# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterissuers.cert-manager.io
  annotations:
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
  additionalPrinterColumns:
  - JSONPath: .status.conditions[?(@.type=="Ready")].status
    name: Ready
    type: string
  - JSONPath: .status.conditions[?(@.type=="Ready")].message
    name: Status
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: cert-manager.io
  preserveUnknownFields: false
  conversion:
    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
    strategy: Webhook
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
        namespace: '{{ cert_manager_namespace }}'
        name: 'cert-manager-webhook'
        path: /convert
  names:
    kind: ClusterIssuer
    listKind: ClusterIssuerList
    plural: clusterissuers
    singular: clusterissuer
  scope: Cluster
  subresources:
    status: {}
  versions:
  - name: v1alpha2
    served: true
    storage: true
  - name: v1alpha3
    served: true
    storage: false
  "validation":
    "openAPIV3Schema":
      type: object
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: IssuerSpec is the specification of an Issuer. This includes
            any configuration required for the issuer.
          type: object
          properties:
            acme:
              description: ACMEIssuer contains the specification for an ACME issuer
              type: object
              required:
              - privateKeySecretRef
              - server
              properties:
                email:
                  description: Email is the email for this account
                  type: string
                externalAccountBinding:
                  description: ExternalAccountBinding is a reference to a CA external
                    account of the ACME server.
                  type: object
                  required:
                  - keyAlgorithm
                  - keyID
                  - keySecretRef
                  properties:
                    keyAlgorithm:
                      description: keyAlgorithm is the MAC key algorithm that the
                        key is used for. Valid values are "HS256", "HS384" and "HS512".
                      type: string
                      enum:
                      - HS256
                      - HS384
                      - HS512
                    keyID:
                      description: keyID is the ID of the CA key that the External
                        Account is bound to.
                      type: string
                    keySecretRef:
                      description: keySecretRef is a Secret Key Selector referencing
                        a data item in a Kubernetes Secret which holds the symmetric
                        MAC key of the External Account Binding. The `key` is the
                        index string that is paired with the key data in the Secret
                        and should not be confused with the key data itself, or indeed
                        with the External Account Binding keyID above. The secret
                        key stored in the Secret **must** be un-padded, base64 URL
                        encoded data.
                      type: object
                      required:
                      - name
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                privateKeySecretRef:
                  description: PrivateKey is the name of a secret containing the private
                    key for this user account.
                  type: object
                  required:
                  - name
                  properties:
                    key:
                      description: The key of the secret to select from. Must be a
                        valid secret key.
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                server:
                  description: Server is the ACME server URL
                  type: string
                skipTLSVerify:
                  description: If true, skip verifying the ACME server TLS certificate
                  type: boolean
                solvers:
                  description: Solvers is a list of challenge solvers that will be
                    used to solve ACME challenges for the matching domains.
                  type: array
                  items:
                    type: object
                    properties:
                      dns01:
                        type: object
                        properties:
                          acmedns:
                            description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
                              containing the configuration for ACME-DNS servers
                            type: object
                            required:
                            - accountSecretRef
                            - host
                            properties:
                              accountSecretRef:
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                              host:
                                type: string
                          akamai:
                            description: ACMEIssuerDNS01ProviderAkamai is a structure
                              containing the DNS configuration for Akamai DNS—Zone
                              Record Management API
                            type: object
                            required:
                            - accessTokenSecretRef
                            - clientSecretSecretRef
                            - clientTokenSecretRef
                            - serviceConsumerDomain
                            properties:
                              accessTokenSecretRef:
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                              clientSecretSecretRef:
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                              clientTokenSecretRef:
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                              serviceConsumerDomain:
                                type: string
                          azuredns:
                            description: ACMEIssuerDNS01ProviderAzureDNS is a structure
                              containing the configuration for Azure DNS
                            type: object
                            required:
                            - resourceGroupName
                            - subscriptionID
                            properties:
                              clientID:
                                description: if both this and ClientSecret are left
                                  unset MSI will be used
                                type: string
                              clientSecretSecretRef:
                                description: if both this and ClientID are left unset
                                  MSI will be used
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                              environment:
                                type: string
                                enum:
                                - AzurePublicCloud
                                - AzureChinaCloud
                                - AzureGermanCloud
                                - AzureUSGovernmentCloud
                              hostedZoneName:
                                type: string
                              resourceGroupName:
                                type: string
                              subscriptionID:
                                type: string
                              tenantID:
                                description: when specifying ClientID and ClientSecret
                                  then this field is also needed
                                type: string
                          clouddns:
                            description: ACMEIssuerDNS01ProviderCloudDNS is a structure
                              containing the DNS configuration for Google Cloud DNS
                            type: object
                            required:
                            - project
                            properties:
                              project:
                                type: string
                              serviceAccountSecretRef:
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                          cloudflare:
                            description: ACMEIssuerDNS01ProviderCloudflare is a structure
                              containing the DNS configuration for Cloudflare
                            type: object
                            required:
                            - email
                            properties:
                              apiKeySecretRef:
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                              apiTokenSecretRef:
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                              email:
                                type: string
                          cnameStrategy:
                            description: CNAMEStrategy configures how the DNS01 provider
                              should handle CNAME records when found in DNS zones.
                            type: string
                            enum:
                            - None
                            - Follow
                          digitalocean:
                            description: ACMEIssuerDNS01ProviderDigitalOcean is a
                              structure containing the DNS configuration for DigitalOcean
                              Domains
                            type: object
                            required:
                            - tokenSecretRef
                            properties:
                              tokenSecretRef:
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                          rfc2136:
                            description: ACMEIssuerDNS01ProviderRFC2136 is a structure
                              containing the configuration for RFC2136 DNS
                            type: object
                            required:
                            - nameserver
                            properties:
                              nameserver:
                                description: The IP address or hostname of an authoritative
                                  DNS server supporting RFC2136 in the form host:port.
