7943 lines
542 KiB
Django/Jinja
7943 lines
542 KiB
Django/Jinja
# Copyright YEAR The Jetstack cert-manager contributors.
|
||
#
|
||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||
# you may not use this file except in compliance with the License.
|
||
# You may obtain a copy of the License at
|
||
#
|
||
# http://www.apache.org/licenses/LICENSE-2.0
|
||
#
|
||
# Unless required by applicable law or agreed to in writing, software
|
||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
# See the License for the specific language governing permissions and
|
||
# limitations under the License.
|
||
|
||
---
|
||
apiVersion: apiextensions.k8s.io/v1
|
||
kind: CustomResourceDefinition
|
||
metadata:
|
||
annotations:
|
||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||
labels:
|
||
app: cert-manager
|
||
app.kubernetes.io/instance: cert-manager
|
||
app.kubernetes.io/name: cert-manager
|
||
name: clusterissuers.cert-manager.io
|
||
spec:
|
||
conversion:
|
||
strategy: Webhook
|
||
webhook:
|
||
clientConfig:
|
||
service:
|
||
name: cert-manager-webhook
|
||
namespace: {{ cert_manager_namespace }}
|
||
path: /convert
|
||
conversionReviewVersions:
|
||
- v1
|
||
- v1beta1
|
||
group: cert-manager.io
|
||
names:
|
||
kind: ClusterIssuer
|
||
listKind: ClusterIssuerList
|
||
plural: clusterissuers
|
||
singular: clusterissuer
|
||
scope: Cluster
|
||
versions:
|
||
- additionalPrinterColumns:
|
||
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
||
name: Ready
|
||
type: string
|
||
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
||
name: Status
|
||
priority: 1
|
||
type: string
|
||
- description: CreationTimestamp is a timestamp representing the server time when
|
||
this object was created. It is not guaranteed to be set in happens-before
|
||
order across separate operations. Clients may not set this value. It is represented
|
||
in RFC3339 form and is in UTC.
|
||
jsonPath: .metadata.creationTimestamp
|
||
name: Age
|
||
type: date
|
||
name: v1alpha2
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: A ClusterIssuer represents a certificate issuing authority which
|
||
can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
|
||
however it is cluster-scoped and therefore can be referenced by resources
|
||
that exist in *any* namespace, not just the same namespace as the referent.
|
||
properties:
|
||
apiVersion:
|
||
description: 'APIVersion defines the versioned schema of this representation
|
||
of an object. Servers should convert recognized schemas to the latest
|
||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
type: string
|
||
kind:
|
||
description: 'Kind is a string value representing the REST resource this
|
||
object represents. Servers may infer this from the endpoint the client
|
||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
description: Desired state of the ClusterIssuer resource.
|
||
properties:
|
||
acme:
|
||
description: ACME configures this issuer to communicate with a RFC8555
|
||
(ACME) server to obtain signed x509 certificates.
|
||
properties:
|
||
disableAccountKeyGeneration:
|
||
description: Enables or disables generating a new ACME account
|
||
key. If true, the Issuer resource will *not* request a new account
|
||
but will expect the account key to be supplied via an existing
|
||
secret. If false, the cert-manager system will generate a new
|
||
ACME account key for the Issuer. Defaults to false.
|
||
type: boolean
|
||
email:
|
||
description: Email is the email address to be associated with
|
||
the ACME account. This field is optional, but it is strongly
|
||
recommended to be set. It will be used to contact you in case
|
||
of issues with your account or certificates, including expiry
|
||
notification emails. This field may be updated after the account
|
||
is initially registered.
|
||
type: string
|
||
externalAccountBinding:
|
||
description: ExternalAccountBinding is a reference to a CA external
|
||
account of the ACME server. If set, upon registration cert-manager
|
||
will attempt to associate the given external account credentials
|
||
with the registered ACME account.
|
||
properties:
|
||
keyAlgorithm:
|
||
description: keyAlgorithm is the MAC key algorithm that the
|
||
key is used for. Valid values are "HS256", "HS384" and "HS512".
|
||
enum:
|
||
- HS256
|
||
- HS384
|
||
- HS512
|
||
type: string
|
||
keyID:
|
||
description: keyID is the ID of the CA key that the External
|
||
Account is bound to.
|
||
type: string
|
||
keySecretRef:
|
||
description: keySecretRef is a Secret Key Selector referencing
|
||
a data item in a Kubernetes Secret which holds the symmetric
|
||
MAC key of the External Account Binding. The `key` is the
|
||
index string that is paired with the key data in the Secret
|
||
and should not be confused with the key data itself, or
|
||
indeed with the External Account Binding keyID above. The
|
||
secret key stored in the Secret **must** be un-padded, base64
|
||
URL encoded data.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- keyAlgorithm
|
||
- keyID
|
||
- keySecretRef
|
||
type: object
|
||
preferredChain:
|
||
description: 'PreferredChain is the chain to use if the ACME server
|
||
outputs multiple. PreferredChain is no guarantee that this one
|
||
gets delivered by the ACME endpoint. For example, for Let''s
|
||
Encrypt''s DST crosssign you would use: "DST Root CA X3" or
|
||
"ISRG Root X1" for the newer Let''s Encrypt root CA. This value
|
||
picks the first certificate bundle in the ACME alternative chains
|
||
that has a certificate with this value as its issuer''s CN'
|
||
maxLength: 64
|
||
type: string
|
||
privateKeySecretRef:
|
||
description: PrivateKey is the name of a Kubernetes Secret resource
|
||
that will be used to store the automatically generated ACME
|
||
account private key. Optionally, a `key` may be specified to
|
||
select a specific entry within the named Secret resource. If
|
||
`key` is not specified, a default of `tls.key` will be used.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field may
|
||
be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to. More
|
||
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
server:
|
||
description: 'Server is the URL used to access the ACME server''s
|
||
''directory'' endpoint. For example, for Let''s Encrypt''s staging
|
||
endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
|
||
Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
||
type: string
|
||
skipTLSVerify:
|
||
description: Enables or disables validation of the ACME server
|
||
TLS certificate. If true, requests to the ACME server will not
|
||
have their TLS certificate validated (i.e. insecure connections
|
||
will be allowed). Only enable this option in development environments.
|
||
The cert-manager system installed roots will be used to verify
|
||
connections to the ACME server if this is false. Defaults to
|
||
false.
|
||
type: boolean
|
||
solvers:
|
||
description: 'Solvers is a list of challenge solvers that will
|
||
be used to solve ACME challenges for the matching domains. Solver
|
||
configurations must be provided in order to obtain certificates
|
||
from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
||
items:
|
||
description: Configures an issuer to solve challenges using
|
||
the specified options. Only one of HTTP01 or DNS01 may be
|
||
provided.
|
||
properties:
|
||
dns01:
|
||
description: Configures cert-manager to attempt to complete
|
||
authorizations by performing the DNS01 challenge flow.
|
||
properties:
|
||
acmedns:
|
||
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
||
API to manage DNS01 challenge records.
|
||
properties:
|
||
accountSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
host:
|
||
type: string
|
||
required:
|
||
- accountSecretRef
|
||
- host
|
||
type: object
|
||
akamai:
|
||
description: Use the Akamai DNS zone management API
|
||
to manage DNS01 challenge records.
|
||
properties:
|
||
accessTokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientSecretSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientTokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
serviceConsumerDomain:
|
||
type: string
|
||
required:
|
||
- accessTokenSecretRef
|
||
- clientSecretSecretRef
|
||
- clientTokenSecretRef
|
||
- serviceConsumerDomain
|
||
type: object
|
||
azuredns:
|
||
description: Use the Microsoft Azure DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
clientID:
|
||
description: if both this and ClientSecret are left
|
||
unset MSI will be used
|
||
type: string
|
||
clientSecretSecretRef:
|
||
description: if both this and ClientID are left
|
||
unset MSI will be used
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
environment:
|
||
enum:
|
||
- AzurePublicCloud
|
||
- AzureChinaCloud
|
||
- AzureGermanCloud
|
||
- AzureUSGovernmentCloud
|
||
type: string
|
||
hostedZoneName:
|
||
type: string
|
||
resourceGroupName:
|
||
type: string
|
||
subscriptionID:
|
||
type: string
|
||
tenantID:
|
||
description: when specifying ClientID and ClientSecret
|
||
then this field is also needed
|
||
type: string
|
||
required:
|
||
- resourceGroupName
|
||
- subscriptionID
|
||
type: object
|
||
clouddns:
|
||
description: Use the Google Cloud DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
hostedZoneName:
|
||
description: HostedZoneName is an optional field
|
||
that tells cert-manager in which Cloud DNS zone
|
||
the challenge record has to be created. If left
|
||
empty cert-manager will automatically choose a
|
||
zone.
|
||
type: string
|
||
project:
|
||
type: string
|
||
serviceAccountSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- project
|
||
type: object
|
||
cloudflare:
|
||
description: Use the Cloudflare API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
apiKeySecretRef:
|
||
description: 'API key to use to authenticate with
|
||
Cloudflare. Note: using an API token to authenticate
|
||
is now the recommended method as it allows greater
|
||
control of permissions.'
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
apiTokenSecretRef:
|
||
description: API token used to authenticate with
|
||
Cloudflare.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
email:
|
||
description: Email of the account, only required
|
||
when using API key based authentication.
|
||
type: string
|
||
type: object
|
||
cnameStrategy:
|
||
description: CNAMEStrategy configures how the DNS01
|
||
provider should handle CNAME records when found in
|
||
DNS zones.
|
||
enum:
|
||
- None
|
||
- Follow
|
||
type: string
|
||
digitalocean:
|
||
description: Use the DigitalOcean DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
tokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- tokenSecretRef
|
||
type: object
|
||
rfc2136:
|
||
description: Use RFC2136 ("Dynamic Updates in the Domain
|
||
Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
||
to manage DNS01 challenge records.
|
||
properties:
|
||
nameserver:
|
||
description: The IP address or hostname of an authoritative
|
||
DNS server supporting RFC2136 in the form host:port.
|
||
If the host is an IPv6 address it must be enclosed
|
||
in square brackets (e.g [2001:db8::1]) ; port
|
||
is optional. This field is required.
|
||
type: string
|
||
tsigAlgorithm:
|
||
description: 'The TSIG Algorithm configured in the
|
||
DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
||
and ``tsigKeyName`` are defined. Supported values
|
||
are (case-insensitive): ``HMACMD5`` (default),
|
||
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
||
type: string
|
||
tsigKeyName:
|
||
description: The TSIG Key name configured in the
|
||
DNS. If ``tsigSecretSecretRef`` is defined, this
|
||
field is required.
|
||
type: string
|
||
tsigSecretSecretRef:
|
||
description: The name of the secret containing the
|
||
TSIG value. If ``tsigKeyName`` is defined, this
|
||
field is required.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- nameserver
|
||
type: object
|
||
route53:
|
||
description: Use the AWS Route53 API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
accessKeyID:
|
||
description: 'The AccessKeyID is used for authentication.
|
||
If not set we fall-back to using env vars, shared
|
||
credentials file or AWS Instance metadata see:
|
||
https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
||
type: string
|
||
hostedZoneID:
|
||
description: If set, the provider will manage only
|
||
this zone in Route53 and will not do an lookup
|
||
using the route53:ListHostedZonesByName api call.
|
||
type: string
|
||
region:
|
||
description: Always set the region when using AccessKeyID
|
||
and SecretAccessKey
|
||
type: string
|
||
role:
|
||
description: Role is a Role ARN which the Route53
|
||
provider will assume using either the explicit
|
||
credentials AccessKeyID/SecretAccessKey or the
|
||
inferred credentials from environment variables,
|
||
shared credentials file or AWS Instance metadata
|
||
type: string
|
||
secretAccessKeySecretRef:
|
||
description: The SecretAccessKey is used for authentication.
|
||
If not set we fall-back to using env vars, shared
|
||
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- region
|
||
type: object
|
||
webhook:
|
||
description: Configure an external webhook based DNS01
|
||
challenge solver to manage DNS01 challenge records.
|
||
properties:
|
||
config:
|
||
description: Additional configuration that should
|
||
be passed to the webhook apiserver when challenges
|
||
are processed. This can contain arbitrary JSON
|
||
data. Secret values should not be specified in
|
||
this stanza. If secret values are needed (e.g.
|
||
credentials for a DNS service), you should use
|
||
a SecretKeySelector to reference a Secret resource.
|
||
For details on the schema of this field, consult
|
||
the webhook provider implementation's documentation.
|
||
x-kubernetes-preserve-unknown-fields: true
|
||
groupName:
|
||
description: The API group name that should be used
|
||
when POSTing ChallengePayload resources to the
|
||
webhook apiserver. This should be the same as
|
||
the GroupName specified in the webhook provider
|
||
implementation.
|
||
type: string
|
||
solverName:
|
||
description: The name of the solver to use, as defined
|
||
in the webhook provider implementation. This will
|
||
typically be the name of the provider, e.g. 'cloudflare'.
|
||
type: string
|
||
required:
|
||
- groupName
|
||
- solverName
|
||
type: object
|
||
type: object
|
||
http01:
|
||
description: Configures cert-manager to attempt to complete
|
||
authorizations by performing the HTTP01 challenge flow.
|
||
It is not possible to obtain certificates for wildcard
|
||
domain names (e.g. `*.example.com`) using the HTTP01 challenge
|
||
mechanism.
|
||
properties:
|
||
ingress:
|
||
description: The ingress based HTTP01 challenge solver
|
||
will solve challenges by creating or modifying Ingress
|
||
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
|
||
to 'challenge solver' pods that are provisioned by
|
||
cert-manager for each Challenge to be completed.
|
||
properties:
|
||
class:
|
||
description: The ingress class to use when creating
|
||
Ingress resources to solve ACME challenges that
|
||
use this challenge solver. Only one of 'class'
|
||
or 'name' may be specified.
|
||
type: string
|
||
ingressTemplate:
|
||
description: Optional ingress template used to configure
|
||
the ACME challenge solver ingress used for HTTP01
|
||
challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the ingress
|
||
used to solve HTTP01 challenges. Only the
|
||
'labels' and 'annotations' fields may be set.
|
||
If labels or annotations overlap with in-built
|
||
values, the values here will override the
|
||
in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be
|
||
added to the created ACME HTTP01 solver
|
||
ingress.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added
|
||
to the created ACME HTTP01 solver ingress.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
name:
|
||
description: The name of the ingress resource that
|
||
should have ACME challenge solving routes inserted
|
||
into it in order to solve HTTP01 challenges. This
|
||
is typically used in conjunction with ingress
|
||
controllers like ingress-gce, which maintains
|
||
a 1:1 mapping between external IPs and ingress
|
||
resources.
|
||
type: string
|
||
podTemplate:
|
||
description: Optional pod template used to configure
|
||
the ACME challenge solver pods used for HTTP01
|
||
challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the pod
|
||
used to solve HTTP01 challenges. Only the
|
||
'labels' and 'annotations' fields may be set.
|
||
If labels or annotations overlap with in-built
|
||
values, the values here will override the
|
||
in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be
|
||
added to the create ACME HTTP01 solver
|
||
pods.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added
|
||
to the created ACME HTTP01 solver pods.
|
||
type: object
|
||
type: object
|
||
spec:
|
||
description: PodSpec defines overrides for the
|
||
HTTP01 challenge solver pod. Only the 'priorityClassName',
|
||
'nodeSelector', 'affinity', 'serviceAccountName'
|
||
and 'tolerations' fields are supported currently.
|
||
All other fields will be ignored.
|
||
properties:
|
||
affinity:
|
||
description: If specified, the pod's scheduling
|
||
constraints
|
||
properties:
|
||
nodeAffinity:
|
||
description: Describes node affinity
|
||
scheduling rules for the pod.
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the affinity expressions
|
||
specified by this field, but it
|
||
may choose a node that violates
|
||
one or more of the expressions.
|
||
The node that is most preferred
|
||
is the one with the greatest sum
|
||
of weights, i.e. for each node
|
||
that meets all of the scheduling
|
||
requirements (resource request,
|
||
requiredDuringScheduling affinity
|
||
expressions, etc.), compute a
|
||
sum by iterating through the elements
|
||
of this field and adding "weight"
|
||
to the sum if the node matches
|
||
the corresponding matchExpressions;
|
||
the node(s) with the highest sum
|
||
are the most preferred.
|
||
items:
|
||
description: An empty preferred
|
||
scheduling term matches all
|
||
objects with implicit weight
|
||
0 (i.e. it's a no-op). A null
|
||
preferred scheduling term matches
|
||
no objects (i.e. is also a no-op).
|
||
properties:
|
||
preference:
|
||
description: A node selector
|
||
term, associated with the
|
||
corresponding weight.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's labels.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's fields.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
weight:
|
||
description: Weight associated
|
||
with matching the corresponding
|
||
nodeSelectorTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- preference
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not
|
||
met at scheduling time, the pod
|
||
will not be scheduled onto the
|
||
node. If the affinity requirements
|
||
specified by this field cease
|
||
to be met at some point during
|
||
pod execution (e.g. due to an
|
||
update), the system may or may
|
||
not try to eventually evict the
|
||
pod from its node.
|
||
properties:
|
||
nodeSelectorTerms:
|
||
description: Required. A list
|
||
of node selector terms. The
|
||
terms are ORed.
|
||
items:
|
||
description: A null or empty
|
||
node selector term matches
|
||
no objects. The requirements
|
||
of them are ANDed. The TopologySelectorTerm
|
||
type implements a subset
|
||
of the NodeSelectorTerm.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's labels.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's fields.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: array
|
||
required:
|
||
- nodeSelectorTerms
|
||
type: object
|
||
type: object
|
||
podAffinity:
|
||
description: Describes pod affinity
|
||
scheduling rules (e.g. co-locate this
|
||
pod in the same node, zone, etc. as
|
||
some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the affinity expressions
|
||
specified by this field, but it
|
||
may choose a node that violates
|
||
one or more of the expressions.
|
||
The node that is most preferred
|
||
is the one with the greatest sum
|
||
of weights, i.e. for each node
|
||
that meets all of the scheduling
|
||
requirements (resource request,
|
||
requiredDuringScheduling affinity
|
||
expressions, etc.), compute a
|
||
sum by iterating through the elements
|
||
of this field and adding "weight"
|
||
to the sum if the node has pods
|
||
which matches the corresponding
|
||
podAffinityTerm; the node(s) with
|
||
the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all
|
||
of the matched WeightedPodAffinityTerm
|
||
fields are added per-node to
|
||
find the most preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod
|
||
affinity term, associated
|
||
with the corresponding weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label
|
||
selector requirements.
|
||
The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector
|
||
that contains
|
||
values, a key,
|
||
and an operator
|
||
that relates the
|
||
key and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label
|
||
key that the
|
||
selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents
|
||
a key's relationship
|
||
to a set of
|
||
values. Valid
|
||
operators
|
||
are In, NotIn,
|
||
Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array
|
||
of string
|
||
values. If
|
||
the operator
|
||
is In or NotIn,
|
||
the values
|
||
array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists
|
||
or DoesNotExist,
|
||
the values
|
||
array must
|
||
be empty.
|
||
This array
|
||
is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single
|
||
{key,value} in the
|
||
matchLabels map
|
||
is equivalent to
|
||
an element of matchExpressions,
|
||
whose key field
|
||
is "key", the operator
|
||
is "In", and the
|
||
values array contains
|
||
only "value". The
|
||
requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces
|
||
specifies which namespaces
|
||
the labelSelector applies
|
||
to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod
|
||
should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with
|
||
the pods matching the
|
||
labelSelector in the
|
||
specified namespaces,
|
||
where co-located is
|
||
defined as running on
|
||
a node whose value of
|
||
the label with key topologyKey
|
||
matches that of any
|
||
node on which any of
|
||
the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated
|
||
with matching the corresponding
|
||
podAffinityTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not
|
||
met at scheduling time, the pod
|
||
will not be scheduled onto the
|
||
node. If the affinity requirements
|
||
specified by this field cease
|
||
to be met at some point during
|
||
pod execution (e.g. due to a pod
|
||
label update), the system may
|
||
or may not try to eventually evict
|
||
the pod from its node. When there
|
||
are multiple elements, the lists
|
||
of nodes corresponding to each
|
||
podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of
|
||
pods (namely those matching
|
||
the labelSelector relative to
|
||
the given namespace(s)) that
|
||
this pod should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with, where
|
||
co-located is defined as running
|
||
on a node whose value of the
|
||
label with key <topologyKey>
|
||
matches that of any node on
|
||
which a pod of the set of pods
|
||
is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label key
|
||
that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of
|
||
string values.
|
||
If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an
|
||
element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In",
|
||
and the values array
|
||
contains only "value".
|
||
The requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on
|
||
a node whose value of the
|
||
label with key topologyKey
|
||
matches that of any node
|
||
on which any of the selected
|
||
pods is running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
podAntiAffinity:
|
||
description: Describes pod anti-affinity
|
||
scheduling rules (e.g. avoid putting
|
||
this pod in the same node, zone, etc.
|
||
as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the anti-affinity
|
||
expressions specified by this
|
||
field, but it may choose a node
|
||
that violates one or more of the
|
||
expressions. The node that is
|
||
most preferred is the one with
|
||
the greatest sum of weights, i.e.
|
||
for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling
|
||
anti-affinity expressions, etc.),
|
||
compute a sum by iterating through
|
||
the elements of this field and
|
||
adding "weight" to the sum if
|
||
the node has pods which matches
|
||
the corresponding podAffinityTerm;
|
||
the node(s) with the highest sum
|
||
are the most preferred.
|
||
items:
|
||
description: The weights of all
|
||
of the matched WeightedPodAffinityTerm
|
||
fields are added per-node to
|
||
find the most preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod
|
||
affinity term, associated
|
||
with the corresponding weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label
|
||
selector requirements.
|
||
The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector
|
||
that contains
|
||
values, a key,
|
||
and an operator
|
||
that relates the
|
||
key and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label
|
||
key that the
|
||
selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents
|
||
a key's relationship
|
||
to a set of
|
||
values. Valid
|
||
operators
|
||
are In, NotIn,
|
||
Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array
|
||
of string
|
||
values. If
|
||
the operator
|
||
is In or NotIn,
|
||
the values
|
||
array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists
|
||
or DoesNotExist,
|
||
the values
|
||
array must
|
||
be empty.
|
||
This array
|
||
is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single
|
||
{key,value} in the
|
||
matchLabels map
|
||
is equivalent to
|
||
an element of matchExpressions,
|
||
whose key field
|
||
is "key", the operator
|
||
is "In", and the
|
||
values array contains
|
||
only "value". The
|
||
requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces
|
||
specifies which namespaces
|
||
the labelSelector applies
|
||
to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod
|
||
should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with
|
||
the pods matching the
|
||
labelSelector in the
|
||
specified namespaces,
|
||
where co-located is
|
||
defined as running on
|
||
a node whose value of
|
||
the label with key topologyKey
|
||
matches that of any
|
||
node on which any of
|
||
the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated
|
||
with matching the corresponding
|
||
podAffinityTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the anti-affinity
|
||
requirements specified by this
|
||
field are not met at scheduling
|
||
time, the pod will not be scheduled
|
||
onto the node. If the anti-affinity
|
||
requirements specified by this
|
||
field cease to be met at some
|
||
point during pod execution (e.g.
|
||
due to a pod label update), the
|
||
system may or may not try to eventually
|
||
evict the pod from its node. When
|
||
there are multiple elements, the
|
||
lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of
|
||
pods (namely those matching
|
||
the labelSelector relative to
|
||
the given namespace(s)) that
|
||
this pod should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with, where
|
||
co-located is defined as running
|
||
on a node whose value of the
|
||
label with key <topologyKey>
|
||
matches that of any node on
|
||
which a pod of the set of pods
|
||
is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label key
|
||
that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of
|
||
string values.
|
||
If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an
|
||
element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In",
|
||
and the values array
|
||
contains only "value".
|
||
The requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on
|
||
a node whose value of the
|
||
label with key topologyKey
|
||
matches that of any node
|
||
on which any of the selected
|
||
pods is running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
nodeSelector:
|
||
additionalProperties:
|
||
type: string
|
||
description: 'NodeSelector is a selector
|
||
which must be true for the pod to fit
|
||
on a node. Selector which must match a
|
||
node''s labels for the pod to be scheduled
|
||
on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
||
type: object
|
||
priorityClassName:
|
||
description: If specified, the pod's priorityClassName.
|
||
type: string
|
||
serviceAccountName:
|
||
description: If specified, the pod's service
|
||
account
|
||
type: string
|
||
tolerations:
|
||
description: If specified, the pod's tolerations.
|
||
items:
|
||
description: The pod this Toleration is
|
||
attached to tolerates any taint that
|
||
matches the triple <key,value,effect>
|
||
using the matching operator <operator>.
|
||
properties:
|
||
effect:
|
||
description: Effect indicates the
|
||
taint effect to match. Empty means
|
||
match all taint effects. When specified,
|
||
allowed values are NoSchedule, PreferNoSchedule
|
||
and NoExecute.
|
||
type: string
|
||
key:
|
||
description: Key is the taint key
|
||
that the toleration applies to.
|
||
Empty means match all taint keys.
|
||
If the key is empty, operator must
|
||
be Exists; this combination means
|
||
to match all values and all keys.
|
||
type: string
|
||
operator:
|
||
description: Operator represents a
|
||
key's relationship to the value.
|
||
Valid operators are Exists and Equal.
|
||
Defaults to Equal. Exists is equivalent
|
||
to wildcard for value, so that a
|
||
pod can tolerate all taints of a
|
||
particular category.
|
||
type: string
|
||
tolerationSeconds:
|
||
description: TolerationSeconds represents
|
||
the period of time the toleration
|
||
(which must be of effect NoExecute,
|
||
otherwise this field is ignored)
|
||
tolerates the taint. By default,
|
||
it is not set, which means tolerate
|
||
the taint forever (do not evict).
|
||
Zero and negative values will be
|
||
treated as 0 (evict immediately)
|
||
by the system.
|
||
format: int64
|
||
type: integer
|
||
value:
|
||
description: Value is the taint value
|
||
the toleration matches to. If the
|
||
operator is Exists, the value should
|
||
be empty, otherwise just a regular
|
||
string.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
serviceType:
|
||
description: Optional service type for Kubernetes
|
||
solver service
|
||
type: string
|
||
type: object
|
||
type: object
|
||
selector:
|
||
description: Selector selects a set of DNSNames on the Certificate
|
||
resource that should be solved using this challenge solver.
|
||
If not specified, the solver will be treated as the 'default'
|
||
solver with the lowest priority, i.e. if any other solver
|
||
has a more specific match, it will be used instead.
|
||
properties:
|
||
dnsNames:
|
||
description: List of DNSNames that this solver will
|
||
be used to solve. If specified and a match is found,
|
||
a dnsNames selector will take precedence over a dnsZones
|
||
selector. If multiple solvers match with the same
|
||
dnsNames value, the solver with the most matching
|
||
labels in matchLabels will be selected. If neither
|
||
has more matches, the solver defined earlier in the
|
||
list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
dnsZones:
|
||
description: List of DNSZones that this solver will
|
||
be used to solve. The most specific DNS zone match
|
||
specified here will take precedence over other DNS
|
||
zone matches, so a solver specifying sys.example.com
|
||
will be selected over one specifying example.com for
|
||
the domain www.sys.example.com. If multiple solvers
|
||
match with the same dnsZones value, the solver with
|
||
the most matching labels in matchLabels will be selected.
|
||
If neither has more matches, the solver defined earlier
|
||
in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: A label selector that is used to refine
|
||
the set of certificate's that this challenge solver
|
||
will apply to.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
type: array
|
||
required:
|
||
- privateKeySecretRef
|
||
- server
|
||
type: object
|
||
ca:
|
||
description: CA configures this issuer to sign certificates using
|
||
a signing CA keypair stored in a Secret resource. This is used to
|
||
build internal PKIs that are managed by cert-manager.
|
||
properties:
|
||
crlDistributionPoints:
|
||
description: The CRL distribution points is an X.509 v3 certificate
|
||
extension which identifies the location of the CRL from which
|
||
the revocation of this certificate can be checked. If not set,
|
||
certificates will be issued without distribution points set.
|
||
items:
|
||
type: string
|
||
type: array
|
||
secretName:
|
||
description: SecretName is the name of the secret used to sign
|
||
Certificates issued by this Issuer.
|
||
type: string
|
||
required:
|
||
- secretName
|
||
type: object
|
||
selfSigned:
|
||
description: SelfSigned configures this issuer to 'self sign' certificates
|
||
using the private key used to create the CertificateRequest object.
|
||
properties:
|
||
crlDistributionPoints:
|
||
description: The CRL distribution points is an X.509 v3 certificate
|
||
extension which identifies the location of the CRL from which
|
||
the revocation of this certificate can be checked. If not set
|
||
certificate will be issued without CDP. Values are strings.
|
||
items:
|
||
type: string
|
||
type: array
|
||
type: object
|
||
vault:
|
||
description: Vault configures this issuer to sign certificates using
|
||
a HashiCorp Vault PKI backend.
|
||
properties:
|
||
auth:
|
||
description: Auth configures how cert-manager authenticates with
|
||
the Vault server.
|
||
properties:
|
||
appRole:
|
||
description: AppRole authenticates with Vault using the App
|
||
Role auth mechanism, with the role and secret stored in
|
||
a Kubernetes Secret resource.
|
||
properties:
|
||
path:
|
||
description: 'Path where the App Role authentication backend
|
||
is mounted in Vault, e.g: "approle"'
|
||
type: string
|
||
roleId:
|
||
description: RoleID configured in the App Role authentication
|
||
backend when setting up the authentication backend in
|
||
Vault.
|
||
type: string
|
||
secretRef:
|
||
description: Reference to a key in a Secret that contains
|
||
the App Role secret used to authenticate with Vault.
|
||
The `key` field must be specified and denotes which
|
||
entry within the Secret resource is used as the app
|
||
role secret.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- path
|
||
- roleId
|
||
- secretRef
|
||
type: object
|
||
kubernetes:
|
||
description: Kubernetes authenticates with Vault by passing
|
||
the ServiceAccount token stored in the named Secret resource
|
||
to the Vault server.
|
||
properties:
|
||
mountPath:
|
||
description: The Vault mountPath here is the mount path
|
||
to use when authenticating with Vault. For example,
|
||
setting a value to `/v1/auth/foo`, will use the path
|
||
`/v1/auth/foo/login` to authenticate with Vault. If
|
||
unspecified, the default value "/v1/auth/kubernetes"
|
||
will be used.
|
||
type: string
|
||
role:
|
||
description: A required field containing the Vault Role
|
||
to assume. A Role binds a Kubernetes ServiceAccount
|
||
with a set of Vault policies.
|
||
type: string
|
||
secretRef:
|
||
description: The required Secret field containing a Kubernetes
|
||
ServiceAccount JWT used for authenticating with Vault.
|
||
Use of 'ambient credentials' is not supported.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- role
|
||
- secretRef
|
||
type: object
|
||
tokenSecretRef:
|
||
description: TokenSecretRef authenticates with Vault by presenting
|
||
a token.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
type: object
|
||
caBundle:
|
||
description: PEM encoded CA bundle used to validate Vault server
|
||
certificate. Only used if the Server URL is using HTTPS protocol.
|
||
This parameter is ignored for plain HTTP protocol connection.
|
||
If not set the system root certificates are used to validate
|
||
the TLS connection.
|
||
format: byte
|
||
type: string
|
||
namespace:
|
||
description: 'Name of the vault namespace. Namespaces is a set
|
||
of features within Vault Enterprise that allows Vault environments
|
||
to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
|
||
can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
||
type: string
|
||
path:
|
||
description: 'Path is the mount path of the Vault PKI backend''s
|
||
`sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
||
type: string
|
||
server:
|
||
description: 'Server is the connection address for the Vault server,
|
||
e.g: "https://vault.example.com:8200".'
|
||
type: string
|
||
required:
|
||
- auth
|
||
- path
|
||
- server
|
||
type: object
|
||
venafi:
|
||
description: Venafi configures this issuer to sign certificates using
|
||
a Venafi TPP or Venafi Cloud policy zone.
|
||
properties:
|
||
cloud:
|
||
description: Cloud specifies the Venafi cloud configuration settings.
|
||
Only one of TPP or Cloud may be specified.
|
||
properties:
|
||
apiTokenSecretRef:
|
||
description: APITokenSecretRef is a secret key selector for
|
||
the Venafi Cloud API token.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
url:
|
||
description: URL is the base URL for Venafi Cloud. Defaults
|
||
to "https://api.venafi.cloud/v1".
|
||
type: string
|
||
required:
|
||
- apiTokenSecretRef
|
||
type: object
|
||
tpp:
|
||
description: TPP specifies Trust Protection Platform configuration
|
||
settings. Only one of TPP or Cloud may be specified.
|
||
properties:
|
||
caBundle:
|
||
description: CABundle is a PEM encoded TLS certificate to
|
||
use to verify connections to the TPP instance. If specified,
|
||
system roots will not be used and the issuing CA for the
|
||
TPP instance must be verifiable using the provided root.
|
||
If not specified, the connection will be verified using
|
||
the cert-manager system root certificates.
|
||
format: byte
|
||
type: string
|
||
credentialsRef:
|
||
description: CredentialsRef is a reference to a Secret containing
|
||
the username and password for the TPP server. The secret
|
||
must contain two keys, 'username' and 'password'.
|
||
properties:
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
url:
|
||
description: 'URL is the base URL for the vedsdk endpoint
|
||
of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
||
type: string
|
||
required:
|
||
- credentialsRef
|
||
- url
|
||
type: object
|
||
zone:
|
||
description: Zone is the Venafi Policy Zone to use for this issuer.
|
||
All requests made to the Venafi platform will be restricted
|
||
by the named zone policy. This field is required.
|
||
type: string
|
||
required:
|
||
- zone
|
||
type: object
|
||
type: object
|
||
status:
|
||
description: Status of the ClusterIssuer. This is set and managed automatically.
|
||
properties:
|
||
acme:
|
||
description: ACME specific status options. This field should only
|
||
be set if the Issuer is configured to use an ACME server to issue
|
||
certificates.
|
||
properties:
|
||
lastRegisteredEmail:
|
||
description: LastRegisteredEmail is the email associated with
|
||
the latest registered ACME account, in order to track changes
|
||
made to registered account associated with the Issuer
|
||
type: string
|
||
uri:
|
||
description: URI is the unique account identifier, which can also
|
||
be used to retrieve account details from the CA
|
||
type: string
|
||
type: object
|
||
conditions:
|
||
description: List of status conditions to indicate the status of a
|
||
CertificateRequest. Known condition types are `Ready`.
|
||
items:
|
||
description: IssuerCondition contains condition information for
|
||
an Issuer.
|
||
properties:
|
||
lastTransitionTime:
|
||
description: LastTransitionTime is the timestamp corresponding
|
||
to the last status change of this condition.
|
||
format: date-time
|
||
type: string
|
||
message:
|
||
description: Message is a human readable description of the
|
||
details of the last transition, complementing reason.
|
||
type: string
|
||
reason:
|
||
description: Reason is a brief machine readable explanation
|
||
for the condition's last transition.
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of ('True', 'False',
|
||
'Unknown').
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: Type of the condition, known values are ('Ready').
|
||
type: string
|
||
required:
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
served: true
|
||
storage: false
|
||
subresources:
|
||
status: {}
|
||
- additionalPrinterColumns:
|
||
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
||
name: Ready
|
||
type: string
|
||
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
||
name: Status
|
||
priority: 1
|
||
type: string
|
||
- description: CreationTimestamp is a timestamp representing the server time when
|
||
this object was created. It is not guaranteed to be set in happens-before
|
||
order across separate operations. Clients may not set this value. It is represented
|
||
in RFC3339 form and is in UTC.
|
||
jsonPath: .metadata.creationTimestamp
|
||
name: Age
|
||
type: date
|
||
name: v1alpha3
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: A ClusterIssuer represents a certificate issuing authority which
|
||
can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
|
||
however it is cluster-scoped and therefore can be referenced by resources
|
||
that exist in *any* namespace, not just the same namespace as the referent.
|
||
properties:
|
||
apiVersion:
|
||
description: 'APIVersion defines the versioned schema of this representation
|
||
of an object. Servers should convert recognized schemas to the latest
|
||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
type: string
|
||
kind:
|
||
description: 'Kind is a string value representing the REST resource this
|
||
object represents. Servers may infer this from the endpoint the client
|
||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
description: Desired state of the ClusterIssuer resource.
|
||
properties:
|
||
acme:
|
||
description: ACME configures this issuer to communicate with a RFC8555
|
||
(ACME) server to obtain signed x509 certificates.
|
||
properties:
|
||
disableAccountKeyGeneration:
|
||
description: Enables or disables generating a new ACME account
|
||
key. If true, the Issuer resource will *not* request a new account
|
||
but will expect the account key to be supplied via an existing
|
||
secret. If false, the cert-manager system will generate a new
|
||
ACME account key for the Issuer. Defaults to false.
|
||
type: boolean
|
||
email:
|
||
description: Email is the email address to be associated with
|
||
the ACME account. This field is optional, but it is strongly
|
||
recommended to be set. It will be used to contact you in case
|
||
of issues with your account or certificates, including expiry
|
||
notification emails. This field may be updated after the account
|
||
is initially registered.
|
||
type: string
|
||
externalAccountBinding:
|
||
description: ExternalAccountBinding is a reference to a CA external
|
||
account of the ACME server. If set, upon registration cert-manager
|
||
will attempt to associate the given external account credentials
|
||
with the registered ACME account.
|
||
properties:
|
||
keyAlgorithm:
|
||
description: keyAlgorithm is the MAC key algorithm that the
|
||
key is used for. Valid values are "HS256", "HS384" and "HS512".
|
||
enum:
|
||
- HS256
|
||
- HS384
|
||
- HS512
|
||
type: string
|
||
keyID:
|
||
description: keyID is the ID of the CA key that the External
|
||
Account is bound to.
|
||
type: string
|
||
keySecretRef:
|
||
description: keySecretRef is a Secret Key Selector referencing
|
||
a data item in a Kubernetes Secret which holds the symmetric
|
||
MAC key of the External Account Binding. The `key` is the
|
||
index string that is paired with the key data in the Secret
|
||
and should not be confused with the key data itself, or
|
||
indeed with the External Account Binding keyID above. The
|
||
secret key stored in the Secret **must** be un-padded, base64
|
||
URL encoded data.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- keyAlgorithm
|
||
- keyID
|
||
- keySecretRef
|
||
type: object
|
||
preferredChain:
|
||
description: 'PreferredChain is the chain to use if the ACME server
|
||
outputs multiple. PreferredChain is no guarantee that this one
|
||
gets delivered by the ACME endpoint. For example, for Let''s
|
||
Encrypt''s DST crosssign you would use: "DST Root CA X3" or
|
||
"ISRG Root X1" for the newer Let''s Encrypt root CA. This value
|
||
picks the first certificate bundle in the ACME alternative chains
|
||
that has a certificate with this value as its issuer''s CN'
|
||
maxLength: 64
|
||
type: string
|
||
privateKeySecretRef:
|
||
description: PrivateKey is the name of a Kubernetes Secret resource
|
||
that will be used to store the automatically generated ACME
|
||
account private key. Optionally, a `key` may be specified to
|
||
select a specific entry within the named Secret resource. If
|
||
`key` is not specified, a default of `tls.key` will be used.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field may
|
||
be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to. More
|
||
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
server:
|
||
description: 'Server is the URL used to access the ACME server''s
|
||
''directory'' endpoint. For example, for Let''s Encrypt''s staging
|
||
endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
|
||
Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
||
type: string
|
||
skipTLSVerify:
|
||
description: Enables or disables validation of the ACME server
|
||
TLS certificate. If true, requests to the ACME server will not
|
||
have their TLS certificate validated (i.e. insecure connections
|
||
will be allowed). Only enable this option in development environments.
|
||
The cert-manager system installed roots will be used to verify
|
||
connections to the ACME server if this is false. Defaults to
|
||
false.
|
||
type: boolean
|
||
solvers:
|
||
description: 'Solvers is a list of challenge solvers that will
|
||
be used to solve ACME challenges for the matching domains. Solver
|
||
configurations must be provided in order to obtain certificates
|
||
from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
||
items:
|
||
description: Configures an issuer to solve challenges using
|
||
the specified options. Only one of HTTP01 or DNS01 may be
|
||
provided.
|
||
properties:
|
||
dns01:
|
||
description: Configures cert-manager to attempt to complete
|
||
authorizations by performing the DNS01 challenge flow.
|
||
properties:
|
||
acmedns:
|
||
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
||
API to manage DNS01 challenge records.
|
||
properties:
|
||
accountSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
host:
|
||
type: string
|
||
required:
|
||
- accountSecretRef
|
||
- host
|
||
type: object
|
||
akamai:
|
||
description: Use the Akamai DNS zone management API
|
||
to manage DNS01 challenge records.
|
||
properties:
|
||
accessTokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientSecretSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientTokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
serviceConsumerDomain:
|
||
type: string
|
||
required:
|
||
- accessTokenSecretRef
|
||
- clientSecretSecretRef
|
||
- clientTokenSecretRef
|
||
- serviceConsumerDomain
|
||
type: object
|
||
azuredns:
|
||
description: Use the Microsoft Azure DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
clientID:
|
||
description: if both this and ClientSecret are left
|
||
unset MSI will be used
|
||
type: string
|
||
clientSecretSecretRef:
|
||
description: if both this and ClientID are left
|
||
unset MSI will be used
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
environment:
|
||
enum:
|
||
- AzurePublicCloud
|
||
- AzureChinaCloud
|
||
- AzureGermanCloud
|
||
- AzureUSGovernmentCloud
|
||
type: string
|
||
hostedZoneName:
|
||
type: string
|
||
resourceGroupName:
|
||
type: string
|
||
subscriptionID:
|
||
type: string
|
||
tenantID:
|
||
description: when specifying ClientID and ClientSecret
|
||
then this field is also needed
|
||
type: string
|
||
required:
|
||
- resourceGroupName
|
||
- subscriptionID
|
||
type: object
|
||
clouddns:
|
||
description: Use the Google Cloud DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
hostedZoneName:
|
||
description: HostedZoneName is an optional field
|
||
that tells cert-manager in which Cloud DNS zone
|
||
the challenge record has to be created. If left
|
||
empty cert-manager will automatically choose a
|
||
zone.
|
||
type: string
|
||
project:
|
||
type: string
|
||
serviceAccountSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- project
|
||
type: object
|
||
cloudflare:
|
||
description: Use the Cloudflare API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
apiKeySecretRef:
|
||
description: 'API key to use to authenticate with
|
||
Cloudflare. Note: using an API token to authenticate
|
||
is now the recommended method as it allows greater
|
||
control of permissions.'
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
apiTokenSecretRef:
|
||
description: API token used to authenticate with
|
||
Cloudflare.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
email:
|
||
description: Email of the account, only required
|
||
when using API key based authentication.
|
||
type: string
|
||
type: object
|
||
cnameStrategy:
|
||
description: CNAMEStrategy configures how the DNS01
|
||
provider should handle CNAME records when found in
|
||
DNS zones.
|
||
enum:
|
||
- None
|
||
- Follow
|
||
type: string
|
||
digitalocean:
|
||
description: Use the DigitalOcean DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
tokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- tokenSecretRef
|
||
type: object
|
||
rfc2136:
|
||
description: Use RFC2136 ("Dynamic Updates in the Domain
|
||
Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
||
to manage DNS01 challenge records.
|
||
properties:
|
||
nameserver:
|
||
description: The IP address or hostname of an authoritative
|
||
DNS server supporting RFC2136 in the form host:port.
|
||
If the host is an IPv6 address it must be enclosed
|
||
in square brackets (e.g [2001:db8::1]) ; port
|
||
is optional. This field is required.
|
||
type: string
|
||
tsigAlgorithm:
|
||
description: 'The TSIG Algorithm configured in the
|
||
DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
||
and ``tsigKeyName`` are defined. Supported values
|
||
are (case-insensitive): ``HMACMD5`` (default),
|
||
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
||
type: string
|
||
tsigKeyName:
|
||
description: The TSIG Key name configured in the
|
||
DNS. If ``tsigSecretSecretRef`` is defined, this
|
||
field is required.
|
||
type: string
|
||
tsigSecretSecretRef:
|
||
description: The name of the secret containing the
|
||
TSIG value. If ``tsigKeyName`` is defined, this
|
||
field is required.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- nameserver
|
||
type: object
|
||
route53:
|
||
description: Use the AWS Route53 API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
accessKeyID:
|
||
description: 'The AccessKeyID is used for authentication.
|
||
If not set we fall-back to using env vars, shared
|
||
credentials file or AWS Instance metadata see:
|
||
https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
||
type: string
|
||
hostedZoneID:
|
||
description: If set, the provider will manage only
|
||
this zone in Route53 and will not do an lookup
|
||
using the route53:ListHostedZonesByName api call.
|
||
type: string
|
||
region:
|
||
description: Always set the region when using AccessKeyID
|
||
and SecretAccessKey
|
||
type: string
|
||
role:
|
||
description: Role is a Role ARN which the Route53
|
||
provider will assume using either the explicit
|
||
credentials AccessKeyID/SecretAccessKey or the
|
||
inferred credentials from environment variables,
|
||
shared credentials file or AWS Instance metadata
|
||
type: string
|
||
secretAccessKeySecretRef:
|
||
description: The SecretAccessKey is used for authentication.
|
||
If not set we fall-back to using env vars, shared
|
||
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- region
|
||
type: object
|
||
webhook:
|
||
description: Configure an external webhook based DNS01
|
||
challenge solver to manage DNS01 challenge records.
|
||
properties:
|
||
config:
|
||
description: Additional configuration that should
|
||
be passed to the webhook apiserver when challenges
|
||
are processed. This can contain arbitrary JSON
|
||
data. Secret values should not be specified in
|
||
this stanza. If secret values are needed (e.g.
|
||
credentials for a DNS service), you should use
|
||
a SecretKeySelector to reference a Secret resource.
|
||
For details on the schema of this field, consult
|
||
the webhook provider implementation's documentation.
|
||
x-kubernetes-preserve-unknown-fields: true
|
||
groupName:
|
||
description: The API group name that should be used
|
||
when POSTing ChallengePayload resources to the
|
||
webhook apiserver. This should be the same as
|
||
the GroupName specified in the webhook provider
|
||
implementation.
|
||
type: string
|
||
solverName:
|
||
description: The name of the solver to use, as defined
|
||
in the webhook provider implementation. This will
|
||
typically be the name of the provider, e.g. 'cloudflare'.
|
||
type: string
|
||
required:
|
||
- groupName
|
||
- solverName
|
||
type: object
|
||
type: object
|
||
http01:
|
||
description: Configures cert-manager to attempt to complete
|
||
authorizations by performing the HTTP01 challenge flow.
|
||
It is not possible to obtain certificates for wildcard
|
||
domain names (e.g. `*.example.com`) using the HTTP01 challenge
|
||
mechanism.
|
||
properties:
|
||
ingress:
|
||
description: The ingress based HTTP01 challenge solver
|
||
will solve challenges by creating or modifying Ingress
|
||
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
|
||
to 'challenge solver' pods that are provisioned by
|
||
cert-manager for each Challenge to be completed.
|
||
properties:
|
||
class:
|
||
description: The ingress class to use when creating
|
||
Ingress resources to solve ACME challenges that
|
||
use this challenge solver. Only one of 'class'
|
||
or 'name' may be specified.
|
||
type: string
|
||
ingressTemplate:
|
||
description: Optional ingress template used to configure
|
||
the ACME challenge solver ingress used for HTTP01
|
||
challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the ingress
|
||
used to solve HTTP01 challenges. Only the
|
||
'labels' and 'annotations' fields may be set.
|
||
If labels or annotations overlap with in-built
|
||
values, the values here will override the
|
||
in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be
|
||
added to the created ACME HTTP01 solver
|
||
ingress.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added
|
||
to the created ACME HTTP01 solver ingress.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
name:
|
||
description: The name of the ingress resource that
|
||
should have ACME challenge solving routes inserted
|
||
into it in order to solve HTTP01 challenges. This
|
||
is typically used in conjunction with ingress
|
||
controllers like ingress-gce, which maintains
|
||
a 1:1 mapping between external IPs and ingress
|
||
resources.
|
||
type: string
|
||
podTemplate:
|
||
description: Optional pod template used to configure
|
||
the ACME challenge solver pods used for HTTP01
|
||
challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the pod
|
||
used to solve HTTP01 challenges. Only the
|
||
'labels' and 'annotations' fields may be set.
|
||
If labels or annotations overlap with in-built
|
||
values, the values here will override the
|
||
in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be
|
||
added to the create ACME HTTP01 solver
|
||
pods.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added
|
||
to the created ACME HTTP01 solver pods.
|
||
type: object
|
||
type: object
|
||
spec:
|
||
description: PodSpec defines overrides for the
|
||
HTTP01 challenge solver pod. Only the 'priorityClassName',
|
||
'nodeSelector', 'affinity', 'serviceAccountName'
|
||
and 'tolerations' fields are supported currently.
|
||
All other fields will be ignored.
|
||
properties:
|
||
affinity:
|
||
description: If specified, the pod's scheduling
|
||
constraints
|
||
properties:
|
||
nodeAffinity:
|
||
description: Describes node affinity
|
||
scheduling rules for the pod.
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the affinity expressions
|
||
specified by this field, but it
|
||
may choose a node that violates
|
||
one or more of the expressions.
|
||
The node that is most preferred
|
||
is the one with the greatest sum
|
||
of weights, i.e. for each node
|
||
that meets all of the scheduling
|
||
requirements (resource request,
|
||
requiredDuringScheduling affinity
|
||
expressions, etc.), compute a
|
||
sum by iterating through the elements
|
||
of this field and adding "weight"
|
||
to the sum if the node matches
|
||
the corresponding matchExpressions;
|
||
the node(s) with the highest sum
|
||
are the most preferred.
|
||
items:
|
||
description: An empty preferred
|
||
scheduling term matches all
|
||
objects with implicit weight
|
||
0 (i.e. it's a no-op). A null
|
||
preferred scheduling term matches
|
||
no objects (i.e. is also a no-op).
|
||
properties:
|
||
preference:
|
||
description: A node selector
|
||
term, associated with the
|
||
corresponding weight.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's labels.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's fields.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
weight:
|
||
description: Weight associated
|
||
with matching the corresponding
|
||
nodeSelectorTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- preference
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not
|
||
met at scheduling time, the pod
|
||
will not be scheduled onto the
|
||
node. If the affinity requirements
|
||
specified by this field cease
|
||
to be met at some point during
|
||
pod execution (e.g. due to an
|
||
update), the system may or may
|
||
not try to eventually evict the
|
||
pod from its node.
|
||
properties:
|
||
nodeSelectorTerms:
|
||
description: Required. A list
|
||
of node selector terms. The
|
||
terms are ORed.
|
||
items:
|
||
description: A null or empty
|
||
node selector term matches
|
||
no objects. The requirements
|
||
of them are ANDed. The TopologySelectorTerm
|
||
type implements a subset
|
||
of the NodeSelectorTerm.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's labels.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's fields.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: array
|
||
required:
|
||
- nodeSelectorTerms
|
||
type: object
|
||
type: object
|
||
podAffinity:
|
||
description: Describes pod affinity
|
||
scheduling rules (e.g. co-locate this
|
||
pod in the same node, zone, etc. as
|
||
some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the affinity expressions
|
||
specified by this field, but it
|
||
may choose a node that violates
|
||
one or more of the expressions.
|
||
The node that is most preferred
|
||
is the one with the greatest sum
|
||
of weights, i.e. for each node
|
||
that meets all of the scheduling
|
||
requirements (resource request,
|
||
requiredDuringScheduling affinity
|
||
expressions, etc.), compute a
|
||
sum by iterating through the elements
|
||
of this field and adding "weight"
|
||
to the sum if the node has pods
|
||
which matches the corresponding
|
||
podAffinityTerm; the node(s) with
|
||
the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all
|
||
of the matched WeightedPodAffinityTerm
|
||
fields are added per-node to
|
||
find the most preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod
|
||
affinity term, associated
|
||
with the corresponding weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label
|
||
selector requirements.
|
||
The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector
|
||
that contains
|
||
values, a key,
|
||
and an operator
|
||
that relates the
|
||
key and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label
|
||
key that the
|
||
selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents
|
||
a key's relationship
|
||
to a set of
|
||
values. Valid
|
||
operators
|
||
are In, NotIn,
|
||
Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array
|
||
of string
|
||
values. If
|
||
the operator
|
||
is In or NotIn,
|
||
the values
|
||
array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists
|
||
or DoesNotExist,
|
||
the values
|
||
array must
|
||
be empty.
|
||
This array
|
||
is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single
|
||
{key,value} in the
|
||
matchLabels map
|
||
is equivalent to
|
||
an element of matchExpressions,
|
||
whose key field
|
||
is "key", the operator
|
||
is "In", and the
|
||
values array contains
|
||
only "value". The
|
||
requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces
|
||
specifies which namespaces
|
||
the labelSelector applies
|
||
to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod
|
||
should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with
|
||
the pods matching the
|
||
labelSelector in the
|
||
specified namespaces,
|
||
where co-located is
|
||
defined as running on
|
||
a node whose value of
|
||
the label with key topologyKey
|
||
matches that of any
|
||
node on which any of
|
||
the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated
|
||
with matching the corresponding
|
||
podAffinityTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not
|
||
met at scheduling time, the pod
|
||
will not be scheduled onto the
|
||
node. If the affinity requirements
|
||
specified by this field cease
|
||
to be met at some point during
|
||
pod execution (e.g. due to a pod
|
||
label update), the system may
|
||
or may not try to eventually evict
|
||
the pod from its node. When there
|
||
are multiple elements, the lists
|
||
of nodes corresponding to each
|
||
podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of
|
||
pods (namely those matching
|
||
the labelSelector relative to
|
||
the given namespace(s)) that
|
||
this pod should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with, where
|
||
co-located is defined as running
|
||
on a node whose value of the
|
||
label with key <topologyKey>
|
||
matches that of any node on
|
||
which a pod of the set of pods
|
||
is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label key
|
||
that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of
|
||
string values.
|
||
If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an
|
||
element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In",
|
||
and the values array
|
||
contains only "value".
|
||
The requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on
|
||
a node whose value of the
|
||
label with key topologyKey
|
||
matches that of any node
|
||
on which any of the selected
|
||
pods is running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
podAntiAffinity:
|
||
description: Describes pod anti-affinity
|
||
scheduling rules (e.g. avoid putting
|
||
this pod in the same node, zone, etc.
|
||
as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the anti-affinity
|
||
expressions specified by this
|
||
field, but it may choose a node
|
||
that violates one or more of the
|
||
expressions. The node that is
|
||
most preferred is the one with
|
||
the greatest sum of weights, i.e.
|
||
for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling
|
||
anti-affinity expressions, etc.),
|
||
compute a sum by iterating through
|
||
the elements of this field and
|
||
adding "weight" to the sum if
|
||
the node has pods which matches
|
||
the corresponding podAffinityTerm;
|
||
the node(s) with the highest sum
|
||
are the most preferred.
|
||
items:
|
||
description: The weights of all
|
||
of the matched WeightedPodAffinityTerm
|
||
fields are added per-node to
|
||
find the most preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod
|
||
affinity term, associated
|
||
with the corresponding weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label
|
||
selector requirements.
|
||
The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector
|
||
that contains
|
||
values, a key,
|
||
and an operator
|
||
that relates the
|
||
key and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label
|
||
key that the
|
||
selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents
|
||
a key's relationship
|
||
to a set of
|
||
values. Valid
|
||
operators
|
||
are In, NotIn,
|
||
Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array
|
||
of string
|
||
values. If
|
||
the operator
|
||
is In or NotIn,
|
||
the values
|
||
array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists
|
||
or DoesNotExist,
|
||
the values
|
||
array must
|
||
be empty.
|
||
This array
|
||
is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single
|
||
{key,value} in the
|
||
matchLabels map
|
||
is equivalent to
|
||
an element of matchExpressions,
|
||
whose key field
|
||
is "key", the operator
|
||
is "In", and the
|
||
values array contains
|
||
only "value". The
|
||
requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces
|
||
specifies which namespaces
|
||
the labelSelector applies
|
||
to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod
|
||
should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with
|
||
the pods matching the
|
||
labelSelector in the
|
||
specified namespaces,
|
||
where co-located is
|
||
defined as running on
|
||
a node whose value of
|
||
the label with key topologyKey
|
||
matches that of any
|
||
node on which any of
|
||
the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated
|
||
with matching the corresponding
|
||
podAffinityTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the anti-affinity
|
||
requirements specified by this
|
||
field are not met at scheduling
|
||
time, the pod will not be scheduled
|
||
onto the node. If the anti-affinity
|
||
requirements specified by this
|
||
field cease to be met at some
|
||
point during pod execution (e.g.
|
||
due to a pod label update), the
|
||
system may or may not try to eventually
|
||
evict the pod from its node. When
|
||
there are multiple elements, the
|
||
lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of
|
||
pods (namely those matching
|
||
the labelSelector relative to
|
||
the given namespace(s)) that
|
||
this pod should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with, where
|
||
co-located is defined as running
|
||
on a node whose value of the
|
||
label with key <topologyKey>
|
||
matches that of any node on
|
||
which a pod of the set of pods
|
||
is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label key
|
||
that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of
|
||
string values.
|
||
If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an
|
||
element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In",
|
||
and the values array
|
||
contains only "value".
|
||
The requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on
|
||
a node whose value of the
|
||
label with key topologyKey
|
||
matches that of any node
|
||
on which any of the selected
|
||
pods is running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
nodeSelector:
|
||
additionalProperties:
|
||
type: string
|
||
description: 'NodeSelector is a selector
|
||
which must be true for the pod to fit
|
||
on a node. Selector which must match a
|
||
node''s labels for the pod to be scheduled
|
||
on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
||
type: object
|
||
priorityClassName:
|
||
description: If specified, the pod's priorityClassName.
|
||
type: string
|
||
serviceAccountName:
|
||
description: If specified, the pod's service
|
||
account
|
||
type: string
|
||
tolerations:
|
||
description: If specified, the pod's tolerations.
|
||
items:
|
||
description: The pod this Toleration is
|
||
attached to tolerates any taint that
|
||
matches the triple <key,value,effect>
|
||
using the matching operator <operator>.
|
||
properties:
|
||
effect:
|
||
description: Effect indicates the
|
||
taint effect to match. Empty means
|
||
match all taint effects. When specified,
|
||
allowed values are NoSchedule, PreferNoSchedule
|
||
and NoExecute.
|
||
type: string
|
||
key:
|
||
description: Key is the taint key
|
||
that the toleration applies to.
|
||
Empty means match all taint keys.
|
||
If the key is empty, operator must
|
||
be Exists; this combination means
|
||
to match all values and all keys.
|
||
type: string
|
||
operator:
|
||
description: Operator represents a
|
||
key's relationship to the value.
|
||
Valid operators are Exists and Equal.
|
||
Defaults to Equal. Exists is equivalent
|
||
to wildcard for value, so that a
|
||
pod can tolerate all taints of a
|
||
particular category.
|
||
type: string
|
||
tolerationSeconds:
|
||
description: TolerationSeconds represents
|
||
the period of time the toleration
|
||
(which must be of effect NoExecute,
|
||
otherwise this field is ignored)
|
||
tolerates the taint. By default,
|
||
it is not set, which means tolerate
|
||
the taint forever (do not evict).
|
||
Zero and negative values will be
|
||
treated as 0 (evict immediately)
|
||
by the system.
|
||
format: int64
|
||
type: integer
|
||
value:
|
||
description: Value is the taint value
|
||
the toleration matches to. If the
|
||
operator is Exists, the value should
|
||
be empty, otherwise just a regular
|
||
string.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
serviceType:
|
||
description: Optional service type for Kubernetes
|
||
solver service
|
||
type: string
|
||
type: object
|
||
type: object
|
||
selector:
|
||
description: Selector selects a set of DNSNames on the Certificate
|
||
resource that should be solved using this challenge solver.
|
||
If not specified, the solver will be treated as the 'default'
|
||
solver with the lowest priority, i.e. if any other solver
|
||
has a more specific match, it will be used instead.
|
||
properties:
|
||
dnsNames:
|
||
description: List of DNSNames that this solver will
|
||
be used to solve. If specified and a match is found,
|
||
a dnsNames selector will take precedence over a dnsZones
|
||
selector. If multiple solvers match with the same
|
||
dnsNames value, the solver with the most matching
|
||
labels in matchLabels will be selected. If neither
|
||
has more matches, the solver defined earlier in the
|
||
list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
dnsZones:
|
||
description: List of DNSZones that this solver will
|
||
be used to solve. The most specific DNS zone match
|
||
specified here will take precedence over other DNS
|
||
zone matches, so a solver specifying sys.example.com
|
||
will be selected over one specifying example.com for
|
||
the domain www.sys.example.com. If multiple solvers
|
||
match with the same dnsZones value, the solver with
|
||
the most matching labels in matchLabels will be selected.
|
||
If neither has more matches, the solver defined earlier
|
||
in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: A label selector that is used to refine
|
||
the set of certificate's that this challenge solver
|
||
will apply to.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
type: array
|
||
required:
|
||
- privateKeySecretRef
|
||
- server
|
||
type: object
|
||
ca:
|
||
description: CA configures this issuer to sign certificates using
|
||
a signing CA keypair stored in a Secret resource. This is used to
|
||
build internal PKIs that are managed by cert-manager.
|
||
properties:
|
||
crlDistributionPoints:
|
||
description: The CRL distribution points is an X.509 v3 certificate
|
||
extension which identifies the location of the CRL from which
|
||
the revocation of this certificate can be checked. If not set,
|
||
certificates will be issued without distribution points set.
|
||
items:
|
||
type: string
|
||
type: array
|
||
secretName:
|
||
description: SecretName is the name of the secret used to sign
|
||
Certificates issued by this Issuer.
|
||
type: string
|
||
required:
|
||
- secretName
|
||
type: object
|
||
selfSigned:
|
||
description: SelfSigned configures this issuer to 'self sign' certificates
|
||
using the private key used to create the CertificateRequest object.
|
||
properties:
|
||
crlDistributionPoints:
|
||
description: The CRL distribution points is an X.509 v3 certificate
|
||
extension which identifies the location of the CRL from which
|
||
the revocation of this certificate can be checked. If not set
|
||
certificate will be issued without CDP. Values are strings.
|
||
items:
|
||
type: string
|
||
type: array
|
||
type: object
|
||
vault:
|
||
description: Vault configures this issuer to sign certificates using
|
||
a HashiCorp Vault PKI backend.
|
||
properties:
|
||
auth:
|
||
description: Auth configures how cert-manager authenticates with
|
||
the Vault server.
|
||
properties:
|
||
appRole:
|
||
description: AppRole authenticates with Vault using the App
|
||
Role auth mechanism, with the role and secret stored in
|
||
a Kubernetes Secret resource.
|
||
properties:
|
||
path:
|
||
description: 'Path where the App Role authentication backend
|
||
is mounted in Vault, e.g: "approle"'
|
||
type: string
|
||
roleId:
|
||
description: RoleID configured in the App Role authentication
|
||
backend when setting up the authentication backend in
|
||
Vault.
|
||
type: string
|
||
secretRef:
|
||
description: Reference to a key in a Secret that contains
|
||
the App Role secret used to authenticate with Vault.
|
||
The `key` field must be specified and denotes which
|
||
entry within the Secret resource is used as the app
|
||
role secret.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- path
|
||
- roleId
|
||
- secretRef
|
||
type: object
|
||
kubernetes:
|
||
description: Kubernetes authenticates with Vault by passing
|
||
the ServiceAccount token stored in the named Secret resource
|
||
to the Vault server.
|
||
properties:
|
||
mountPath:
|
||
description: The Vault mountPath here is the mount path
|
||
to use when authenticating with Vault. For example,
|
||
setting a value to `/v1/auth/foo`, will use the path
|
||
`/v1/auth/foo/login` to authenticate with Vault. If
|
||
unspecified, the default value "/v1/auth/kubernetes"
|
||
will be used.
|
||
type: string
|
||
role:
|
||
description: A required field containing the Vault Role
|
||
to assume. A Role binds a Kubernetes ServiceAccount
|
||
with a set of Vault policies.
|
||
type: string
|
||
secretRef:
|
||
description: The required Secret field containing a Kubernetes
|
||
ServiceAccount JWT used for authenticating with Vault.
|
||
Use of 'ambient credentials' is not supported.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- role
|
||
- secretRef
|
||
type: object
|
||
tokenSecretRef:
|
||
description: TokenSecretRef authenticates with Vault by presenting
|
||
a token.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
type: object
|
||
caBundle:
|
||
description: PEM encoded CA bundle used to validate Vault server
|
||
certificate. Only used if the Server URL is using HTTPS protocol.
|
||
This parameter is ignored for plain HTTP protocol connection.
|
||
If not set the system root certificates are used to validate
|
||
the TLS connection.
|
||
format: byte
|
||
type: string
|
||
namespace:
|
||
description: 'Name of the vault namespace. Namespaces is a set
|
||
of features within Vault Enterprise that allows Vault environments
|
||
to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
|
||
can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
||
type: string
|
||
path:
|
||
description: 'Path is the mount path of the Vault PKI backend''s
|
||
`sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
||
type: string
|
||
server:
|
||
description: 'Server is the connection address for the Vault server,
|
||
e.g: "https://vault.example.com:8200".'
|
||
type: string
|
||
required:
|
||
- auth
|
||
- path
|
||
- server
|
||
type: object
|
||
venafi:
|
||
description: Venafi configures this issuer to sign certificates using
|
||
a Venafi TPP or Venafi Cloud policy zone.
|
||
properties:
|
||
cloud:
|
||
description: Cloud specifies the Venafi cloud configuration settings.
|
||
Only one of TPP or Cloud may be specified.
|
||
properties:
|
||
apiTokenSecretRef:
|
||
description: APITokenSecretRef is a secret key selector for
|
||
the Venafi Cloud API token.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
url:
|
||
description: URL is the base URL for Venafi Cloud. Defaults
|
||
to "https://api.venafi.cloud/v1".
|
||
type: string
|
||
required:
|
||
- apiTokenSecretRef
|
||
type: object
|
||
tpp:
|
||
description: TPP specifies Trust Protection Platform configuration
|
||
settings. Only one of TPP or Cloud may be specified.
|
||
properties:
|
||
caBundle:
|
||
description: CABundle is a PEM encoded TLS certificate to
|
||
use to verify connections to the TPP instance. If specified,
|
||
system roots will not be used and the issuing CA for the
|
||
TPP instance must be verifiable using the provided root.
|
||
If not specified, the connection will be verified using
|
||
the cert-manager system root certificates.
|
||
format: byte
|
||
type: string
|
||
credentialsRef:
|
||
description: CredentialsRef is a reference to a Secret containing
|
||
the username and password for the TPP server. The secret
|
||
must contain two keys, 'username' and 'password'.
|
||
properties:
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
url:
|
||
description: 'URL is the base URL for the vedsdk endpoint
|
||
of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
||
type: string
|
||
required:
|
||
- credentialsRef
|
||
- url
|
||
type: object
|
||
zone:
|
||
description: Zone is the Venafi Policy Zone to use for this issuer.
|
||
All requests made to the Venafi platform will be restricted
|
||
by the named zone policy. This field is required.
|
||
type: string
|
||
required:
|
||
- zone
|
||
type: object
|
||
type: object
|
||
status:
|
||
description: Status of the ClusterIssuer. This is set and managed automatically.
|
||
properties:
|
||
acme:
|
||
description: ACME specific status options. This field should only
|
||
be set if the Issuer is configured to use an ACME server to issue
|
||
certificates.
|
||
properties:
|
||
lastRegisteredEmail:
|
||
description: LastRegisteredEmail is the email associated with
|
||
the latest registered ACME account, in order to track changes
|
||
made to registered account associated with the Issuer
|
||
type: string
|
||
uri:
|
||
description: URI is the unique account identifier, which can also
|
||
be used to retrieve account details from the CA
|
||
type: string
|
||
type: object
|
||
conditions:
|
||
description: List of status conditions to indicate the status of a
|
||
CertificateRequest. Known condition types are `Ready`.
|
||
items:
|
||
description: IssuerCondition contains condition information for
|
||
an Issuer.
|
||
properties:
|
||
lastTransitionTime:
|
||
description: LastTransitionTime is the timestamp corresponding
|
||
to the last status change of this condition.
|
||
format: date-time
|
||
type: string
|
||
message:
|
||
description: Message is a human readable description of the
|
||
details of the last transition, complementing reason.
|
||
type: string
|
||
reason:
|
||
description: Reason is a brief machine readable explanation
|
||
for the condition's last transition.
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of ('True', 'False',
|
||
'Unknown').
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: Type of the condition, known values are ('Ready').
|
||
type: string
|
||
required:
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
served: true
|
||
storage: false
|
||
subresources:
|
||
status: {}
|
||
- additionalPrinterColumns:
|
||
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
||
name: Ready
|
||
type: string
|
||
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
||
name: Status
|
||
priority: 1
|
||
type: string
|
||
- description: CreationTimestamp is a timestamp representing the server time when
|
||
this object was created. It is not guaranteed to be set in happens-before
|
||
order across separate operations. Clients may not set this value. It is represented
|
||
in RFC3339 form and is in UTC.
|
||
jsonPath: .metadata.creationTimestamp
|
||
name: Age
|
||
type: date
|
||
name: v1beta1
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: A ClusterIssuer represents a certificate issuing authority which
|
||
can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
|
||
however it is cluster-scoped and therefore can be referenced by resources
|
||
that exist in *any* namespace, not just the same namespace as the referent.
|
||
properties:
|
||
apiVersion:
|
||
description: 'APIVersion defines the versioned schema of this representation
|
||
of an object. Servers should convert recognized schemas to the latest
|
||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
type: string
|
||
kind:
|
||
description: 'Kind is a string value representing the REST resource this
|
||
object represents. Servers may infer this from the endpoint the client
|
||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
description: Desired state of the ClusterIssuer resource.
|
||
properties:
|
||
acme:
|
||
description: ACME configures this issuer to communicate with a RFC8555
|
||
(ACME) server to obtain signed x509 certificates.
|
||
properties:
|
||
disableAccountKeyGeneration:
|
||
description: Enables or disables generating a new ACME account
|
||
key. If true, the Issuer resource will *not* request a new account
|
||
but will expect the account key to be supplied via an existing
|
||
secret. If false, the cert-manager system will generate a new
|
||
ACME account key for the Issuer. Defaults to false.
|
||
type: boolean
|
||
email:
|
||
description: Email is the email address to be associated with
|
||
the ACME account. This field is optional, but it is strongly
|
||
recommended to be set. It will be used to contact you in case
|
||
of issues with your account or certificates, including expiry
|
||
notification emails. This field may be updated after the account
|
||
is initially registered.
|
||
type: string
|
||
externalAccountBinding:
|
||
description: ExternalAccountBinding is a reference to a CA external
|
||
account of the ACME server. If set, upon registration cert-manager
|
||
will attempt to associate the given external account credentials
|
||
with the registered ACME account.
|
||
properties:
|
||
keyAlgorithm:
|
||
description: keyAlgorithm is the MAC key algorithm that the
|
||
key is used for. Valid values are "HS256", "HS384" and "HS512".
|
||
enum:
|
||
- HS256
|
||
- HS384
|
||
- HS512
|
||
type: string
|
||
keyID:
|
||
description: keyID is the ID of the CA key that the External
|
||
Account is bound to.
|
||
type: string
|
||
keySecretRef:
|
||
description: keySecretRef is a Secret Key Selector referencing
|
||
a data item in a Kubernetes Secret which holds the symmetric
|
||
MAC key of the External Account Binding. The `key` is the
|
||
index string that is paired with the key data in the Secret
|
||
and should not be confused with the key data itself, or
|
||
indeed with the External Account Binding keyID above. The
|
||
secret key stored in the Secret **must** be un-padded, base64
|
||
URL encoded data.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- keyAlgorithm
|
||
- keyID
|
||
- keySecretRef
|
||
type: object
|
||
preferredChain:
|
||
description: 'PreferredChain is the chain to use if the ACME server
|
||
outputs multiple. PreferredChain is no guarantee that this one
|
||
gets delivered by the ACME endpoint. For example, for Let''s
|
||
Encrypt''s DST crosssign you would use: "DST Root CA X3" or
|
||
"ISRG Root X1" for the newer Let''s Encrypt root CA. This value
|
||
picks the first certificate bundle in the ACME alternative chains
|
||
that has a certificate with this value as its issuer''s CN'
|
||
maxLength: 64
|
||
type: string
|
||
privateKeySecretRef:
|
||
description: PrivateKey is the name of a Kubernetes Secret resource
|
||
that will be used to store the automatically generated ACME
|
||
account private key. Optionally, a `key` may be specified to
|
||
select a specific entry within the named Secret resource. If
|
||
`key` is not specified, a default of `tls.key` will be used.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field may
|
||
be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to. More
|
||
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
server:
|
||
description: 'Server is the URL used to access the ACME server''s
|
||
''directory'' endpoint. For example, for Let''s Encrypt''s staging
|
||
endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
|
||
Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
||
type: string
|
||
skipTLSVerify:
|
||
description: Enables or disables validation of the ACME server
|
||
TLS certificate. If true, requests to the ACME server will not
|
||
have their TLS certificate validated (i.e. insecure connections
|
||
will be allowed). Only enable this option in development environments.
|
||
The cert-manager system installed roots will be used to verify
|
||
connections to the ACME server if this is false. Defaults to
|
||
false.
|
||
type: boolean
|
||
solvers:
|
||
description: 'Solvers is a list of challenge solvers that will
|
||
be used to solve ACME challenges for the matching domains. Solver
|
||
configurations must be provided in order to obtain certificates
|
||
from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
||
items:
|
||
description: Configures an issuer to solve challenges using
|
||
the specified options. Only one of HTTP01 or DNS01 may be
|
||
provided.
|
||
properties:
|
||
dns01:
|
||
description: Configures cert-manager to attempt to complete
|
||
authorizations by performing the DNS01 challenge flow.
|
||
properties:
|
||
acmeDNS:
|
||
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
||
API to manage DNS01 challenge records.
|
||
properties:
|
||
accountSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
host:
|
||
type: string
|
||
required:
|
||
- accountSecretRef
|
||
- host
|
||
type: object
|
||
akamai:
|
||
description: Use the Akamai DNS zone management API
|
||
to manage DNS01 challenge records.
|
||
properties:
|
||
accessTokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientSecretSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientTokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
serviceConsumerDomain:
|
||
type: string
|
||
required:
|
||
- accessTokenSecretRef
|
||
- clientSecretSecretRef
|
||
- clientTokenSecretRef
|
||
- serviceConsumerDomain
|
||
type: object
|
||
azureDNS:
|
||
description: Use the Microsoft Azure DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
clientID:
|
||
description: if both this and ClientSecret are left
|
||
unset MSI will be used
|
||
type: string
|
||
clientSecretSecretRef:
|
||
description: if both this and ClientID are left
|
||
unset MSI will be used
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
environment:
|
||
enum:
|
||
- AzurePublicCloud
|
||
- AzureChinaCloud
|
||
- AzureGermanCloud
|
||
- AzureUSGovernmentCloud
|
||
type: string
|
||
hostedZoneName:
|
||
type: string
|
||
resourceGroupName:
|
||
type: string
|
||
subscriptionID:
|
||
type: string
|
||
tenantID:
|
||
description: when specifying ClientID and ClientSecret
|
||
then this field is also needed
|
||
type: string
|
||
required:
|
||
- resourceGroupName
|
||
- subscriptionID
|
||
type: object
|
||
cloudDNS:
|
||
description: Use the Google Cloud DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
hostedZoneName:
|
||
description: HostedZoneName is an optional field
|
||
that tells cert-manager in which Cloud DNS zone
|
||
the challenge record has to be created. If left
|
||
empty cert-manager will automatically choose a
|
||
zone.
|
||
type: string
|
||
project:
|
||
type: string
|
||
serviceAccountSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- project
|
||
type: object
|
||
cloudflare:
|
||
description: Use the Cloudflare API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
apiKeySecretRef:
|
||
description: 'API key to use to authenticate with
|
||
Cloudflare. Note: using an API token to authenticate
|
||
is now the recommended method as it allows greater
|
||
control of permissions.'
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
apiTokenSecretRef:
|
||
description: API token used to authenticate with
|
||
Cloudflare.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
email:
|
||
description: Email of the account, only required
|
||
when using API key based authentication.
|
||
type: string
|
||
type: object
|
||
cnameStrategy:
|
||
description: CNAMEStrategy configures how the DNS01
|
||
provider should handle CNAME records when found in
|
||
DNS zones.
|
||
enum:
|
||
- None
|
||
- Follow
|
||
type: string
|
||
digitalocean:
|
||
description: Use the DigitalOcean DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
tokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- tokenSecretRef
|
||
type: object
|
||
rfc2136:
|
||
description: Use RFC2136 ("Dynamic Updates in the Domain
|
||
Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
||
to manage DNS01 challenge records.
|
||
properties:
|
||
nameserver:
|
||
description: The IP address or hostname of an authoritative
|
||
DNS server supporting RFC2136 in the form host:port.
|
||
If the host is an IPv6 address it must be enclosed
|
||
in square brackets (e.g [2001:db8::1]) ; port
|
||
is optional. This field is required.
|
||
type: string
|
||
tsigAlgorithm:
|
||
description: 'The TSIG Algorithm configured in the
|
||
DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
||
and ``tsigKeyName`` are defined. Supported values
|
||
are (case-insensitive): ``HMACMD5`` (default),
|
||
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
||
type: string
|
||
tsigKeyName:
|
||
description: The TSIG Key name configured in the
|
||
DNS. If ``tsigSecretSecretRef`` is defined, this
|
||
field is required.
|
||
type: string
|
||
tsigSecretSecretRef:
|
||
description: The name of the secret containing the
|
||
TSIG value. If ``tsigKeyName`` is defined, this
|
||
field is required.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- nameserver
|
||
type: object
|
||
route53:
|
||
description: Use the AWS Route53 API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
accessKeyID:
|
||
description: 'The AccessKeyID is used for authentication.
|
||
If not set we fall-back to using env vars, shared
|
||
credentials file or AWS Instance metadata see:
|
||
https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
||
type: string
|
||
hostedZoneID:
|
||
description: If set, the provider will manage only
|
||
this zone in Route53 and will not do an lookup
|
||
using the route53:ListHostedZonesByName api call.
|
||
type: string
|
||
region:
|
||
description: Always set the region when using AccessKeyID
|
||
and SecretAccessKey
|
||
type: string
|
||
role:
|
||
description: Role is a Role ARN which the Route53
|
||
provider will assume using either the explicit
|
||
credentials AccessKeyID/SecretAccessKey or the
|
||
inferred credentials from environment variables,
|
||
shared credentials file or AWS Instance metadata
|
||
type: string
|
||
secretAccessKeySecretRef:
|
||
description: The SecretAccessKey is used for authentication.
|
||
If not set we fall-back to using env vars, shared
|
||
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- region
|
||
type: object
|
||
webhook:
|
||
description: Configure an external webhook based DNS01
|
||
challenge solver to manage DNS01 challenge records.
|
||
properties:
|
||
config:
|
||
description: Additional configuration that should
|
||
be passed to the webhook apiserver when challenges
|
||
are processed. This can contain arbitrary JSON
|
||
data. Secret values should not be specified in
|
||
this stanza. If secret values are needed (e.g.
|
||
credentials for a DNS service), you should use
|
||
a SecretKeySelector to reference a Secret resource.
|
||
For details on the schema of this field, consult
|
||
the webhook provider implementation's documentation.
|
||
x-kubernetes-preserve-unknown-fields: true
|
||
groupName:
|
||
description: The API group name that should be used
|
||
when POSTing ChallengePayload resources to the
|
||
webhook apiserver. This should be the same as
|
||
the GroupName specified in the webhook provider
|
||
implementation.
|
||
type: string
|
||
solverName:
|
||
description: The name of the solver to use, as defined
|
||
in the webhook provider implementation. This will
|
||
typically be the name of the provider, e.g. 'cloudflare'.
|
||
type: string
|
||
required:
|
||
- groupName
|
||
- solverName
|
||
type: object
|
||
type: object
|
||
http01:
|
||
description: Configures cert-manager to attempt to complete
|
||
authorizations by performing the HTTP01 challenge flow.
|
||
It is not possible to obtain certificates for wildcard
|
||
domain names (e.g. `*.example.com`) using the HTTP01 challenge
|
||
mechanism.
|
||
properties:
|
||
ingress:
|
||
description: The ingress based HTTP01 challenge solver
|
||
will solve challenges by creating or modifying Ingress
|
||
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
|
||
to 'challenge solver' pods that are provisioned by
|
||
cert-manager for each Challenge to be completed.
|
||
properties:
|
||
class:
|
||
description: The ingress class to use when creating
|
||
Ingress resources to solve ACME challenges that
|
||
use this challenge solver. Only one of 'class'
|
||
or 'name' may be specified.
|
||
type: string
|
||
ingressTemplate:
|
||
description: Optional ingress template used to configure
|
||
the ACME challenge solver ingress used for HTTP01
|
||
challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the ingress
|
||
used to solve HTTP01 challenges. Only the
|
||
'labels' and 'annotations' fields may be set.
|
||
If labels or annotations overlap with in-built
|
||
values, the values here will override the
|
||
in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be
|
||
added to the created ACME HTTP01 solver
|
||
ingress.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added
|
||
to the created ACME HTTP01 solver ingress.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
name:
|
||
description: The name of the ingress resource that
|
||
should have ACME challenge solving routes inserted
|
||
into it in order to solve HTTP01 challenges. This
|
||
is typically used in conjunction with ingress
|
||
controllers like ingress-gce, which maintains
|
||
a 1:1 mapping between external IPs and ingress
|
||
resources.
|
||
type: string
|
||
podTemplate:
|
||
description: Optional pod template used to configure
|
||
the ACME challenge solver pods used for HTTP01
|
||
challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the pod
|
||
used to solve HTTP01 challenges. Only the
|
||
'labels' and 'annotations' fields may be set.
|
||
If labels or annotations overlap with in-built
|
||
values, the values here will override the
|
||
in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be
|
||
added to the create ACME HTTP01 solver
|
||
pods.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added
|
||
to the created ACME HTTP01 solver pods.
|
||
type: object
|
||
type: object
|
||
spec:
|
||
description: PodSpec defines overrides for the
|
||
HTTP01 challenge solver pod. Only the 'priorityClassName',
|
||
'nodeSelector', 'affinity', 'serviceAccountName'
|
||
and 'tolerations' fields are supported currently.
|
||
All other fields will be ignored.
|
||
properties:
|
||
affinity:
|
||
description: If specified, the pod's scheduling
|
||
constraints
|
||
properties:
|
||
nodeAffinity:
|
||
description: Describes node affinity
|
||
scheduling rules for the pod.
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the affinity expressions
|
||
specified by this field, but it
|
||
may choose a node that violates
|
||
one or more of the expressions.
|
||
The node that is most preferred
|
||
is the one with the greatest sum
|
||
of weights, i.e. for each node
|
||
that meets all of the scheduling
|
||
requirements (resource request,
|
||
requiredDuringScheduling affinity
|
||
expressions, etc.), compute a
|
||
sum by iterating through the elements
|
||
of this field and adding "weight"
|
||
to the sum if the node matches
|
||
the corresponding matchExpressions;
|
||
the node(s) with the highest sum
|
||
are the most preferred.
|
||
items:
|
||
description: An empty preferred
|
||
scheduling term matches all
|
||
objects with implicit weight
|
||
0 (i.e. it's a no-op). A null
|
||
preferred scheduling term matches
|
||
no objects (i.e. is also a no-op).
|
||
properties:
|
||
preference:
|
||
description: A node selector
|
||
term, associated with the
|
||
corresponding weight.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's labels.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's fields.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
weight:
|
||
description: Weight associated
|
||
with matching the corresponding
|
||
nodeSelectorTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- preference
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not
|
||
met at scheduling time, the pod
|
||
will not be scheduled onto the
|
||
node. If the affinity requirements
|
||
specified by this field cease
|
||
to be met at some point during
|
||
pod execution (e.g. due to an
|
||
update), the system may or may
|
||
not try to eventually evict the
|
||
pod from its node.
|
||
properties:
|
||
nodeSelectorTerms:
|
||
description: Required. A list
|
||
of node selector terms. The
|
||
terms are ORed.
|
||
items:
|
||
description: A null or empty
|
||
node selector term matches
|
||
no objects. The requirements
|
||
of them are ANDed. The TopologySelectorTerm
|
||
type implements a subset
|
||
of the NodeSelectorTerm.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's labels.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's fields.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: array
|
||
required:
|
||
- nodeSelectorTerms
|
||
type: object
|
||
type: object
|
||
podAffinity:
|
||
description: Describes pod affinity
|
||
scheduling rules (e.g. co-locate this
|
||
pod in the same node, zone, etc. as
|
||
some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the affinity expressions
|
||
specified by this field, but it
|
||
may choose a node that violates
|
||
one or more of the expressions.
|
||
The node that is most preferred
|
||
is the one with the greatest sum
|
||
of weights, i.e. for each node
|
||
that meets all of the scheduling
|
||
requirements (resource request,
|
||
requiredDuringScheduling affinity
|
||
expressions, etc.), compute a
|
||
sum by iterating through the elements
|
||
of this field and adding "weight"
|
||
to the sum if the node has pods
|
||
which matches the corresponding
|
||
podAffinityTerm; the node(s) with
|
||
the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all
|
||
of the matched WeightedPodAffinityTerm
|
||
fields are added per-node to
|
||
find the most preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod
|
||
affinity term, associated
|
||
with the corresponding weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label
|
||
selector requirements.
|
||
The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector
|
||
that contains
|
||
values, a key,
|
||
and an operator
|
||
that relates the
|
||
key and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label
|
||
key that the
|
||
selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents
|
||
a key's relationship
|
||
to a set of
|
||
values. Valid
|
||
operators
|
||
are In, NotIn,
|
||
Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array
|
||
of string
|
||
values. If
|
||
the operator
|
||
is In or NotIn,
|
||
the values
|
||
array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists
|
||
or DoesNotExist,
|
||
the values
|
||
array must
|
||
be empty.
|
||
This array
|
||
is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single
|
||
{key,value} in the
|
||
matchLabels map
|
||
is equivalent to
|
||
an element of matchExpressions,
|
||
whose key field
|
||
is "key", the operator
|
||
is "In", and the
|
||
values array contains
|
||
only "value". The
|
||
requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces
|
||
specifies which namespaces
|
||
the labelSelector applies
|
||
to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod
|
||
should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with
|
||
the pods matching the
|
||
labelSelector in the
|
||
specified namespaces,
|
||
where co-located is
|
||
defined as running on
|
||
a node whose value of
|
||
the label with key topologyKey
|
||
matches that of any
|
||
node on which any of
|
||
the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated
|
||
with matching the corresponding
|
||
podAffinityTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not
|
||
met at scheduling time, the pod
|
||
will not be scheduled onto the
|
||
node. If the affinity requirements
|
||
specified by this field cease
|
||
to be met at some point during
|
||
pod execution (e.g. due to a pod
|
||
label update), the system may
|
||
or may not try to eventually evict
|
||
the pod from its node. When there
|
||
are multiple elements, the lists
|
||
of nodes corresponding to each
|
||
podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of
|
||
pods (namely those matching
|
||
the labelSelector relative to
|
||
the given namespace(s)) that
|
||
this pod should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with, where
|
||
co-located is defined as running
|
||
on a node whose value of the
|
||
label with key <topologyKey>
|
||
matches that of any node on
|
||
which a pod of the set of pods
|
||
is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label key
|
||
that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of
|
||
string values.
|
||
If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an
|
||
element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In",
|
||
and the values array
|
||
contains only "value".
|
||
The requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on
|
||
a node whose value of the
|
||
label with key topologyKey
|
||
matches that of any node
|
||
on which any of the selected
|
||
pods is running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
podAntiAffinity:
|
||
description: Describes pod anti-affinity
|
||
scheduling rules (e.g. avoid putting
|
||
this pod in the same node, zone, etc.
|
||
as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the anti-affinity
|
||
expressions specified by this
|
||
field, but it may choose a node
|
||
that violates one or more of the
|
||
expressions. The node that is
|
||
most preferred is the one with
|
||
the greatest sum of weights, i.e.
|
||
for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling
|
||
anti-affinity expressions, etc.),
|
||
compute a sum by iterating through
|
||
the elements of this field and
|
||
adding "weight" to the sum if
|
||
the node has pods which matches
|
||
the corresponding podAffinityTerm;
|
||
the node(s) with the highest sum
|
||
are the most preferred.
|
||
items:
|
||
description: The weights of all
|
||
of the matched WeightedPodAffinityTerm
|
||
fields are added per-node to
|
||
find the most preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod
|
||
affinity term, associated
|
||
with the corresponding weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label
|
||
selector requirements.
|
||
The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector
|
||
that contains
|
||
values, a key,
|
||
and an operator
|
||
that relates the
|
||
key and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label
|
||
key that the
|
||
selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents
|
||
a key's relationship
|
||
to a set of
|
||
values. Valid
|
||
operators
|
||
are In, NotIn,
|
||
Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array
|
||
of string
|
||
values. If
|
||
the operator
|
||
is In or NotIn,
|
||
the values
|
||
array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists
|
||
or DoesNotExist,
|
||
the values
|
||
array must
|
||
be empty.
|
||
This array
|
||
is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single
|
||
{key,value} in the
|
||
matchLabels map
|
||
is equivalent to
|
||
an element of matchExpressions,
|
||
whose key field
|
||
is "key", the operator
|
||
is "In", and the
|
||
values array contains
|
||
only "value". The
|
||
requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces
|
||
specifies which namespaces
|
||
the labelSelector applies
|
||
to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod
|
||
should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with
|
||
the pods matching the
|
||
labelSelector in the
|
||
specified namespaces,
|
||
where co-located is
|
||
defined as running on
|
||
a node whose value of
|
||
the label with key topologyKey
|
||
matches that of any
|
||
node on which any of
|
||
the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated
|
||
with matching the corresponding
|
||
podAffinityTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the anti-affinity
|
||
requirements specified by this
|
||
field are not met at scheduling
|
||
time, the pod will not be scheduled
|
||
onto the node. If the anti-affinity
|
||
requirements specified by this
|
||
field cease to be met at some
|
||
point during pod execution (e.g.
|
||
due to a pod label update), the
|
||
system may or may not try to eventually
|
||
evict the pod from its node. When
|
||
there are multiple elements, the
|
||
lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of
|
||
pods (namely those matching
|
||
the labelSelector relative to
|
||
the given namespace(s)) that
|
||
this pod should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with, where
|
||
co-located is defined as running
|
||
on a node whose value of the
|
||
label with key <topologyKey>
|
||
matches that of any node on
|
||
which a pod of the set of pods
|
||
is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label key
|
||
that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of
|
||
string values.
|
||
If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an
|
||
element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In",
|
||
and the values array
|
||
contains only "value".
|
||
The requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on
|
||
a node whose value of the
|
||
label with key topologyKey
|
||
matches that of any node
|
||
on which any of the selected
|
||
pods is running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
nodeSelector:
|
||
additionalProperties:
|
||
type: string
|
||
description: 'NodeSelector is a selector
|
||
which must be true for the pod to fit
|
||
on a node. Selector which must match a
|
||
node''s labels for the pod to be scheduled
|
||
on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
||
type: object
|
||
priorityClassName:
|
||
description: If specified, the pod's priorityClassName.
|
||
type: string
|
||
serviceAccountName:
|
||
description: If specified, the pod's service
|
||
account
|
||
type: string
|
||
tolerations:
|
||
description: If specified, the pod's tolerations.
|
||
items:
|
||
description: The pod this Toleration is
|
||
attached to tolerates any taint that
|
||
matches the triple <key,value,effect>
|
||
using the matching operator <operator>.
|
||
properties:
|
||
effect:
|
||
description: Effect indicates the
|
||
taint effect to match. Empty means
|
||
match all taint effects. When specified,
|
||
allowed values are NoSchedule, PreferNoSchedule
|
||
and NoExecute.
|
||
type: string
|
||
key:
|
||
description: Key is the taint key
|
||
that the toleration applies to.
|
||
Empty means match all taint keys.
|
||
If the key is empty, operator must
|
||
be Exists; this combination means
|
||
to match all values and all keys.
|
||
type: string
|
||
operator:
|
||
description: Operator represents a
|
||
key's relationship to the value.
|
||
Valid operators are Exists and Equal.
|
||
Defaults to Equal. Exists is equivalent
|
||
to wildcard for value, so that a
|
||
pod can tolerate all taints of a
|
||
particular category.
|
||
type: string
|
||
tolerationSeconds:
|
||
description: TolerationSeconds represents
|
||
the period of time the toleration
|
||
(which must be of effect NoExecute,
|
||
otherwise this field is ignored)
|
||
tolerates the taint. By default,
|
||
it is not set, which means tolerate
|
||
the taint forever (do not evict).
|
||
Zero and negative values will be
|
||
treated as 0 (evict immediately)
|
||
by the system.
|
||
format: int64
|
||
type: integer
|
||
value:
|
||
description: Value is the taint value
|
||
the toleration matches to. If the
|
||
operator is Exists, the value should
|
||
be empty, otherwise just a regular
|
||
string.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
serviceType:
|
||
description: Optional service type for Kubernetes
|
||
solver service
|
||
type: string
|
||
type: object
|
||
type: object
|
||
selector:
|
||
description: Selector selects a set of DNSNames on the Certificate
|
||
resource that should be solved using this challenge solver.
|
||
If not specified, the solver will be treated as the 'default'
|
||
solver with the lowest priority, i.e. if any other solver
|
||
has a more specific match, it will be used instead.
|
||
properties:
|
||
dnsNames:
|
||
description: List of DNSNames that this solver will
|
||
be used to solve. If specified and a match is found,
|
||
a dnsNames selector will take precedence over a dnsZones
|
||
selector. If multiple solvers match with the same
|
||
dnsNames value, the solver with the most matching
|
||
labels in matchLabels will be selected. If neither
|
||
has more matches, the solver defined earlier in the
|
||
list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
dnsZones:
|
||
description: List of DNSZones that this solver will
|
||
be used to solve. The most specific DNS zone match
|
||
specified here will take precedence over other DNS
|
||
zone matches, so a solver specifying sys.example.com
|
||
will be selected over one specifying example.com for
|
||
the domain www.sys.example.com. If multiple solvers
|
||
match with the same dnsZones value, the solver with
|
||
the most matching labels in matchLabels will be selected.
|
||
If neither has more matches, the solver defined earlier
|
||
in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: A label selector that is used to refine
|
||
the set of certificate's that this challenge solver
|
||
will apply to.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
type: array
|
||
required:
|
||
- privateKeySecretRef
|
||
- server
|
||
type: object
|
||
ca:
|
||
description: CA configures this issuer to sign certificates using
|
||
a signing CA keypair stored in a Secret resource. This is used to
|
||
build internal PKIs that are managed by cert-manager.
|
||
properties:
|
||
crlDistributionPoints:
|
||
description: The CRL distribution points is an X.509 v3 certificate
|
||
extension which identifies the location of the CRL from which
|
||
the revocation of this certificate can be checked. If not set,
|
||
certificates will be issued without distribution points set.
|
||
items:
|
||
type: string
|
||
type: array
|
||
secretName:
|
||
description: SecretName is the name of the secret used to sign
|
||
Certificates issued by this Issuer.
|
||
type: string
|
||
required:
|
||
- secretName
|
||
type: object
|
||
selfSigned:
|
||
description: SelfSigned configures this issuer to 'self sign' certificates
|
||
using the private key used to create the CertificateRequest object.
|
||
properties:
|
||
crlDistributionPoints:
|
||
description: The CRL distribution points is an X.509 v3 certificate
|
||
extension which identifies the location of the CRL from which
|
||
the revocation of this certificate can be checked. If not set
|
||
certificate will be issued without CDP. Values are strings.
|
||
items:
|
||
type: string
|
||
type: array
|
||
type: object
|
||
vault:
|
||
description: Vault configures this issuer to sign certificates using
|
||
a HashiCorp Vault PKI backend.
|
||
properties:
|
||
auth:
|
||
description: Auth configures how cert-manager authenticates with
|
||
the Vault server.
|
||
properties:
|
||
appRole:
|
||
description: AppRole authenticates with Vault using the App
|
||
Role auth mechanism, with the role and secret stored in
|
||
a Kubernetes Secret resource.
|
||
properties:
|
||
path:
|
||
description: 'Path where the App Role authentication backend
|
||
is mounted in Vault, e.g: "approle"'
|
||
type: string
|
||
roleId:
|
||
description: RoleID configured in the App Role authentication
|
||
backend when setting up the authentication backend in
|
||
Vault.
|
||
type: string
|
||
secretRef:
|
||
description: Reference to a key in a Secret that contains
|
||
the App Role secret used to authenticate with Vault.
|
||
The `key` field must be specified and denotes which
|
||
entry within the Secret resource is used as the app
|
||
role secret.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- path
|
||
- roleId
|
||
- secretRef
|
||
type: object
|
||
kubernetes:
|
||
description: Kubernetes authenticates with Vault by passing
|
||
the ServiceAccount token stored in the named Secret resource
|
||
to the Vault server.
|
||
properties:
|
||
mountPath:
|
||
description: The Vault mountPath here is the mount path
|
||
to use when authenticating with Vault. For example,
|
||
setting a value to `/v1/auth/foo`, will use the path
|
||
`/v1/auth/foo/login` to authenticate with Vault. If
|
||
unspecified, the default value "/v1/auth/kubernetes"
|
||
will be used.
|
||
type: string
|
||
role:
|
||
description: A required field containing the Vault Role
|
||
to assume. A Role binds a Kubernetes ServiceAccount
|
||
with a set of Vault policies.
|
||
type: string
|
||
secretRef:
|
||
description: The required Secret field containing a Kubernetes
|
||
ServiceAccount JWT used for authenticating with Vault.
|
||
Use of 'ambient credentials' is not supported.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- role
|
||
- secretRef
|
||
type: object
|
||
tokenSecretRef:
|
||
description: TokenSecretRef authenticates with Vault by presenting
|
||
a token.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
type: object
|
||
caBundle:
|
||
description: PEM encoded CA bundle used to validate Vault server
|
||
certificate. Only used if the Server URL is using HTTPS protocol.
|
||
This parameter is ignored for plain HTTP protocol connection.
|
||
If not set the system root certificates are used to validate
|
||
the TLS connection.
|
||
format: byte
|
||
type: string
|
||
namespace:
|
||
description: 'Name of the vault namespace. Namespaces is a set
|
||
of features within Vault Enterprise that allows Vault environments
|
||
to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
|
||
can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
||
type: string
|
||
path:
|
||
description: 'Path is the mount path of the Vault PKI backend''s
|
||
`sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
||
type: string
|
||
server:
|
||
description: 'Server is the connection address for the Vault server,
|
||
e.g: "https://vault.example.com:8200".'
|
||
type: string
|
||
required:
|
||
- auth
|
||
- path
|
||
- server
|
||
type: object
|
||
venafi:
|
||
description: Venafi configures this issuer to sign certificates using
|
||
a Venafi TPP or Venafi Cloud policy zone.
|
||
properties:
|
||
cloud:
|
||
description: Cloud specifies the Venafi cloud configuration settings.
|
||
Only one of TPP or Cloud may be specified.
|
||
properties:
|
||
apiTokenSecretRef:
|
||
description: APITokenSecretRef is a secret key selector for
|
||
the Venafi Cloud API token.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
url:
|
||
description: URL is the base URL for Venafi Cloud. Defaults
|
||
to "https://api.venafi.cloud/v1".
|
||
type: string
|
||
required:
|
||
- apiTokenSecretRef
|
||
type: object
|
||
tpp:
|
||
description: TPP specifies Trust Protection Platform configuration
|
||
settings. Only one of TPP or Cloud may be specified.
|
||
properties:
|
||
caBundle:
|
||
description: CABundle is a PEM encoded TLS certificate to
|
||
use to verify connections to the TPP instance. If specified,
|
||
system roots will not be used and the issuing CA for the
|
||
TPP instance must be verifiable using the provided root.
|
||
If not specified, the connection will be verified using
|
||
the cert-manager system root certificates.
|
||
format: byte
|
||
type: string
|
||
credentialsRef:
|
||
description: CredentialsRef is a reference to a Secret containing
|
||
the username and password for the TPP server. The secret
|
||
must contain two keys, 'username' and 'password'.
|
||
properties:
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
url:
|
||
description: 'URL is the base URL for the vedsdk endpoint
|
||
of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
||
type: string
|
||
required:
|
||
- credentialsRef
|
||
- url
|
||
type: object
|
||
zone:
|
||
description: Zone is the Venafi Policy Zone to use for this issuer.
|
||
All requests made to the Venafi platform will be restricted
|
||
by the named zone policy. This field is required.
|
||
type: string
|
||
required:
|
||
- zone
|
||
type: object
|
||
type: object
|
||
status:
|
||
description: Status of the ClusterIssuer. This is set and managed automatically.
|
||
properties:
|
||
acme:
|
||
description: ACME specific status options. This field should only
|
||
be set if the Issuer is configured to use an ACME server to issue
|
||
certificates.
|
||
properties:
|
||
lastRegisteredEmail:
|
||
description: LastRegisteredEmail is the email associated with
|
||
the latest registered ACME account, in order to track changes
|
||
made to registered account associated with the Issuer
|
||
type: string
|
||
uri:
|
||
description: URI is the unique account identifier, which can also
|
||
be used to retrieve account details from the CA
|
||
type: string
|
||
type: object
|
||
conditions:
|
||
description: List of status conditions to indicate the status of a
|
||
CertificateRequest. Known condition types are `Ready`.
|
||
items:
|
||
description: IssuerCondition contains condition information for
|
||
an Issuer.
|
||
properties:
|
||
lastTransitionTime:
|
||
description: LastTransitionTime is the timestamp corresponding
|
||
to the last status change of this condition.
|
||
format: date-time
|
||
type: string
|
||
message:
|
||
description: Message is a human readable description of the
|
||
details of the last transition, complementing reason.
|
||
type: string
|
||
reason:
|
||
description: Reason is a brief machine readable explanation
|
||
for the condition's last transition.
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of ('True', 'False',
|
||
'Unknown').
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: Type of the condition, known values are ('Ready').
|
||
type: string
|
||
required:
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
type: object
|
||
required:
|
||
- spec
|
||
type: object
|
||
served: true
|
||
storage: false
|
||
subresources:
|
||
status: {}
|
||
- additionalPrinterColumns:
|
||
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
||
name: Ready
|
||
type: string
|
||
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
||
name: Status
|
||
priority: 1
|
||
type: string
|
||
- description: CreationTimestamp is a timestamp representing the server time when
|
||
this object was created. It is not guaranteed to be set in happens-before
|
||
order across separate operations. Clients may not set this value. It is represented
|
||
in RFC3339 form and is in UTC.
|
||
jsonPath: .metadata.creationTimestamp
|
||
name: Age
|
||
type: date
|
||
name: v1
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: A ClusterIssuer represents a certificate issuing authority which
|
||
can be referenced as part of `issuerRef` fields. It is similar to an Issuer,
|
||
however it is cluster-scoped and therefore can be referenced by resources
|
||
that exist in *any* namespace, not just the same namespace as the referent.
|
||
properties:
|
||
apiVersion:
|
||
description: 'APIVersion defines the versioned schema of this representation
|
||
of an object. Servers should convert recognized schemas to the latest
|
||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
type: string
|
||
kind:
|
||
description: 'Kind is a string value representing the REST resource this
|
||
object represents. Servers may infer this from the endpoint the client
|
||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
description: Desired state of the ClusterIssuer resource.
|
||
properties:
|
||
acme:
|
||
description: ACME configures this issuer to communicate with a RFC8555
|
||
(ACME) server to obtain signed x509 certificates.
|
||
properties:
|
||
disableAccountKeyGeneration:
|
||
description: Enables or disables generating a new ACME account
|
||
key. If true, the Issuer resource will *not* request a new account
|
||
but will expect the account key to be supplied via an existing
|
||
secret. If false, the cert-manager system will generate a new
|
||
ACME account key for the Issuer. Defaults to false.
|
||
type: boolean
|
||
email:
|
||
description: Email is the email address to be associated with
|
||
the ACME account. This field is optional, but it is strongly
|
||
recommended to be set. It will be used to contact you in case
|
||
of issues with your account or certificates, including expiry
|
||
notification emails. This field may be updated after the account
|
||
is initially registered.
|
||
type: string
|
||
externalAccountBinding:
|
||
description: ExternalAccountBinding is a reference to a CA external
|
||
account of the ACME server. If set, upon registration cert-manager
|
||
will attempt to associate the given external account credentials
|
||
with the registered ACME account.
|
||
properties:
|
||
keyAlgorithm:
|
||
description: keyAlgorithm is the MAC key algorithm that the
|
||
key is used for. Valid values are "HS256", "HS384" and "HS512".
|
||
enum:
|
||
- HS256
|
||
- HS384
|
||
- HS512
|
||
type: string
|
||
keyID:
|
||
description: keyID is the ID of the CA key that the External
|
||
Account is bound to.
|
||
type: string
|
||
keySecretRef:
|
||
description: keySecretRef is a Secret Key Selector referencing
|
||
a data item in a Kubernetes Secret which holds the symmetric
|
||
MAC key of the External Account Binding. The `key` is the
|
||
index string that is paired with the key data in the Secret
|
||
and should not be confused with the key data itself, or
|
||
indeed with the External Account Binding keyID above. The
|
||
secret key stored in the Secret **must** be un-padded, base64
|
||
URL encoded data.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- keyAlgorithm
|
||
- keyID
|
||
- keySecretRef
|
||
type: object
|
||
preferredChain:
|
||
description: 'PreferredChain is the chain to use if the ACME server
|
||
outputs multiple. PreferredChain is no guarantee that this one
|
||
gets delivered by the ACME endpoint. For example, for Let''s
|
||
Encrypt''s DST crosssign you would use: "DST Root CA X3" or
|
||
"ISRG Root X1" for the newer Let''s Encrypt root CA. This value
|
||
picks the first certificate bundle in the ACME alternative chains
|
||
that has a certificate with this value as its issuer''s CN'
|
||
maxLength: 64
|
||
type: string
|
||
privateKeySecretRef:
|
||
description: PrivateKey is the name of a Kubernetes Secret resource
|
||
that will be used to store the automatically generated ACME
|
||
account private key. Optionally, a `key` may be specified to
|
||
select a specific entry within the named Secret resource. If
|
||
`key` is not specified, a default of `tls.key` will be used.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field may
|
||
be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to. More
|
||
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
server:
|
||
description: 'Server is the URL used to access the ACME server''s
|
||
''directory'' endpoint. For example, for Let''s Encrypt''s staging
|
||
endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory".
|
||
Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
|
||
type: string
|
||
skipTLSVerify:
|
||
description: Enables or disables validation of the ACME server
|
||
TLS certificate. If true, requests to the ACME server will not
|
||
have their TLS certificate validated (i.e. insecure connections
|
||
will be allowed). Only enable this option in development environments.
|
||
The cert-manager system installed roots will be used to verify
|
||
connections to the ACME server if this is false. Defaults to
|
||
false.
|
||
type: boolean
|
||
solvers:
|
||
description: 'Solvers is a list of challenge solvers that will
|
||
be used to solve ACME challenges for the matching domains. Solver
|
||
configurations must be provided in order to obtain certificates
|
||
from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
|
||
items:
|
||
description: Configures an issuer to solve challenges using
|
||
the specified options. Only one of HTTP01 or DNS01 may be
|
||
provided.
|
||
properties:
|
||
dns01:
|
||
description: Configures cert-manager to attempt to complete
|
||
authorizations by performing the DNS01 challenge flow.
|
||
properties:
|
||
acmeDNS:
|
||
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
||
API to manage DNS01 challenge records.
|
||
properties:
|
||
accountSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
host:
|
||
type: string
|
||
required:
|
||
- accountSecretRef
|
||
- host
|
||
type: object
|
||
akamai:
|
||
description: Use the Akamai DNS zone management API
|
||
to manage DNS01 challenge records.
|
||
properties:
|
||
accessTokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientSecretSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientTokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
serviceConsumerDomain:
|
||
type: string
|
||
required:
|
||
- accessTokenSecretRef
|
||
- clientSecretSecretRef
|
||
- clientTokenSecretRef
|
||
- serviceConsumerDomain
|
||
type: object
|
||
azureDNS:
|
||
description: Use the Microsoft Azure DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
clientID:
|
||
description: if both this and ClientSecret are left
|
||
unset MSI will be used
|
||
type: string
|
||
clientSecretSecretRef:
|
||
description: if both this and ClientID are left
|
||
unset MSI will be used
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
environment:
|
||
enum:
|
||
- AzurePublicCloud
|
||
- AzureChinaCloud
|
||
- AzureGermanCloud
|
||
- AzureUSGovernmentCloud
|
||
type: string
|
||
hostedZoneName:
|
||
type: string
|
||
resourceGroupName:
|
||
type: string
|
||
subscriptionID:
|
||
type: string
|
||
tenantID:
|
||
description: when specifying ClientID and ClientSecret
|
||
then this field is also needed
|
||
type: string
|
||
required:
|
||
- resourceGroupName
|
||
- subscriptionID
|
||
type: object
|
||
cloudDNS:
|
||
description: Use the Google Cloud DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
hostedZoneName:
|
||
description: HostedZoneName is an optional field
|
||
that tells cert-manager in which Cloud DNS zone
|
||
the challenge record has to be created. If left
|
||
empty cert-manager will automatically choose a
|
||
zone.
|
||
type: string
|
||
project:
|
||
type: string
|
||
serviceAccountSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- project
|
||
type: object
|
||
cloudflare:
|
||
description: Use the Cloudflare API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
apiKeySecretRef:
|
||
description: 'API key to use to authenticate with
|
||
Cloudflare. Note: using an API token to authenticate
|
||
is now the recommended method as it allows greater
|
||
control of permissions.'
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
apiTokenSecretRef:
|
||
description: API token used to authenticate with
|
||
Cloudflare.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
email:
|
||
description: Email of the account, only required
|
||
when using API key based authentication.
|
||
type: string
|
||
type: object
|
||
cnameStrategy:
|
||
description: CNAMEStrategy configures how the DNS01
|
||
provider should handle CNAME records when found in
|
||
DNS zones.
|
||
enum:
|
||
- None
|
||
- Follow
|
||
type: string
|
||
digitalocean:
|
||
description: Use the DigitalOcean DNS API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
tokenSecretRef:
|
||
description: A reference to a specific 'key' within
|
||
a Secret resource. In some instances, `key` is
|
||
a required field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- tokenSecretRef
|
||
type: object
|
||
rfc2136:
|
||
description: Use RFC2136 ("Dynamic Updates in the Domain
|
||
Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
||
to manage DNS01 challenge records.
|
||
properties:
|
||
nameserver:
|
||
description: The IP address or hostname of an authoritative
|
||
DNS server supporting RFC2136 in the form host:port.
|
||
If the host is an IPv6 address it must be enclosed
|
||
in square brackets (e.g [2001:db8::1]) ; port
|
||
is optional. This field is required.
|
||
type: string
|
||
tsigAlgorithm:
|
||
description: 'The TSIG Algorithm configured in the
|
||
DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
||
and ``tsigKeyName`` are defined. Supported values
|
||
are (case-insensitive): ``HMACMD5`` (default),
|
||
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
|
||
type: string
|
||
tsigKeyName:
|
||
description: The TSIG Key name configured in the
|
||
DNS. If ``tsigSecretSecretRef`` is defined, this
|
||
field is required.
|
||
type: string
|
||
tsigSecretSecretRef:
|
||
description: The name of the secret containing the
|
||
TSIG value. If ``tsigKeyName`` is defined, this
|
||
field is required.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- nameserver
|
||
type: object
|
||
route53:
|
||
description: Use the AWS Route53 API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
accessKeyID:
|
||
description: 'The AccessKeyID is used for authentication.
|
||
If not set we fall-back to using env vars, shared
|
||
credentials file or AWS Instance metadata see:
|
||
https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
||
type: string
|
||
hostedZoneID:
|
||
description: If set, the provider will manage only
|
||
this zone in Route53 and will not do an lookup
|
||
using the route53:ListHostedZonesByName api call.
|
||
type: string
|
||
region:
|
||
description: Always set the region when using AccessKeyID
|
||
and SecretAccessKey
|
||
type: string
|
||
role:
|
||
description: Role is a Role ARN which the Route53
|
||
provider will assume using either the explicit
|
||
credentials AccessKeyID/SecretAccessKey or the
|
||
inferred credentials from environment variables,
|
||
shared credentials file or AWS Instance metadata
|
||
type: string
|
||
secretAccessKeySecretRef:
|
||
description: The SecretAccessKey is used for authentication.
|
||
If not set we fall-back to using env vars, shared
|
||
credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret
|
||
resource's `data` field to be used. Some instances
|
||
of this field may be defaulted, in others
|
||
it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- region
|
||
type: object
|
||
webhook:
|
||
description: Configure an external webhook based DNS01
|
||
challenge solver to manage DNS01 challenge records.
|
||
properties:
|
||
config:
|
||
description: Additional configuration that should
|
||
be passed to the webhook apiserver when challenges
|
||
are processed. This can contain arbitrary JSON
|
||
data. Secret values should not be specified in
|
||
this stanza. If secret values are needed (e.g.
|
||
credentials for a DNS service), you should use
|
||
a SecretKeySelector to reference a Secret resource.
|
||
For details on the schema of this field, consult
|
||
the webhook provider implementation's documentation.
|
||
x-kubernetes-preserve-unknown-fields: true
|
||
groupName:
|
||
description: The API group name that should be used
|
||
when POSTing ChallengePayload resources to the
|
||
webhook apiserver. This should be the same as
|
||
the GroupName specified in the webhook provider
|
||
implementation.
|
||
type: string
|
||
solverName:
|
||
description: The name of the solver to use, as defined
|
||
in the webhook provider implementation. This will
|
||
typically be the name of the provider, e.g. 'cloudflare'.
|
||
type: string
|
||
required:
|
||
- groupName
|
||
- solverName
|
||
type: object
|
||
type: object
|
||
http01:
|
||
description: Configures cert-manager to attempt to complete
|
||
authorizations by performing the HTTP01 challenge flow.
|
||
It is not possible to obtain certificates for wildcard
|
||
domain names (e.g. `*.example.com`) using the HTTP01 challenge
|
||
mechanism.
|
||
properties:
|
||
ingress:
|
||
description: The ingress based HTTP01 challenge solver
|
||
will solve challenges by creating or modifying Ingress
|
||
resources in order to route requests for '/.well-known/acme-challenge/XYZ'
|
||
to 'challenge solver' pods that are provisioned by
|
||
cert-manager for each Challenge to be completed.
|
||
properties:
|
||
class:
|
||
description: The ingress class to use when creating
|
||
Ingress resources to solve ACME challenges that
|
||
use this challenge solver. Only one of 'class'
|
||
or 'name' may be specified.
|
||
type: string
|
||
ingressTemplate:
|
||
description: Optional ingress template used to configure
|
||
the ACME challenge solver ingress used for HTTP01
|
||
challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the ingress
|
||
used to solve HTTP01 challenges. Only the
|
||
'labels' and 'annotations' fields may be set.
|
||
If labels or annotations overlap with in-built
|
||
values, the values here will override the
|
||
in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be
|
||
added to the created ACME HTTP01 solver
|
||
ingress.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added
|
||
to the created ACME HTTP01 solver ingress.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
name:
|
||
description: The name of the ingress resource that
|
||
should have ACME challenge solving routes inserted
|
||
into it in order to solve HTTP01 challenges. This
|
||
is typically used in conjunction with ingress
|
||
controllers like ingress-gce, which maintains
|
||
a 1:1 mapping between external IPs and ingress
|
||
resources.
|
||
type: string
|
||
podTemplate:
|
||
description: Optional pod template used to configure
|
||
the ACME challenge solver pods used for HTTP01
|
||
challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the pod
|
||
used to solve HTTP01 challenges. Only the
|
||
'labels' and 'annotations' fields may be set.
|
||
If labels or annotations overlap with in-built
|
||
values, the values here will override the
|
||
in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be
|
||
added to the create ACME HTTP01 solver
|
||
pods.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added
|
||
to the created ACME HTTP01 solver pods.
|
||
type: object
|
||
type: object
|
||
spec:
|
||
description: PodSpec defines overrides for the
|
||
HTTP01 challenge solver pod. Only the 'priorityClassName',
|
||
'nodeSelector', 'affinity', 'serviceAccountName'
|
||
and 'tolerations' fields are supported currently.
|
||
All other fields will be ignored.
|
||
properties:
|
||
affinity:
|
||
description: If specified, the pod's scheduling
|
||
constraints
|
||
properties:
|
||
nodeAffinity:
|
||
description: Describes node affinity
|
||
scheduling rules for the pod.
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the affinity expressions
|
||
specified by this field, but it
|
||
may choose a node that violates
|
||
one or more of the expressions.
|
||
The node that is most preferred
|
||
is the one with the greatest sum
|
||
of weights, i.e. for each node
|
||
that meets all of the scheduling
|
||
requirements (resource request,
|
||
requiredDuringScheduling affinity
|
||
expressions, etc.), compute a
|
||
sum by iterating through the elements
|
||
of this field and adding "weight"
|
||
to the sum if the node matches
|
||
the corresponding matchExpressions;
|
||
the node(s) with the highest sum
|
||
are the most preferred.
|
||
items:
|
||
description: An empty preferred
|
||
scheduling term matches all
|
||
objects with implicit weight
|
||
0 (i.e. it's a no-op). A null
|
||
preferred scheduling term matches
|
||
no objects (i.e. is also a no-op).
|
||
properties:
|
||
preference:
|
||
description: A node selector
|
||
term, associated with the
|
||
corresponding weight.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's labels.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's fields.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
weight:
|
||
description: Weight associated
|
||
with matching the corresponding
|
||
nodeSelectorTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- preference
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not
|
||
met at scheduling time, the pod
|
||
will not be scheduled onto the
|
||
node. If the affinity requirements
|
||
specified by this field cease
|
||
to be met at some point during
|
||
pod execution (e.g. due to an
|
||
update), the system may or may
|
||
not try to eventually evict the
|
||
pod from its node.
|
||
properties:
|
||
nodeSelectorTerms:
|
||
description: Required. A list
|
||
of node selector terms. The
|
||
terms are ORed.
|
||
items:
|
||
description: A null or empty
|
||
node selector term matches
|
||
no objects. The requirements
|
||
of them are ANDed. The TopologySelectorTerm
|
||
type implements a subset
|
||
of the NodeSelectorTerm.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's labels.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of
|
||
node selector requirements
|
||
by node's fields.
|
||
items:
|
||
description: A node
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: The
|
||
label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists, DoesNotExist.
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An
|
||
array of string
|
||
values. If the
|
||
operator is In
|
||
or NotIn, the
|
||
values array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
If the operator
|
||
is Gt or Lt, the
|
||
values array must
|
||
have a single
|
||
element, which
|
||
will be interpreted
|
||
as an integer.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: array
|
||
required:
|
||
- nodeSelectorTerms
|
||
type: object
|
||
type: object
|
||
podAffinity:
|
||
description: Describes pod affinity
|
||
scheduling rules (e.g. co-locate this
|
||
pod in the same node, zone, etc. as
|
||
some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the affinity expressions
|
||
specified by this field, but it
|
||
may choose a node that violates
|
||
one or more of the expressions.
|
||
The node that is most preferred
|
||
is the one with the greatest sum
|
||
of weights, i.e. for each node
|
||
that meets all of the scheduling
|
||
requirements (resource request,
|
||
requiredDuringScheduling affinity
|
||
expressions, etc.), compute a
|
||
sum by iterating through the elements
|
||
of this field and adding "weight"
|
||
to the sum if the node has pods
|
||
which matches the corresponding
|
||
podAffinityTerm; the node(s) with
|
||
the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all
|
||
of the matched WeightedPodAffinityTerm
|
||
fields are added per-node to
|
||
find the most preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod
|
||
affinity term, associated
|
||
with the corresponding weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label
|
||
selector requirements.
|
||
The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector
|
||
that contains
|
||
values, a key,
|
||
and an operator
|
||
that relates the
|
||
key and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label
|
||
key that the
|
||
selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents
|
||
a key's relationship
|
||
to a set of
|
||
values. Valid
|
||
operators
|
||
are In, NotIn,
|
||
Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array
|
||
of string
|
||
values. If
|
||
the operator
|
||
is In or NotIn,
|
||
the values
|
||
array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists
|
||
or DoesNotExist,
|
||
the values
|
||
array must
|
||
be empty.
|
||
This array
|
||
is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single
|
||
{key,value} in the
|
||
matchLabels map
|
||
is equivalent to
|
||
an element of matchExpressions,
|
||
whose key field
|
||
is "key", the operator
|
||
is "In", and the
|
||
values array contains
|
||
only "value". The
|
||
requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces
|
||
specifies which namespaces
|
||
the labelSelector applies
|
||
to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod
|
||
should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with
|
||
the pods matching the
|
||
labelSelector in the
|
||
specified namespaces,
|
||
where co-located is
|
||
defined as running on
|
||
a node whose value of
|
||
the label with key topologyKey
|
||
matches that of any
|
||
node on which any of
|
||
the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated
|
||
with matching the corresponding
|
||
podAffinityTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not
|
||
met at scheduling time, the pod
|
||
will not be scheduled onto the
|
||
node. If the affinity requirements
|
||
specified by this field cease
|
||
to be met at some point during
|
||
pod execution (e.g. due to a pod
|
||
label update), the system may
|
||
or may not try to eventually evict
|
||
the pod from its node. When there
|
||
are multiple elements, the lists
|
||
of nodes corresponding to each
|
||
podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of
|
||
pods (namely those matching
|
||
the labelSelector relative to
|
||
the given namespace(s)) that
|
||
this pod should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with, where
|
||
co-located is defined as running
|
||
on a node whose value of the
|
||
label with key <topologyKey>
|
||
matches that of any node on
|
||
which a pod of the set of pods
|
||
is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label key
|
||
that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of
|
||
string values.
|
||
If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an
|
||
element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In",
|
||
and the values array
|
||
contains only "value".
|
||
The requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on
|
||
a node whose value of the
|
||
label with key topologyKey
|
||
matches that of any node
|
||
on which any of the selected
|
||
pods is running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
podAntiAffinity:
|
||
description: Describes pod anti-affinity
|
||
scheduling rules (e.g. avoid putting
|
||
this pod in the same node, zone, etc.
|
||
as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will
|
||
prefer to schedule pods to nodes
|
||
that satisfy the anti-affinity
|
||
expressions specified by this
|
||
field, but it may choose a node
|
||
that violates one or more of the
|
||
expressions. The node that is
|
||
most preferred is the one with
|
||
the greatest sum of weights, i.e.
|
||
for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling
|
||
anti-affinity expressions, etc.),
|
||
compute a sum by iterating through
|
||
the elements of this field and
|
||
adding "weight" to the sum if
|
||
the node has pods which matches
|
||
the corresponding podAffinityTerm;
|
||
the node(s) with the highest sum
|
||
are the most preferred.
|
||
items:
|
||
description: The weights of all
|
||
of the matched WeightedPodAffinityTerm
|
||
fields are added per-node to
|
||
find the most preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod
|
||
affinity term, associated
|
||
with the corresponding weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label
|
||
selector requirements.
|
||
The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector
|
||
that contains
|
||
values, a key,
|
||
and an operator
|
||
that relates the
|
||
key and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label
|
||
key that the
|
||
selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents
|
||
a key's relationship
|
||
to a set of
|
||
values. Valid
|
||
operators
|
||
are In, NotIn,
|
||
Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array
|
||
of string
|
||
values. If
|
||
the operator
|
||
is In or NotIn,
|
||
the values
|
||
array must
|
||
be non-empty.
|
||
If the operator
|
||
is Exists
|
||
or DoesNotExist,
|
||
the values
|
||
array must
|
||
be empty.
|
||
This array
|
||
is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single
|
||
{key,value} in the
|
||
matchLabels map
|
||
is equivalent to
|
||
an element of matchExpressions,
|
||
whose key field
|
||
is "key", the operator
|
||
is "In", and the
|
||
values array contains
|
||
only "value". The
|
||
requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces
|
||
specifies which namespaces
|
||
the labelSelector applies
|
||
to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod
|
||
should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with
|
||
the pods matching the
|
||
labelSelector in the
|
||
specified namespaces,
|
||
where co-located is
|
||
defined as running on
|
||
a node whose value of
|
||
the label with key topologyKey
|
||
matches that of any
|
||
node on which any of
|
||
the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated
|
||
with matching the corresponding
|
||
podAffinityTerm, in the
|
||
range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the anti-affinity
|
||
requirements specified by this
|
||
field are not met at scheduling
|
||
time, the pod will not be scheduled
|
||
onto the node. If the anti-affinity
|
||
requirements specified by this
|
||
field cease to be met at some
|
||
point during pod execution (e.g.
|
||
due to a pod label update), the
|
||
system may or may not try to eventually
|
||
evict the pod from its node. When
|
||
there are multiple elements, the
|
||
lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of
|
||
pods (namely those matching
|
||
the labelSelector relative to
|
||
the given namespace(s)) that
|
||
this pod should be co-located
|
||
(affinity) or not co-located
|
||
(anti-affinity) with, where
|
||
co-located is defined as running
|
||
on a node whose value of the
|
||
label with key <topologyKey>
|
||
matches that of any node on
|
||
which a pod of the set of pods
|
||
is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query
|
||
over a set of resources,
|
||
in this case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label
|
||
selector requirement
|
||
is a selector that
|
||
contains values, a
|
||
key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key
|
||
is the label key
|
||
that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn,
|
||
Exists and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of
|
||
string values.
|
||
If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty.
|
||
This array is
|
||
replaced during
|
||
a strategic merge
|
||
patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an
|
||
element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In",
|
||
and the values array
|
||
contains only "value".
|
||
The requirements are
|
||
ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means
|
||
"this pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on
|
||
a node whose value of the
|
||
label with key topologyKey
|
||
matches that of any node
|
||
on which any of the selected
|
||
pods is running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
nodeSelector:
|
||
additionalProperties:
|
||
type: string
|
||
description: 'NodeSelector is a selector
|
||
which must be true for the pod to fit
|
||
on a node. Selector which must match a
|
||
node''s labels for the pod to be scheduled
|
||
on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
||
type: object
|
||
priorityClassName:
|
||
description: If specified, the pod's priorityClassName.
|
||
type: string
|
||
serviceAccountName:
|
||
description: If specified, the pod's service
|
||
account
|
||
type: string
|
||
tolerations:
|
||
description: If specified, the pod's tolerations.
|
||
items:
|
||
description: The pod this Toleration is
|
||
attached to tolerates any taint that
|
||
matches the triple <key,value,effect>
|
||
using the matching operator <operator>.
|
||
properties:
|
||
effect:
|
||
description: Effect indicates the
|
||
taint effect to match. Empty means
|
||
match all taint effects. When specified,
|
||
allowed values are NoSchedule, PreferNoSchedule
|
||
and NoExecute.
|
||
type: string
|
||
key:
|
||
description: Key is the taint key
|
||
that the toleration applies to.
|
||
Empty means match all taint keys.
|
||
If the key is empty, operator must
|
||
be Exists; this combination means
|
||
to match all values and all keys.
|
||
type: string
|
||
operator:
|
||
description: Operator represents a
|
||
key's relationship to the value.
|
||
Valid operators are Exists and Equal.
|
||
Defaults to Equal. Exists is equivalent
|
||
to wildcard for value, so that a
|
||
pod can tolerate all taints of a
|
||
particular category.
|
||
type: string
|
||
tolerationSeconds:
|
||
description: TolerationSeconds represents
|
||
the period of time the toleration
|
||
(which must be of effect NoExecute,
|
||
otherwise this field is ignored)
|
||
tolerates the taint. By default,
|
||
it is not set, which means tolerate
|
||
the taint forever (do not evict).
|
||
Zero and negative values will be
|
||
treated as 0 (evict immediately)
|
||
by the system.
|
||
format: int64
|
||
type: integer
|
||
value:
|
||
description: Value is the taint value
|
||
the toleration matches to. If the
|
||
operator is Exists, the value should
|
||
be empty, otherwise just a regular
|
||
string.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
serviceType:
|
||
description: Optional service type for Kubernetes
|
||
solver service
|
||
type: string
|
||
type: object
|
||
type: object
|
||
selector:
|
||
description: Selector selects a set of DNSNames on the Certificate
|
||
resource that should be solved using this challenge solver.
|
||
If not specified, the solver will be treated as the 'default'
|
||
solver with the lowest priority, i.e. if any other solver
|
||
has a more specific match, it will be used instead.
|
||
properties:
|
||
dnsNames:
|
||
description: List of DNSNames that this solver will
|
||
be used to solve. If specified and a match is found,
|
||
a dnsNames selector will take precedence over a dnsZones
|
||
selector. If multiple solvers match with the same
|
||
dnsNames value, the solver with the most matching
|
||
labels in matchLabels will be selected. If neither
|
||
has more matches, the solver defined earlier in the
|
||
list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
dnsZones:
|
||
description: List of DNSZones that this solver will
|
||
be used to solve. The most specific DNS zone match
|
||
specified here will take precedence over other DNS
|
||
zone matches, so a solver specifying sys.example.com
|
||
will be selected over one specifying example.com for
|
||
the domain www.sys.example.com. If multiple solvers
|
||
match with the same dnsZones value, the solver with
|
||
the most matching labels in matchLabels will be selected.
|
||
If neither has more matches, the solver defined earlier
|
||
in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: A label selector that is used to refine
|
||
the set of certificate's that this challenge solver
|
||
will apply to.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
type: array
|
||
required:
|
||
- privateKeySecretRef
|
||
- server
|
||
type: object
|
||
ca:
|
||
description: CA configures this issuer to sign certificates using
|
||
a signing CA keypair stored in a Secret resource. This is used to
|
||
build internal PKIs that are managed by cert-manager.
|
||
properties:
|
||
crlDistributionPoints:
|
||
description: The CRL distribution points is an X.509 v3 certificate
|
||
extension which identifies the location of the CRL from which
|
||
the revocation of this certificate can be checked. If not set,
|
||
certificates will be issued without distribution points set.
|
||
items:
|
||
type: string
|
||
type: array
|
||
secretName:
|
||
description: SecretName is the name of the secret used to sign
|
||
Certificates issued by this Issuer.
|
||
type: string
|
||
required:
|
||
- secretName
|
||
type: object
|
||
selfSigned:
|
||
description: SelfSigned configures this issuer to 'self sign' certificates
|
||
using the private key used to create the CertificateRequest object.
|
||
properties:
|
||
crlDistributionPoints:
|
||
description: The CRL distribution points is an X.509 v3 certificate
|
||
extension which identifies the location of the CRL from which
|
||
the revocation of this certificate can be checked. If not set
|
||
certificate will be issued without CDP. Values are strings.
|
||
items:
|
||
type: string
|
||
type: array
|
||
type: object
|
||
vault:
|
||
description: Vault configures this issuer to sign certificates using
|
||
a HashiCorp Vault PKI backend.
|
||
properties:
|
||
auth:
|
||
description: Auth configures how cert-manager authenticates with
|
||
the Vault server.
|
||
properties:
|
||
appRole:
|
||
description: AppRole authenticates with Vault using the App
|
||
Role auth mechanism, with the role and secret stored in
|
||
a Kubernetes Secret resource.
|
||
properties:
|
||
path:
|
||
description: 'Path where the App Role authentication backend
|
||
is mounted in Vault, e.g: "approle"'
|
||
type: string
|
||
roleId:
|
||
description: RoleID configured in the App Role authentication
|
||
backend when setting up the authentication backend in
|
||
Vault.
|
||
type: string
|
||
secretRef:
|
||
description: Reference to a key in a Secret that contains
|
||
the App Role secret used to authenticate with Vault.
|
||
The `key` field must be specified and denotes which
|
||
entry within the Secret resource is used as the app
|
||
role secret.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- path
|
||
- roleId
|
||
- secretRef
|
||
type: object
|
||
kubernetes:
|
||
description: Kubernetes authenticates with Vault by passing
|
||
the ServiceAccount token stored in the named Secret resource
|
||
to the Vault server.
|
||
properties:
|
||
mountPath:
|
||
description: The Vault mountPath here is the mount path
|
||
to use when authenticating with Vault. For example,
|
||
setting a value to `/v1/auth/foo`, will use the path
|
||
`/v1/auth/foo/login` to authenticate with Vault. If
|
||
unspecified, the default value "/v1/auth/kubernetes"
|
||
will be used.
|
||
type: string
|
||
role:
|
||
description: A required field containing the Vault Role
|
||
to assume. A Role binds a Kubernetes ServiceAccount
|
||
with a set of Vault policies.
|
||
type: string
|
||
secretRef:
|
||
description: The required Secret field containing a Kubernetes
|
||
ServiceAccount JWT used for authenticating with Vault.
|
||
Use of 'