                            to (matches against);
+                                                            null or empty list means
+                                                            "this pod's namespace"
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                        topologyKey:
+                                                          description: This pod should
+                                                            be co-located (affinity)
+                                                            or not co-located (anti-affinity)
+                                                            with the pods matching
+                                                            the labelSelector in the
+                                                            specified namespaces,
+                                                            where co-located is defined
+                                                            as running on a node whose
+                                                            value of the label with
+                                                            key topologyKey matches
+                                                            that of any node on which
+                                                            any of the selected pods
+                                                            is running. Empty topologyKey
+                                                            is not allowed.
+                                                          type: string
+                                                    weight:
+                                                      description: weight associated
+                                                        with matching the corresponding
+                                                        podAffinityTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the anti-affinity
+                                                  requirements specified by this field
+                                                  are not met at scheduling time,
+                                                  the pod will not be scheduled onto
+                                                  the node. If the anti-affinity requirements
+                                                  specified by this field cease to
+                                                  be met at some point during pod
+                                                  execution (e.g. due to a pod label
+                                                  update), the system may or may not
+                                                  try to eventually evict the pod
+                                                  from its node. When there are multiple
+                                                  elements, the lists of nodes corresponding
+                                                  to each podAffinityTerm are intersected,
+                                                  i.e. all terms must be satisfied.
+                                                type: array
+                                                items:
+                                                  description: Defines a set of pods
+                                                    (namely those matching the labelSelector
+                                                    relative to the given namespace(s))
+                                                    that this pod should be co-located
+                                                    (affinity) or not co-located (anti-affinity)
+                                                    with, where co-located is defined
+                                                    as running on a node whose value
+                                                    of the label with key <topologyKey>
+                                                    matches that of any node on which
+                                                    a pod of the set of pods is running
+                                                  type: object
+                                                  required:
+                                                  - topologyKey
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          type: array
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchLabels:
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                          additionalProperties:
+                                                            type: string
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      type: array
+                                                      items:
+                                                        type: string
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                      nodeSelector:
+                                        description: 'NodeSelector is a selector which
+                                          must be true for the pod to fit on a node.
+                                          Selector which must match a node''s labels
+                                          for the pod to be scheduled on that node.
+                                          More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                      tolerations:
+                                        description: If specified, the pod's tolerations.
+                                        type: array
+                                        items:
+                                          description: The pod this Toleration is
+                                            attached to tolerates any taint that matches
+                                            the triple <key,value,effect> using the
+                                            matching operator <operator>.
+                                          type: object
+                                          properties:
+                                            effect:
+                                              description: Effect indicates the taint
+                                                effect to match. Empty means match
+                                                all taint effects. When specified,
+                                                allowed values are NoSchedule, PreferNoSchedule
+                                                and NoExecute.
+                                              type: string
+                                            key:
+                                              description: Key is the taint key that
+                                                the toleration applies to. Empty means
+                                                match all taint keys. If the key is
+                                                empty, operator must be Exists; this
+                                                combination means to match all values
+                                                and all keys.
+                                              type: string
+                                            operator:
+                                              description: Operator represents a key's
+                                                relationship to the value. Valid operators
+                                                are Exists and Equal. Defaults to
+                                                Equal. Exists is equivalent to wildcard
+                                                for value, so that a pod can tolerate
+                                                all taints of a particular category.
+                                              type: string
+                                            tolerationSeconds:
+                                              description: TolerationSeconds represents
+                                                the period of time the toleration
+                                                (which must be of effect NoExecute,
+                                                otherwise this field is ignored) tolerates
+                                                the taint. By default, it is not set,
+                                                which means tolerate the taint forever
+                                                (do not evict). Zero and negative
+                                                values will be treated as 0 (evict
+                                                immediately) by the system.
+                                              type: integer
+                                              format: int64
+                                            value:
+                                              description: Value is the taint value
+                                                the toleration matches to. If the
+                                                operator is Exists, the value should
+                                                be empty, otherwise just a regular
+                                                string.
+                                              type: string
+                              serviceType:
+                                description: Optional service type for Kubernetes
+                                  solver service
+                                type: string
+                      selector:
+                        description: Selector selects a set of DNSNames on the Certificate
+                          resource that should be solved using this challenge solver.
+                        type: object
+                        properties:
+                          dnsNames:
+                            description: List of DNSNames that this solver will be
+                              used to solve. If specified and a match is found, a
+                              dnsNames selector will take precedence over a dnsZones
+                              selector. If multiple solvers match with the same dnsNames
+                              value, the solver with the most matching labels in matchLabels
+                              will be selected. If neither has more matches, the solver
+                              defined earlier in the list will be selected.
+                            type: array
+                            items:
+                              type: string
+                          dnsZones:
+                            description: List of DNSZones that this solver will be
+                              used to solve. The most specific DNS zone match specified
+                              here will take precedence over other DNS zone matches,
+                              so a solver specifying sys.example.com will be selected
+                              over one specifying example.com for the domain www.sys.example.com.
+                              If multiple solvers match with the same dnsZones value,
+                              the solver with the most matching labels in matchLabels
+                              will be selected. If neither has more matches, the solver
+                              defined earlier in the list will be selected.
+                            type: array
+                            items:
+                              type: string
+                          matchLabels:
+                            description: A label selector that is used to refine the
+                              set of certificate's that this challenge solver will
+                              apply to.
+                            type: object
+                            additionalProperties:
+                              type: string
+            ca:
+              type: object
+              required:
+              - secretName
+              properties:
+                crlDistributionPoints:
+                  description: The CRL distribution points is an X.509 v3 certificate
+                    extension which identifies the location of the CRL from which
+                    the revocation of this certificate can be checked. If not set
+                    certificate will be issued without CDP. Values are strings.
+                  type: array
+                  items:
+                    type: string
+                secretName:
+                  description: SecretName is the name of the secret used to sign Certificates
+                    issued by this Issuer.
+                  type: string
+            selfSigned:
+              type: object
+              properties:
+                crlDistributionPoints:
+                  description: The CRL distribution points is an X.509 v3 certificate
+                    extension which identifies the location of the CRL from which
+                    the revocation of this certificate can be checked. If not set
+                    certificate will be issued without CDP. Values are strings.
+                  type: array
+                  items:
+                    type: string
+            vault:
+              type: object
+              required:
+              - auth
+              - path
+              - server
+              properties:
+                auth:
+                  description: Vault authentication
+                  type: object
+                  properties:
+                    appRole:
+                      description: This Secret contains a AppRole and Secret
+                      type: object
+                      required:
+                      - path
+                      - roleId
+                      - secretRef
+                      properties:
+                        path:
+                          description: Where the authentication path is mounted in
+                            Vault.
+                          type: string
+                        roleId:
+                          type: string
+                        secretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    kubernetes:
+                      description: This contains a Role and Secret with a ServiceAccount
+                        token to authenticate with vault.
+                      type: object
+                      required:
+                      - role
+                      - secretRef
+                      properties:
+                        mountPath:
+                          description: The Vault mountPath here is the mount path
+                            to use when authenticating with Vault. For example, setting
+                            a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
+                            to authenticate with Vault. If unspecified, the default
+                            value "/v1/auth/kubernetes" will be used.
+                          type: string
+                        role:
+                          description: A required field containing the Vault Role
+                            to assume. A Role binds a Kubernetes ServiceAccount with
+                            a set of Vault policies.
+                          type: string
+                        secretRef:
+                          description: The required Secret field containing a Kubernetes
+                            ServiceAccount JWT used for authenticating with Vault.
+                            Use of 'ambient credentials' is not supported.
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    tokenSecretRef:
+                      description: This Secret contains the Vault token key
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        key:
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                caBundle:
+                  description: Base64 encoded CA bundle to validate Vault server certificate.
+                    Only used if the Server URL is using HTTPS protocol. This parameter
+                    is ignored for plain HTTP protocol connection. If not set the
+                    system root certificates are used to validate the TLS connection.
+                  type: string
+                  format: byte
+                path:
+                  description: Vault URL path to the certificate role
+                  type: string
+                server:
+                  description: Server is the vault connection address
+                  type: string
+            venafi:
+              description: VenafiIssuer describes issuer configuration details for
+                Venafi Cloud.
+              type: object
+              required:
+              - zone
+              properties:
+                cloud:
+                  description: Cloud specifies the Venafi cloud configuration settings.
+                    Only one of TPP or Cloud may be specified.
+                  type: object
+                  required:
+                  - apiTokenSecretRef
+                  properties:
+                    apiTokenSecretRef:
+                      description: APITokenSecretRef is a secret key selector for
+                        the Venafi Cloud API token.
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        key:
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                    url:
+                      description: URL is the base URL for Venafi Cloud
+                      type: string
+                tpp:
+                  description: TPP specifies Trust Protection Platform configuration
+                    settings. Only one of TPP or Cloud may be specified.
+                  type: object
+                  required:
+                  - credentialsRef
+                  - url
+                  properties:
+                    caBundle:
+                      description: CABundle is a PEM encoded TLS certificate to use
+                        to verify connections to the TPP instance. If specified, system
+                        roots will not be used and the issuing CA for the TPP instance
+                        must be verifiable using the provided root. If not specified,
+                        the connection will be verified using the cert-manager system
+                        root certificates.
+                      type: string
+                      format: byte
+                    credentialsRef:
+                      description: CredentialsRef is a reference to a Secret containing
+                        the username and password for the TPP server. The secret must
+                        contain two keys, 'username' and 'password'.
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                    url:
+                      description: URL is the base URL for the Venafi TPP instance
+                      type: string
+                zone:
+                  description: Zone is the Venafi Policy Zone to use for this issuer.
+                    All requests made to the Venafi platform will be restricted by
+                    the named zone policy. This field is required.
+                  type: string
+        status:
+          description: IssuerStatus contains status information about an Issuer
+          type: object
+          properties:
+            acme:
+              type: object
+              properties:
+                lastRegisteredEmail:
+                  description: LastRegisteredEmail is the email associated with the
+                    latest registered ACME account, in order to track changes made
+                    to registered account associated with the  Issuer
+                  type: string
+                uri:
+                  description: URI is the unique account identifier, which can also
+                    be used to retrieve account details from the CA
+                  type: string
+            conditions:
+              type: array
+              items:
+                description: IssuerCondition contains condition information for an
+                  Issuer.
+                type: object
+                required:
+                - status
+                - type
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp corresponding
+                      to the last status change of this condition.
+                    type: string
+                    format: date-time
+                  message:
+                    description: Message is a human readable description of the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 'False',
+                      'Unknown').
+                    type: string
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2
new file mode 100644
index 000000000..c0dc137ac
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2
@@ -0,0 +1,253 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: orders.acme.cert-manager.io
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.state
+    name: State
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.reason
+    name: Reason
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: acme.cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
+  names:
+    kind: Order
+    listKind: OrderList
+    plural: orders
+    singular: order
+  scope: Namespaced
+  subresources:
+    status: {}
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      description: Order is a type to represent an Order with an ACME server
+      type: object
+      required:
+      - metadata
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          type: object
+          required:
+          - csr
+          - issuerRef
+          properties:
+            commonName:
+              description: CommonName is the common name as specified on the DER encoded
+                CSR. If CommonName is not specified, the first DNSName specified will
+                be used as the CommonName. At least one of CommonName or a DNSNames
+                must be set. This field must match the corresponding field on the
+                DER encoded CSR.
+              type: string
+            csr:
+              description: Certificate signing request bytes in DER encoding. This
+                will be used when finalizing the order. This field must be set on
+                the order.
+              type: string
+              format: byte
+            dnsNames:
+              description: DNSNames is a list of DNS names that should be included
+                as part of the Order validation process. If CommonName is not specified,
+                the first DNSName specified will be used as the CommonName. At least
+                one of CommonName or a DNSNames must be set. This field must match
+                the corresponding field on the DER encoded CSR.
+              type: array
+              items:
+                type: string
+            issuerRef:
+              description: IssuerRef references a properly configured ACME-type Issuer
+                which should be used to create this Order. If the Issuer does not
+                exist, processing will be retried. If the Issuer is not an 'ACME'
+                Issuer, an error will be returned and the Order will be marked as
+                failed.
+              type: object
+              required:
+              - name
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+        status:
+          type: object
+          properties:
+            authorizations:
+              description: Authorizations contains data returned from the ACME server
+                on what authorizations must be completed in order to validate the
+                DNS names specified on the Order.
+              type: array
+              items:
+                description: ACMEAuthorization contains data returned from the ACME
+                  server on an authorization that must be completed in order validate
+                  a DNS name on an ACME Order resource.
+                type: object
+                required:
+                - url
+                properties:
+                  challenges:
+                    description: Challenges specifies the challenge types offered
+                      by the ACME server. One of these challenge types will be selected
+                      when validating the DNS name and an appropriate Challenge resource
+                      will be created to perform the ACME challenge process.
+                    type: array
+                    items:
+                      description: Challenge specifies a challenge offered by the
+                        ACME server for an Order. An appropriate Challenge resource
+                        can be created to perform the ACME challenge process.
+                      type: object
+                      required:
+                      - token
+                      - type
+                      - url
+                      properties:
+                        token:
+                          description: Token is the token that must be presented for
+                            this challenge. This is used to compute the 'key' that
+                            must also be presented.
+                          type: string
+                        type:
+                          description: Type is the type of challenge being offered,
+                            e.g. http-01, dns-01
+                          type: string
+                        url:
+                          description: URL is the URL of this challenge. It can be
+                            used to retrieve additional metadata about the Challenge
+                            from the ACME server.
+                          type: string
+                  identifier:
+                    description: Identifier is the DNS name to be validated as part
+                      of this authorization
+                    type: string
+                  initialState:
+                    description: InitialState is the initial state of the ACME authorization
+                      when first fetched from the ACME server. If an Authorization
+                      is already 'valid', the Order controller will not create a Challenge
+                      resource for the authorization. This will occur when working
+                      with an ACME server that enables 'authz reuse' (such as Let's
+                      Encrypt's production endpoint). If not set and 'identifier'
+                      is set, the state is assumed to be pending and a Challenge will
+                      be created.
+                    type: string
+                    enum:
+                    - valid
+                    - ready
+                    - pending
+                    - processing
+                    - invalid
+                    - expired
+                    - errored
+                  url:
+                    description: URL is the URL of the Authorization that must be
+                      completed
+                    type: string
+                  wildcard:
+                    description: Wildcard will be true if this authorization is for
+                      a wildcard DNS name. If this is true, the identifier will be
+                      the *non-wildcard* version of the DNS name. For example, if
+                      '*.example.com' is the DNS name being validated, this field
+                      will be 'true' and the 'identifier' field will be 'example.com'.
+                    type: boolean
+            certificate:
+              description: Certificate is a copy of the PEM encoded certificate for
+                this Order. This field will be populated after the order has been
+                successfully finalized with the ACME server, and the order has transitioned
+                to the 'valid' state.
+              type: string
+              format: byte
+            failureTime:
+              description: FailureTime stores the time that this order failed. This
+                is used to influence garbage collection and back-off.
+              type: string
+              format: date-time
+            finalizeURL:
+              description: FinalizeURL of the Order. This is used to obtain certificates
+                for this order once it has been completed.
+              type: string
+            reason:
+              description: Reason optionally provides more information about a why
+                the order is in the current state.
+              type: string
+            state:
+              description: State contains the current state of this Order resource.
+                States 'success' and 'expired' are 'final'
+              type: string
+              enum:
+              - valid
+              - ready
+              - pending
+              - processing
+              - invalid
+              - expired
+              - errored
+            url:
+              description: URL of the Order. This will initially be empty when the
+                resource is first created. The Order controller will populate this
+                field when the Order is first processed. This field will be immutable
+                after it is initially set.
+              type: string
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
index 383dab5d3..fcf1890fb 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
@@ -1,3 +1,62 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cainjector
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: cainjector
+  template:
+    metadata:
+      labels:
+        app: cainjector
+        app.kubernetes.io/name: cainjector
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: cainjector
+        helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    spec:
+      serviceAccountName: cert-manager-cainjector
+      containers:
+        - name: cert-manager
+          image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
+          imagePullPolicy: {{ k8s_image_pull_policy }}
+          args:
+          - --v=2
+          - --leader-election-namespace=kube-system
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          resources:
+            {}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -6,39 +65,113 @@ metadata:
   namespace: {{ cert_manager_namespace }}
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: cert-manager
-      release: cert-manager
+      app.kubernetes.io/name: cert-manager
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
   template:
     metadata:
       labels:
         app: cert-manager
-        release: cert-manager
+        app.kubernetes.io/name: cert-manager
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/managed-by: Helm
+        helm.sh/chart: cert-manager-{{ cert_manager_version }}
       annotations:
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
     spec:
-      priorityClassName: {% if cert_manager_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
       serviceAccountName: cert-manager
       containers:
         - name: cert-manager
-          image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}
+          image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
           imagePullPolicy: {{ k8s_image_pull_policy }}
           args:
-            - --cluster-resource-namespace=$(POD_NAMESPACE)
-            - --leader-election-namespace=$(POD_NAMESPACE)
+          - --v=2
+          - --cluster-resource-namespace=$(POD_NAMESPACE)
+          - --leader-election-namespace=kube-system
+          ports:
+          - containerPort: 9402
+            protocol: TCP
           env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
           resources:
-            requests:
-              cpu: 10m
-              memory: 32Mi
-          securityContext:
-            runAsUser: {{ cert_manager_user }}
+            {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: webhook
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: webhook
+  template:
+    metadata:
+      labels:
+        app: webhook
+        app.kubernetes.io/name: webhook
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: webhook
+        helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    spec:
+      serviceAccountName: cert-manager-webhook
+      containers:
+        - name: cert-manager
+          image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
+          imagePullPolicy: {{ k8s_image_pull_policy }}
+          args:
+          - --v=2
+          - --secure-port=10250
+          - --dynamic-serving-ca-secret-namespace={{ cert_manager_namespace }}
+          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
+          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
+          ports:
+          - name: https
+            containerPort: 10250
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 6080
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 6080
+              scheme: HTTP
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          resources:
+            {}
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2
new file mode 100644
index 000000000..0c9208c83
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2
@@ -0,0 +1,85 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  # Used for leader election by the controller
+  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
+  #   see cmd/cainjector/start.go#L113
+  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
+  #   see cmd/cainjector/start.go#L137
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
+    verbs: ["get", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: cert-manager:leaderelection
+  namespace: kube-system
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  # Used for leader election by the controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["cert-manager-controller"]
+    verbs: ["get", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: cert-manager-webhook:dynamic-serving
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames:
+  - 'cert-manager-webhook-ca'
+  verbs: ["get", "list", "watch", "update"]
+# It's not possible to grant CREATE permission on a single resourceName.
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2
new file mode 100644
index 000000000..cffb81903
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2
@@ -0,0 +1,79 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-cainjector:leaderelection
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-cainjector
+    namespace: {{ cert_manager_namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: cert-manager:leaderelection
+  namespace: kube-system
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager:leaderelection
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook:dynamic-serving
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook:dynamic-serving
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
index 6380634a7..126aa49b1 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
@@ -1,3 +1,30 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -6,6 +33,21 @@ metadata:
   namespace: {{ cert_manager_namespace }}
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2
new file mode 100644
index 000000000..c9785f43e
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-key-pair
+  namespace: {{ cert_manager_namespace }}
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvRENDQW9pZ0F3SUJBZ0lVYXRUWVNIK1lUMVJvbXVGekF2clFRWGtsQ0Vrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTVJNd0VRWURWUVFECkV3cExkV0psY201bGRHVnpNQjRYRFRJd01EY3hNREUxTWpFd01Gb1hEVEkxTURjd09URTFNakV3TUZvd2FERUwKTUFrR0ExVUVCaE1DVlZNeER6QU5CZ05WQkFnVEJrOXlaV2R2YmpFUk1BOEdBMVVFQnhNSVVHOXlkR3hoYm1ReApFekFSQmdOVkJBb1RDa3QxWW1WeWJtVjBaWE14Q3pBSkJnTlZCQXNUQWtOQk1STXdFUVlEVlFRREV3cExkV0psCmNtNWxkR1Z6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0MmZFNUhRSm8vNGIKRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZObzUrNTNqQ29SdFFWd1FyYU12QnozMGRJbzd6agpMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1ZOTkgzN05KVUVKV0NHTnVoUmVFNDRpcUtmSDV3Ck9iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZERsUk9jdzBSRmdieDkvWk5GS1lYR3BQcmdyR0wKWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjd3RCZkxOV0pWbGRET2dJNFpmWDBaNnNBN2lobgptQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlJnamJNblRxQ2hGa1ZROHhtaXMwckZmMVprN3ZwCjNOMWFtY2hBQVFJREFRQUJvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIKL3pBZEJnTlZIUTRFRmdRVTFEaTE0aVpKWGczajNObHdjenZFR1dwRFN2SXdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQURkR1FDSFcwNkFVZUo4alM3cURPM2F1TG4xTHE0c1JCWHBoVUZ6TGRyMi9rUUlZd1BtcTRmb09RMjBwCitLTVUyanpmR0VHd3ZOU0p2QnphNHRGS1NiZHRpeFI3RmsyREdPLzc5a3ZPZ2o3UVRrUUpkUzNwaWtSc09EMlUKaytpa09qL2wyTkRSRFVXZlh4RjRjeVZTZ0VubDExUUVDa0JrUHBIYlIrUHQxYWhnMGVRMElnL0MvZC8vN2Vtegp3ZWNUZjBsQkc1UmszaURHdkxhaHdTek9jQWhSY1BxVW9idCs1bTVycmp0R3BrTFNQOTBzVko2TTZ3ZE43dGR4CkNpTktWWGRZaHBZWmUrQ1hEQ2lRR0NLVHE5NHJPbGptVmh5Z0FKWjlBOERVOWVZRmVOci9oOW84c2JYNFlzcU0KV3YwREkyQldlQ3k3MmlXZXErNHkwTENKSzQ4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdDJmRTVIUUpvLzRiRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZOCm81KzUzakNvUnRRVndRcmFNdkJ6MzBkSW83empMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1YKTk5IMzdOSlVFSldDR051aFJlRTQ0aXFLZkg1d09iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZApEbFJPY3cwUkZnYng5L1pORktZWEdwUHJnckdMWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjCnd0QmZMTldKVmxkRE9nSTRaZlgwWjZzQTdpaG5tQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlIKZ2piTW5UcUNoRmtWUTh4bWlzMHJGZjFaazd2cDNOMWFtY2hBQVFJREFRQUJBb0lCQUJZd2R0RFEvUzJiRzduKwpTQ0F4SEJnZVdrN21wVXNjZ0dqdVpQbWhVQm55K0ZjVXNNMEFFU1BCclVwTWRJbFRmOHl6N01EeHhlY1Jma2J2ClFuZExkVExodFBUZEIyaUVNdVNtQTVyS3A1cFkxdjB2cVJrbjRpQUQzbW5YUE5NM0YwNzJEY1RITXRRWEZBclgKbzNWN2N5b0JveXZXV0RNaXpHREJ0Q2YrbnhFeFFzS0lLUGFxRzlDVWZlSU95RVgzRXJ6QWo3b3lnSXFLZGozbgpFbVBzbThrWDVROW9iOUZwd3FKNkxMTzcxTklQZnpaOUNLSXpSYzBNU3grL3hPYmdKSlJCNmtZTXpjWkloQ1JBClNNclBsYXZLMEVzMHpoTnIyc05aZHBlSmRzWGk5YURwZjhMOTEvdFpJeEpSMEdSUXpEZXhBN2FWdk8vVUo0N0YKOXNXUVBUVUNnWUVBeXNvTm01VHdkNWZqRzk3NXVRa3pGQUgrRGVCNXBlNTBOMkpyN01neWZsVm8zZlJrSTFKKwpsZXlyUnRIempKSzlqeEVtdVJ0YnIvUWZ3MGRUNnhRSnVJSmk3Vmlld3NPNUgzeWtwdytkbm9jVUhVVDhFWEpVCnpLSzRmSGo1SjFrNHBmaHlnNFBJZ0YxMFF1anhJRlc3Q0R3UERJRStuZm5ZczBJZ1U3SkV0OU1DZ1lFQTU0ZWsKTUltWWMyeHhoYTM1U25qd0ZCeEVwSUF3ZGdvdXBROWVsMHhmVVRkdTJsUnA1NHVZaVFVWURhNjJ6RE1kL21QagppSTdqaGl6TEU4VmU4OWh6QXljeTNIRVJPSHNETkhQVG5WN0phcmp3T29aWWIvRnM2NkxtazZMY05BbGI3TER6Cm5FNGdkTEt0cWpQVnBMbmF1T3VOQitXQzY5bm9xRUZpZWxnUWVGc0NnWUIxZGk0RnBYTFlReEZZem9JbHJPOTYKTW1FL0ZueEFJZXdOUEtRNUJnbEJaaVdWRXYrQitrRzZnOWo5NzVTOEl5OUxsR3F5bytjcTl5UUN6K2tLN0pObwozWldCMTJnMmRucGZnNm8zM25LMUpaY0FFVHBVdkwzanZvbFFDQjZCclV1RHozSTlQWE5BNzJEdGROSmVvV254CnJpQWxaU09wQzlSNm1OM3l2UHJTNHdLQmdCQS9WWWRPY0pOUS9kcHFyZjdLNDlZVmNiKzFlekVkWDg2WGVJVFgKaUN6VDNnU1dQZVJReUlCOUNnWVR4NklteUNrTTYyK3V6MHFnSkJRY0dxQzBCTVlvM3duWEtXVTBSTEpPbW9BRgpvYzdLY1prNXlrVDR4VEwzK0lSTnZuUXNYL1lKS045RUlFVHdNUDJycTRkbXYzR1FuaEg2eWlndzM0SEhMTmozCkN4alhBb0dBSjBUNkN0c1c2dEVpYUI5bnc4enI3M2xkMDhraDZSL3B4VHF5c2diNERFTmptd2dndUFoMlJSZkwKYVg3eTNqSUNOTFBjWEFOYlB0QmYrQkRBTTl0UTEzMk5hYzg3N016RHRVSyswem9CWWtwWGM4Rkd4akVuTzc5RQp2MC9vT2wzR2RaWnNJSXhLblcvVlVmYjJydGY1RWgyQytOY1FpWkNXZm5kWkthMXR4WjQ9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2
new file mode 100644
index 000000000..0ee3ff352
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2
@@ -0,0 +1,60 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      port: 9402
+      targetPort: 9402
+  selector:
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: controller
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: https
+    port: 443
+    targetPort: 10250
+  selector:
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: webhook
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2
new file mode 100644
index 000000000..843ac320a
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2
@@ -0,0 +1,96 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: cert-manager-webhook
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+  annotations:
+    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+webhooks:
+  - name: webhook.cert-manager.io
+    rules:
+      - apiGroups:
+          - "cert-manager.io"
+          - "acme.cert-manager.io"
+        apiVersions:
+          - v1alpha2
+          - v1alpha3
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - "*/*"
+    failurePolicy: Fail
+    # Only include 'sideEffects' field in Kubernetes 1.12+
+    sideEffects: None
+    clientConfig:
+      service:
+        name: cert-manager-webhook
+        namespace: {{ cert_manager_namespace }}
+        path: /mutate
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: cert-manager-webhook
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+  annotations:
+    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+webhooks:
+  - name: webhook.cert-manager.io
+    namespaceSelector:
+      matchExpressions:
+      - key: "cert-manager.io/disable-validation"
+        operator: "NotIn"
+        values:
+        - "true"
+      - key: "name"
+        operator: "NotIn"
+        values:
+        - cert-manager
+    rules:
+      - apiGroups:
+          - "cert-manager.io"
+          - "acme.cert-manager.io"
+        apiVersions:
+          - v1alpha2
+          - v1alpha3
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - "*/*"
+    failurePolicy: Fail
+    # Only include 'sideEffects' field in Kubernetes 1.12+
+    sideEffects: None
+    clientConfig:
+      service:
+        name: cert-manager-webhook
+        namespace: {{ cert_manager_namespace }}
+        path: /validate