                                  If the host is an IPv6 address it must be enclosed
                                  in square brackets (e.g [2001:db8::1]) ; port is
                                  optional. This field is required.
                                type: string
                              tsigAlgorithm:
                                description: 'The TSIG Algorithm configured in the
                                  DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
                                  and ``tsigKeyName`` are defined. Supported values
                                  are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
                                  ``HMACSHA256`` or ``HMACSHA512``.'
                                type: string
                              tsigKeyName:
                                description: The TSIG Key name configured in the DNS.
                                  If ``tsigSecretSecretRef`` is defined, this field
                                  is required.
                                type: string
                              tsigSecretSecretRef:
                                description: The name of the secret containing the
                                  TSIG value. If ``tsigKeyName`` is defined, this
                                  field is required.
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                          route53:
                            description: ACMEIssuerDNS01ProviderRoute53 is a structure
                              containing the Route 53 configuration for AWS
                            type: object
                            required:
                            - region
                            properties:
                              accessKeyID:
                                description: 'The AccessKeyID is used for authentication.
                                  If not set we fall-back to using env vars, shared
                                  credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                type: string
                              hostedZoneID:
                                description: If set, the provider will manage only
                                  this zone in Route53 and will not do an lookup using
                                  the route53:ListHostedZonesByName api call.
                                type: string
                              region:
                                description: Always set the region when using AccessKeyID
                                  and SecretAccessKey
                                type: string
                              role:
                                description: Role is a Role ARN which the Route53
                                  provider will assume using either the explicit credentials
                                  AccessKeyID/SecretAccessKey or the inferred credentials
                                  from environment variables, shared credentials file
                                  or AWS Instance metadata
                                type: string
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication.
                                  If not set we fall-back to using env vars, shared
                                  credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                                type: object
                                required:
                                - name
                                properties:
                                  key:
                                    description: The key of the secret to select from.
                                      Must be a valid secret key.
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                      TODO: Add other useful fields. apiVersion, kind,
                                      uid?'
                                    type: string
                          webhook:
                            description: ACMEIssuerDNS01ProviderWebhook specifies
                              configuration for a webhook DNS01 provider, including
                              where to POST ChallengePayload resources.
                            type: object
                            required:
                            - groupName
                            - solverName
                            properties:
                              config:
                                description: Additional configuration that should
                                  be passed to the webhook apiserver when challenges
                                  are processed. This can contain arbitrary JSON data.
                                  Secret values should not be specified in this stanza.
                                  If secret values are needed (e.g. credentials for
                                  a DNS service), you should use a SecretKeySelector
                                  to reference a Secret resource. For details on the
                                  schema of this field, consult the webhook provider
                                  implementation's documentation.
                                x-kubernetes-preserve-unknown-fields: true
                              groupName:
                                description: The API group name that should be used
                                  when POSTing ChallengePayload resources to the webhook
                                  apiserver. This should be the same as the GroupName
                                  specified in the webhook provider implementation.
                                type: string
                              solverName:
                                description: The name of the solver to use, as defined
                                  in the webhook provider implementation. This will
                                  typically be the name of the provider, e.g. 'cloudflare'.
                                type: string
                      http01:
                        description: ACMEChallengeSolverHTTP01 contains configuration
                          detailing how to solve HTTP01 challenges within a Kubernetes
                          cluster. Typically this is accomplished through creating
                          'routes' of some description that configure ingress controllers
                          to direct traffic to 'solver pods', which are responsible
                          for responding to the ACME server's HTTP requests.
                        type: object
                        properties:
                          ingress:
                            description: The ingress based HTTP01 challenge solver
                              will solve challenges by creating or modifying Ingress
                              resources in order to route requests for '/.well-known/acme-challenge/XYZ'
                              to 'challenge solver' pods that are provisioned by cert-manager
                              for each Challenge to be completed.
                            type: object
                            properties:
                              class:
                                description: The ingress class to use when creating
                                  Ingress resources to solve ACME challenges that
                                  use this challenge solver. Only one of 'class' or
                                  'name' may be specified.
                                type: string
                              ingressTemplate:
                                description: Optional ingress template used to configure
                                  the ACME challenge solver ingress used for HTTP01
                                  challenges
                                type: object
                                properties:
                                  metadata:
                                    description: ObjectMeta overrides for the ingress
                                      used to solve HTTP01 challenges. Only the 'labels'
                                      and 'annotations' fields may be set. If labels
                                      or annotations overlap with in-built values,
                                      the values here will override the in-built values.
                                    type: object
                                    properties:
                                      annotations:
                                        description: Annotations that should be added
                                          to the created ACME HTTP01 solver ingress.
                                        type: object
                                        additionalProperties:
                                          type: string
                                      labels:
                                        description: Labels that should be added to
                                          the created ACME HTTP01 solver ingress.
                                        type: object
                                        additionalProperties:
                                          type: string
                              name:
                                description: The name of the ingress resource that
                                  should have ACME challenge solving routes inserted
                                  into it in order to solve HTTP01 challenges. This
                                  is typically used in conjunction with ingress controllers
                                  like ingress-gce, which maintains a 1:1 mapping
                                  between external IPs and ingress resources.
                                type: string
                              podTemplate:
                                description: Optional pod template used to configure
                                  the ACME challenge solver pods used for HTTP01 challenges
                                type: object
                                properties:
                                  metadata:
                                    description: ObjectMeta overrides for the pod
                                      used to solve HTTP01 challenges. Only the 'labels'
                                      and 'annotations' fields may be set. If labels
                                      or annotations overlap with in-built values,
                                      the values here will override the in-built values.
                                    type: object
                                    properties:
                                      annotations:
                                        description: Annotations that should be added
                                          to the create ACME HTTP01 solver pods.
                                        type: object
                                        additionalProperties:
                                          type: string
                                      labels:
                                        description: Labels that should be added to
                                          the created ACME HTTP01 solver pods.
                                        type: object
                                        additionalProperties:
                                          type: string
                                  spec:
                                    description: PodSpec defines overrides for the
                                      HTTP01 challenge solver pod. Only the 'nodeSelector',
                                      'affinity' and 'tolerations' fields are supported
                                      currently. All other fields will be ignored.
                                    type: object
                                    properties:
                                      affinity:
                                        description: If specified, the pod's scheduling
                                          constraints
                                        type: object
                                        properties:
                                          nodeAffinity:
                                            description: Describes node affinity scheduling
                                              rules for the pod.
                                            type: object
                                            properties:
                                              preferredDuringSchedulingIgnoredDuringExecution:
                                                description: The scheduler will prefer
                                                  to schedule pods to nodes that satisfy
                                                  the affinity expressions specified
                                                  by this field, but it may choose
                                                  a node that violates one or more
                                                  of the expressions. The node that
                                                  is most preferred is the one with
                                                  the greatest sum of weights, i.e.
                                                  for each node that meets all of
                                                  the scheduling requirements (resource
                                                  request, requiredDuringScheduling
                                                  affinity expressions, etc.), compute
                                                  a sum by iterating through the elements
                                                  of this field and adding "weight"
                                                  to the sum if the node matches the
                                                  corresponding matchExpressions;
                                                  the node(s) with the highest sum
                                                  are the most preferred.
                                                type: array
                                                items:
                                                  description: An empty preferred
                                                    scheduling term matches all objects
                                                    with implicit weight 0 (i.e. it's
                                                    a no-op). A null preferred scheduling
                                                    term matches no objects (i.e.
                                                    is also a no-op).
                                                  type: object
                                                  required:
                                                  - preference
                                                  - weight
                                                  properties:
                                                    preference:
                                                      description: A node selector
                                                        term, associated with the
                                                        corresponding weight.
                                                      type: object
                                                      properties:
                                                        matchExpressions:
                                                          description: A list of node
                                                            selector requirements
                                                            by node's labels.
                                                          type: array
                                                          items:
                                                            description: A node selector
                                                              requirement is a selector
                                                              that contains values,
                                                              a key, and an operator
                                                              that relates the key
                                                              and values.
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: The label
                                                                  key that the selector
                                                                  applies to.
                                                                type: string
                                                              operator:
                                                                description: Represents
                                                                  a key's relationship
                                                                  to a set of values.
                                                                  Valid operators
                                                                  are In, NotIn, Exists,
                                                                  DoesNotExist. Gt,
                                                                  and Lt.
                                                                type: string
                                                              values:
                                                                description: An array
                                                                  of string values.
                                                                  If the operator
                                                                  is In or NotIn,
                                                                  the values array
                                                                  must be non-empty.
                                                                  If the operator
                                                                  is Exists or DoesNotExist,
                                                                  the values array
                                                                  must be empty. If
                                                                  the operator is
                                                                  Gt or Lt, the values
                                                                  array must have
                                                                  a single element,
                                                                  which will be interpreted
                                                                  as an integer. This
                                                                  array is replaced
                                                                  during a strategic
                                                                  merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                                        matchFields:
                                                          description: A list of node
                                                            selector requirements
                                                            by node's fields.
                                                          type: array
                                                          items:
                                                            description: A node selector
                                                              requirement is a selector
                                                              that contains values,
                                                              a key, and an operator
                                                              that relates the key
                                                              and values.
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: The label
                                                                  key that the selector
                                                                  applies to.
                                                                type: string
                                                              operator:
                                                                description: Represents
                                                                  a key's relationship
                                                                  to a set of values.
                                                                  Valid operators
                                                                  are In, NotIn, Exists,
                                                                  DoesNotExist. Gt,
                                                                  and Lt.
                                                                type: string
                                                              values:
                                                                description: An array
                                                                  of string values.
                                                                  If the operator
                                                                  is In or NotIn,
                                                                  the values array
                                                                  must be non-empty.
                                                                  If the operator
                                                                  is Exists or DoesNotExist,
                                                                  the values array
                                                                  must be empty. If
                                                                  the operator is
                                                                  Gt or Lt, the values
                                                                  array must have
                                                                  a single element,
                                                                  which will be interpreted
                                                                  as an integer. This
                                                                  array is replaced
                                                                  during a strategic
                                                                  merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                                    weight:
                                                      description: Weight associated
                                                        with matching the corresponding
                                                        nodeSelectorTerm, in the range
                                                        1-100.
                                                      type: integer
                                                      format: int32
                                              requiredDuringSchedulingIgnoredDuringExecution:
                                                description: If the affinity requirements
                                                  specified by this field are not
                                                  met at scheduling time, the pod
                                                  will not be scheduled onto the node.
                                                  If the affinity requirements specified
                                                  by this field cease to be met at
                                                  some point during pod execution
                                                  (e.g. due to an update), the system
                                                  may or may not try to eventually
                                                  evict the pod from its node.
                                                type: object
                                                required:
                                                - nodeSelectorTerms
                                                properties:
                                                  nodeSelectorTerms:
                                                    description: Required. A list
                                                      of node selector terms. The
                                                      terms are ORed.
                                                    type: array
                                                    items:
                                                      description: A null or empty
                                                        node selector term matches
                                                        no objects. The requirements
                                                        of them are ANDed. The TopologySelectorTerm
                                                        type implements a subset of
                                                        the NodeSelectorTerm.
                                                      type: object
                                                      properties:
                                                        matchExpressions:
                                                          description: A list of node
                                                            selector requirements
                                                            by node's labels.
                                                          type: array
                                                          items:
                                                            description: A node selector
                                                              requirement is a selector
                                                              that contains values,
                                                              a key, and an operator
                                                              that relates the key
                                                              and values.
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: The label
                                                                  key that the selector
                                                                  applies to.
                                                                type: string
                                                              operator:
                                                                description: Represents
                                                                  a key's relationship
                                                                  to a set of values.
                                                                  Valid operators
                                                                  are In, NotIn, Exists,
                                                                  DoesNotExist. Gt,
                                                                  and Lt.
                                                                type: string
                                                              values:
                                                                description: An array
                                                                  of string values.
                                                                  If the operator
                                                                  is In or NotIn,
                                                                  the values array
                                                                  must be non-empty.
                                                                  If the operator
                                                                  is Exists or DoesNotExist,
                                                                  the values array
                                                                  must be empty. If
                                                                  the operator is
                                                                  Gt or Lt, the values
                                                                  array must have
                                                                  a single element,
                                                                  which will be interpreted
                                                                  as an integer. This
                                                                  array is replaced
                                                                  during a strategic
                                                                  merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                                        matchFields:
                                                          description: A list of node
                                                            selector requirements
                                                            by node's fields.
                                                          type: array
                                                          items:
                                                            description: A node selector
                                                              requirement is a selector
                                                              that contains values,
                                                              a key, and an operator
                                                              that relates the key
                                                              and values.
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: The label
                                                                  key that the selector
                                                                  applies to.
                                                                type: string
                                                              operator:
                                                                description: Represents
                                                                  a key's relationship
                                                                  to a set of values.
                                                                  Valid operators
                                                                  are In, NotIn, Exists,
                                                                  DoesNotExist. Gt,
                                                                  and Lt.
                                                                type: string
                                                              values:
                                                                description: An array
                                                                  of string values.
                                                                  If the operator
                                                                  is In or NotIn,
                                                                  the values array
                                                                  must be non-empty.
                                                                  If the operator
                                                                  is Exists or DoesNotExist,
                                                                  the values array
                                                                  must be empty. If
                                                                  the operator is
                                                                  Gt or Lt, the values
                                                                  array must have
                                                                  a single element,
                                                                  which will be interpreted
                                                                  as an integer. This
                                                                  array is replaced
                                                                  during a strategic
                                                                  merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                          podAffinity:
                                            description: Describes pod affinity scheduling
                                              rules (e.g. co-locate this pod in the
                                              same node, zone, etc. as some other
                                              pod(s)).
                                            type: object
                                            properties:
                                              preferredDuringSchedulingIgnoredDuringExecution:
                                                description: The scheduler will prefer
                                                  to schedule pods to nodes that satisfy
                                                  the affinity expressions specified
                                                  by this field, but it may choose
                                                  a node that violates one or more
                                                  of the expressions. The node that
                                                  is most preferred is the one with
                                                  the greatest sum of weights, i.e.
                                                  for each node that meets all of
                                                  the scheduling requirements (resource
                                                  request, requiredDuringScheduling
                                                  affinity expressions, etc.), compute
                                                  a sum by iterating through the elements
                                                  of this field and adding "weight"
                                                  to the sum if the node has pods
                                                  which matches the corresponding
                                                  podAffinityTerm; the node(s) with
                                                  the highest sum are the most preferred.
                                                type: array
                                                items:
                                                  description: The weights of all
                                                    of the matched WeightedPodAffinityTerm
                                                    fields are added per-node to find
                                                    the most preferred node(s)
                                                  type: object
                                                  required:
                                                  - podAffinityTerm
                                                  - weight
                                                  properties:
                                                    podAffinityTerm:
                                                      description: Required. A pod
                                                        affinity term, associated
                                                        with the corresponding weight.
                                                      type: object
                                                      required:
                                                      - topologyKey
                                                      properties:
                                                        labelSelector:
                                                          description: A label query
                                                            over a set of resources,
                                                            in this case pods.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: matchExpressions
                                                                is a list of label
                                                                selector requirements.
                                                                The requirements are
                                                                ANDed.
                                                              type: array
                                                              items:
                                                                description: A label
                                                                  selector requirement
                                                                  is a selector that
                                                                  contains values,
                                                                  a key, and an operator
                                                                  that relates the
                                                                  key and values.
                                                                type: object
                                                                required:
                                                                - key
                                                                - operator
                                                                properties:
                                                                  key:
                                                                    description: key
                                                                      is the label
                                                                      key that the
                                                                      selector applies
                                                                      to.
                                                                    type: string
                                                                  operator:
                                                                    description: operator
                                                                      represents a
                                                                      key's relationship
                                                                      to a set of
                                                                      values. Valid
                                                                      operators are
                                                                      In, NotIn, Exists
                                                                      and DoesNotExist.
                                                                    type: string
                                                                  values:
                                                                    description: values
                                                                      is an array
                                                                      of string values.
                                                                      If the operator
                                                                      is In or NotIn,
                                                                      the values array
                                                                      must be non-empty.
                                                                      If the operator
                                                                      is Exists or
                                                                      DoesNotExist,
                                                                      the values array
                                                                      must be empty.
                                                                      This array is
                                                                      replaced during
                                                                      a strategic
                                                                      merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchLabels:
                                                              description: matchLabels
                                                                is a map of {key,value}
                                                                pairs. A single {key,value}
                                                                in the matchLabels
                                                                map is equivalent
                                                                to an element of matchExpressions,
                                                                whose key field is
                                                                "key", the operator
                                                                is "In", and the values
                                                                array contains only
                                                                "value". The requirements
                                                                are ANDed.
                                                              type: object
                                                              additionalProperties:
                                                                type: string
                                                        namespaces:
                                                          description: namespaces
                                                            specifies which namespaces
                                                            the labelSelector applies
                                                            to (matches against);
                                                            null or empty list means
                                                            "this pod's namespace"
                                                          type: array
                                                          items:
                                                            type: string
                                                        topologyKey:
                                                          description: This pod should
                                                            be co-located (affinity)
                                                            or not co-located (anti-affinity)
                                                            with the pods matching
                                                            the labelSelector in the
                                                            specified namespaces,
                                                            where co-located is defined
                                                            as running on a node whose
                                                            value of the label with
                                                            key topologyKey matches
                                                            that of any node on which
                                                            any of the selected pods
                                                            is running. Empty topologyKey
                                                            is not allowed.
                                                          type: string
                                                    weight:
                                                      description: weight associated
                                                        with matching the corresponding
                                                        podAffinityTerm, in the range
                                                        1-100.
                                                      type: integer
                                                      format: int32
                                              requiredDuringSchedulingIgnoredDuringExecution:
                                                description: If the affinity requirements
                                                  specified by this field are not
                                                  met at scheduling time, the pod
                                                  will not be scheduled onto the node.
                                                  If the affinity requirements specified
                                                  by this field cease to be met at
                                                  some point during pod execution
                                                  (e.g. due to a pod label update),
                                                  the system may or may not try to
                                                  eventually evict the pod from its
                                                  node. When there are multiple elements,
                                                  the lists of nodes corresponding
                                                  to each podAffinityTerm are intersected,
                                                  i.e. all terms must be satisfied.
                                                type: array
                                                items:
                                                  description: Defines a set of pods
                                                    (namely those matching the labelSelector
                                                    relative to the given namespace(s))
                                                    that this pod should be co-located
                                                    (affinity) or not co-located (anti-affinity)
                                                    with, where co-located is defined
                                                    as running on a node whose value
                                                    of the label with key <topologyKey>
                                                    matches that of any node on which
                                                    a pod of the set of pods is running
                                                  type: object
                                                  required:
                                                  - topologyKey
                                                  properties:
                                                    labelSelector:
                                                      description: A label query over
                                                        a set of resources, in this
                                                        case pods.
                                                      type: object
                                                      properties:
                                                        matchExpressions:
                                                          description: matchExpressions
                                                            is a list of label selector
                                                            requirements. The requirements
                                                            are ANDed.
                                                          type: array
                                                          items:
                                                            description: A label selector
                                                              requirement is a selector
                                                              that contains values,
                                                              a key, and an operator
                                                              that relates the key
                                                              and values.
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: key is
                                                                  the label key that
                                                                  the selector applies
                                                                  to.
                                                                type: string
                                                              operator:
                                                                description: operator
                                                                  represents a key's
                                                                  relationship to
                                                                  a set of values.
                                                                  Valid operators
                                                                  are In, NotIn, Exists
                                                                  and DoesNotExist.
                                                                type: string
                                                              values:
                                                                description: values
                                                                  is an array of string
                                                                  values. If the operator
                                                                  is In or NotIn,
                                                                  the values array
                                                                  must be non-empty.
                                                                  If the operator
                                                                  is Exists or DoesNotExist,
                                                                  the values array
                                                                  must be empty. This
                                                                  array is replaced
                                                                  during a strategic
                                                                  merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                                        matchLabels:
                                                          description: matchLabels
                                                            is a map of {key,value}
                                                            pairs. A single {key,value}
                                                            in the matchLabels map
                                                            is equivalent to an element
                                                            of matchExpressions, whose
                                                            key field is "key", the
                                                            operator is "In", and
                                                            the values array contains
                                                            only "value". The requirements
                                                            are ANDed.
                                                          type: object
                                                          additionalProperties:
                                                            type: string
                                                    namespaces:
                                                      description: namespaces specifies
                                                        which namespaces the labelSelector
                                                        applies to (matches against);
                                                        null or empty list means "this
                                                        pod's namespace"
                                                      type: array
                                                      items:
                                                        type: string
                                                    topologyKey:
                                                      description: This pod should
                                                        be co-located (affinity) or
                                                        not co-located (anti-affinity)
                                                        with the pods matching the
                                                        labelSelector in the specified
                                                        namespaces, where co-located
                                                        is defined as running on a
                                                        node whose value of the label
                                                        with key topologyKey matches
                                                        that of any node on which
                                                        any of the selected pods is
                                                        running. Empty topologyKey
                                                        is not allowed.
                                                      type: string
                                          podAntiAffinity:
                                            description: Describes pod anti-affinity
                                              scheduling rules (e.g. avoid putting
                                              this pod in the same node, zone, etc.
                                              as some other pod(s)).
                                            type: object
                                            properties:
                                              preferredDuringSchedulingIgnoredDuringExecution:
                                                description: The scheduler will prefer
                                                  to schedule pods to nodes that satisfy
                                                  the anti-affinity expressions specified
                                                  by this field, but it may choose
                                                  a node that violates one or more
                                                  of the expressions. The node that
                                                  is most preferred is the one with
                                                  the greatest sum of weights, i.e.
                                                  for each node that meets all of
                                                  the scheduling requirements (resource
                                                  request, requiredDuringScheduling
                                                  anti-affinity expressions, etc.),
                                                  compute a sum by iterating through
                                                  the elements of this field and adding
                                                  "weight" to the sum if the node
                                                  has pods which matches the corresponding
                                                  podAffinityTerm; the node(s) with
                                                  the highest sum are the most preferred.
                                                type: array
                                                items:
                                                  description: The weights of all
                                                    of the matched WeightedPodAffinityTerm
                                                    fields are added per-node to find
                                                    the most preferred node(s)
                                                  type: object
                                                  required:
                                                  - podAffinityTerm
                                                  - weight
                                                  properties:
                                                    podAffinityTerm:
                                                      description: Required. A pod
                                                        affinity term, associated
                                                        with the corresponding weight.
                                                      type: object
                                                      required:
                                                      - topologyKey
                                                      properties:
                                                        labelSelector:
                                                          description: A label query
                                                            over a set of resources,
                                                            in this case pods.
                                                          type: object
                                                          properties:
                                                            matchExpressions:
                                                              description: matchExpressions
                                                                is a list of label
                                                                selector requirements.
                                                                The requirements are
                                                                ANDed.
                                                              type: array
                                                              items:
                                                                description: A label
                                                                  selector requirement
                                                                  is a selector that
                                                                  contains values,
                                                                  a key, and an operator
                                                                  that relates the
                                                                  key and values.
                                                                type: object
                                                                required:
                                                                - key
                                                                - operator
                                                                properties:
                                                                  key:
                                                                    description: key
                                                                      is the label
                                                                      key that the
                                                                      selector applies
                                                                      to.
                                                                    type: string
                                                                  operator:
                                                                    description: operator
                                                                      represents a
                                                                      key's relationship
                                                                      to a set of
                                                                      values. Valid
                                                                      operators are
                                                                      In, NotIn, Exists
                                                                      and DoesNotExist.
                                                                    type: string
                                                                  values:
                                                                    description: values
                                                                      is an array
                                                                      of string values.
                                                                      If the operator
                                                                      is In or NotIn,
                                                                      the values array
                                                                      must be non-empty.
                                                                      If the operator
                                                                      is Exists or
                                                                      DoesNotExist,
                                                                      the values array
                                                                      must be empty.
                                                                      This array is
                                                                      replaced during
                                                                      a strategic
                                                                      merge patch.
                                                                    type: array
                                                                    items:
                                                                      type: string
                                                            matchLabels:
                                                              description: matchLabels
                                                                is a map of {key,value}
                                                                pairs. A single {key,value}
                                                                in the matchLabels
                                                                map is equivalent
                                                                to an element of matchExpressions,
                                                                whose key field is
                                                                "key", the operator
                                                                is "In", and the values
                                                                array contains only
                                                                "value". The requirements
                                                                are ANDed.
                                                              type: object
                                                              additionalProperties:
                                                                type: string
                                                        namespaces:
                                                          description: namespaces
                                                            specifies which namespaces
                                                            the labelSelector applies
                                                            to (matches against);
                                                            null or empty list means
                                                            "this pod's namespace"
                                                          type: array
                                                          items:
                                                            type: string
                                                        topologyKey:
                                                          description: This pod should
                                                            be co-located (affinity)
                                                            or not co-located (anti-affinity)
                                                            with the pods matching
                                                            the labelSelector in the
                                                            specified namespaces,
                                                            where co-located is defined
                                                            as running on a node whose
                                                            value of the label with
                                                            key topologyKey matches
                                                            that of any node on which
                                                            any of the selected pods
                                                            is running. Empty topologyKey
                                                            is not allowed.
                                                          type: string
                                                    weight:
                                                      description: weight associated
                                                        with matching the corresponding
                                                        podAffinityTerm, in the range
                                                        1-100.
                                                      type: integer
                                                      format: int32
                                              requiredDuringSchedulingIgnoredDuringExecution:
                                                description: If the anti-affinity
                                                  requirements specified by this field
                                                  are not met at scheduling time,
                                                  the pod will not be scheduled onto
                                                  the node. If the anti-affinity requirements
                                                  specified by this field cease to
                                                  be met at some point during pod
                                                  execution (e.g. due to a pod label
                                                  update), the system may or may not
                                                  try to eventually evict the pod
                                                  from its node. When there are multiple
                                                  elements, the lists of nodes corresponding
                                                  to each podAffinityTerm are intersected,
                                                  i.e. all terms must be satisfied.
                                                type: array
                                                items:
                                                  description: Defines a set of pods
                                                    (namely those matching the labelSelector
                                                    relative to the given namespace(s))
                                                    that this pod should be co-located
                                                    (affinity) or not co-located (anti-affinity)
                                                    with, where co-located is defined
                                                    as running on a node whose value
                                                    of the label with key <topologyKey>
                                                    matches that of any node on which
                                                    a pod of the set of pods is running
                                                  type: object
                                                  required:
                                                  - topologyKey
                                                  properties:
                                                    labelSelector:
                                                      description: A label query over
                                                        a set of resources, in this
                                                        case pods.
                                                      type: object
                                                      properties:
                                                        matchExpressions:
                                                          description: matchExpressions
                                                            is a list of label selector
                                                            requirements. The requirements
                                                            are ANDed.
                                                          type: array
                                                          items:
                                                            description: A label selector
                                                              requirement is a selector
                                                              that contains values,
                                                              a key, and an operator
                                                              that relates the key
                                                              and values.
                                                            type: object
                                                            required:
                                                            - key
                                                            - operator
                                                            properties:
                                                              key:
                                                                description: key is
                                                                  the label key that
                                                                  the selector applies
                                                                  to.
                                                                type: string
                                                              operator:
                                                                description: operator
                                                                  represents a key's
                                                                  relationship to
                                                                  a set of values.
                                                                  Valid operators
                                                                  are In, NotIn, Exists
                                                                  and DoesNotExist.
                                                                type: string
                                                              values:
                                                                description: values
                                                                  is an array of string
                                                                  values. If the operator
                                                                  is In or NotIn,
                                                                  the values array
                                                                  must be non-empty.
                                                                  If the operator
                                                                  is Exists or DoesNotExist,
                                                                  the values array
                                                                  must be empty. This
                                                                  array is replaced
                                                                  during a strategic
                                                                  merge patch.
                                                                type: array
                                                                items:
                                                                  type: string
                                                        matchLabels:
                                                          description: matchLabels
                                                            is a map of {key,value}
                                                            pairs. A single {key,value}
                                                            in the matchLabels map
                                                            is equivalent to an element
                                                            of matchExpressions, whose
                                                            key field is "key", the
                                                            operator is "In", and
                                                            the values array contains
                                                            only "value". The requirements
                                                            are ANDed.
                                                          type: object
                                                          additionalProperties:
                                                            type: string
                                                    namespaces:
                                                      description: namespaces specifies
                                                        which namespaces the labelSelector
                                                        applies to (matches against);
                                                        null or empty list means "this
                                                        pod's namespace"
                                                      type: array
                                                      items:
                                                        type: string
                                                    topologyKey:
                                                      description: This pod should
                                                        be co-located (affinity) or
                                                        not co-located (anti-affinity)
                                                        with the pods matching the
                                                        labelSelector in the specified
                                                        namespaces, where co-located
                                                        is defined as running on a
                                                        node whose value of the label
                                                        with key topologyKey matches
                                                        that of any node on which
                                                        any of the selected pods is
                                                        running. Empty topologyKey
                                                        is not allowed.
                                                      type: string
                                      nodeSelector:
                                        description: 'NodeSelector is a selector which
                                          must be true for the pod to fit on a node.
                                          Selector which must match a node''s labels
                                          for the pod to be scheduled on that node.
                                          More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
                                        type: object
                                        additionalProperties:
                                          type: string
                                      tolerations:
                                        description: If specified, the pod's tolerations.
                                        type: array
                                        items:
                                          description: The pod this Toleration is
                                            attached to tolerates any taint that matches
                                            the triple <key,value,effect> using the
                                            matching operator <operator>.
                                          type: object
                                          properties:
                                            effect:
                                              description: Effect indicates the taint
                                                effect to match. Empty means match
                                                all taint effects. When specified,
                                                allowed values are NoSchedule, PreferNoSchedule
                                                and NoExecute.
                                              type: string
                                            key:
                                              description: Key is the taint key that
                                                the toleration applies to. Empty means
                                                match all taint keys. If the key is
                                                empty, operator must be Exists; this
                                                combination means to match all values
                                                and all keys.
                                              type: string
                                            operator:
                                              description: Operator represents a key's
                                                relationship to the value. Valid operators
                                                are Exists and Equal. Defaults to
                                                Equal. Exists is equivalent to wildcard
                                                for value, so that a pod can tolerate
                                                all taints of a particular category.
                                              type: string
                                            tolerationSeconds:
                                              description: TolerationSeconds represents
                                                the period of time the toleration
                                                (which must be of effect NoExecute,
                                                otherwise this field is ignored) tolerates
                                                the taint. By default, it is not set,
                                                which means tolerate the taint forever
                                                (do not evict). Zero and negative
                                                values will be treated as 0 (evict
                                                immediately) by the system.
                                              type: integer
                                              format: int64
                                            value:
                                              description: Value is the taint value
                                                the toleration matches to. If the
                                                operator is Exists, the value should
                                                be empty, otherwise just a regular
                                                string.
                                              type: string
                              serviceType:
                                description: Optional service type for Kubernetes
                                  solver service
                                type: string
                      selector:
                        description: Selector selects a set of DNSNames on the Certificate
                          resource that should be solved using this challenge solver.
                        type: object
                        properties:
                          dnsNames:
                            description: List of DNSNames that this solver will be
                              used to solve. If specified and a match is found, a
                              dnsNames selector will take precedence over a dnsZones
                              selector. If multiple solvers match with the same dnsNames
                              value, the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            type: array
                            items:
                              type: string
                          dnsZones:
                            description: List of DNSZones that this solver will be
                              used to solve. The most specific DNS zone match specified
                              here will take precedence over other DNS zone matches,
                              so a solver specifying sys.example.com will be selected
                              over one specifying example.com for the domain www.sys.example.com.
                              If multiple solvers match with the same dnsZones value,
                              the solver with the most matching labels in matchLabels
                              will be selected. If neither has more matches, the solver
                              defined earlier in the list will be selected.
                            type: array
                            items:
                              type: string
                          matchLabels:
                            description: A label selector that is used to refine the
                              set of certificate's that this challenge solver will
                              apply to.
                            type: object
                            additionalProperties:
                              type: string
            ca:
              type: object
              required:
              - secretName
              properties:
                crlDistributionPoints:
                  description: The CRL distribution points is an X.509 v3 certificate
                    extension which identifies the location of the CRL from which
                    the revocation of this certificate can be checked. If not set
                    certificate will be issued without CDP. Values are strings.
                  type: array
                  items:
                    type: string
                secretName:
                  description: SecretName is the name of the secret used to sign Certificates
                    issued by this Issuer.
                  type: string
            selfSigned:
              type: object
              properties:
                crlDistributionPoints:
                  description: The CRL distribution points is an X.509 v3 certificate
                    extension which identifies the location of the CRL from which
                    the revocation of this certificate can be checked. If not set
                    certificate will be issued without CDP. Values are strings.
                  type: array
                  items:
                    type: string
            vault:
              type: object
              required:
              - auth
              - path
              - server
              properties:
                auth:
                  description: Vault authentication
                  type: object
                  properties:
                    appRole:
                      description: This Secret contains a AppRole and Secret
                      type: object
                      required:
                      - path
                      - roleId
                      - secretRef
                      properties:
                        path:
                          description: Where the authentication path is mounted in
                            Vault.
                          type: string
                        roleId:
                          type: string
                        secretRef:
                          type: object
                          required:
                          - name
                          properties:
                            key:
                              description: The key of the secret to select from. Must
                                be a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                    kubernetes:
                      description: This contains a Role and Secret with a ServiceAccount
                        token to authenticate with vault.
                      type: object
                      required:
                      - role
                      - secretRef
                      properties:
                        mountPath:
                          description: The Vault mountPath here is the mount path
                            to use when authenticating with Vault. For example, setting
                            a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
                            to authenticate with Vault. If unspecified, the default
                            value "/v1/auth/kubernetes" will be used.
                          type: string
                        role:
                          description: A required field containing the Vault Role
                            to assume. A Role binds a Kubernetes ServiceAccount with
                            a set of Vault policies.
                          type: string
                        secretRef:
                          description: The required Secret field containing a Kubernetes
                            ServiceAccount JWT used for authenticating with Vault.
                            Use of 'ambient credentials' is not supported.
                          type: object
                          required:
                          - name
                          properties:
                            key:
                              description: The key of the secret to select from. Must
                                be a valid secret key.
                              type: string
                            name:
                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                TODO: Add other useful fields. apiVersion, kind, uid?'
                              type: string
                    tokenSecretRef:
                      description: This Secret contains the Vault token key
                      type: object
                      required:
                      - name
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                caBundle:
                  description: Base64 encoded CA bundle to validate Vault server certificate.
                    Only used if the Server URL is using HTTPS protocol. This parameter
                    is ignored for plain HTTP protocol connection. If not set the
                    system root certificates are used to validate the TLS connection.
                  type: string
                  format: byte
                path:
                  description: Vault URL path to the certificate role
                  type: string
                server:
                  description: Server is the vault connection address
                  type: string
            venafi:
              description: VenafiIssuer describes issuer configuration details for
                Venafi Cloud.
              type: object
              required:
              - zone
              properties:
                cloud:
                  description: Cloud specifies the Venafi cloud configuration settings.
                    Only one of TPP or Cloud may be specified.
                  type: object
                  required:
                  - apiTokenSecretRef
                  properties:
                    apiTokenSecretRef:
                      description: APITokenSecretRef is a secret key selector for
                        the Venafi Cloud API token.
                      type: object
                      required:
                      - name
                      properties:
                        key:
                          description: The key of the secret to select from. Must
                            be a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                    url:
                      description: URL is the base URL for Venafi Cloud
                      type: string
                tpp:
                  description: TPP specifies Trust Protection Platform configuration
                    settings. Only one of TPP or Cloud may be specified.
                  type: object
                  required:
                  - credentialsRef
                  - url
                  properties:
                    caBundle:
                      description: CABundle is a PEM encoded TLS certificate to use
                        to verify connections to the TPP instance. If specified, system
                        roots will not be used and the issuing CA for the TPP instance
                        must be verifiable using the provided root. If not specified,
                        the connection will be verified using the cert-manager system
                        root certificates.
                      type: string
                      format: byte
                    credentialsRef:
                      description: CredentialsRef is a reference to a Secret containing
                        the username and password for the TPP server. The secret must
                        contain two keys, 'username' and 'password'.
                      type: object
                      required:
                      - name
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                    url:
                      description: URL is the base URL for the Venafi TPP instance
                      type: string
                zone:
                  description: Zone is the Venafi Policy Zone to use for this issuer.
                    All requests made to the Venafi platform will be restricted by
                    the named zone policy. This field is required.
                  type: string
        status:
          description: IssuerStatus contains status information about an Issuer
          type: object
          properties:
            acme:
              type: object
              properties:
                lastRegisteredEmail:
                  description: LastRegisteredEmail is the email associated with the
                    latest registered ACME account, in order to track changes made
                    to registered account associated with the  Issuer
                  type: string
                uri:
                  description: URI is the unique account identifier, which can also
                    be used to retrieve account details from the CA
                  type: string
            conditions:
              type: array
              items:
                description: IssuerCondition contains condition information for an
                  Issuer.
                type: object
                required:
                - status
                - type
                properties:
                  lastTransitionTime:
                    description: LastTransitionTime is the timestamp corresponding
                      to the last status change of this condition.
                    type: string
                    format: date-time
                  message:
                    description: Message is a human readable description of the details
                      of the last transition, complementing reason.
                    type: string
                  reason:
                    description: Reason is a brief machine readable explanation for
                      the condition's last transition.
                    type: string
                  status:
                    description: Status of the condition, one of ('True', 'False',
                      'Unknown').
                    type: string
                    enum:
                    - "True"
                    - "False"
                    - Unknown
                  type:
                    description: Type of the condition, currently ('Ready').
                    type: string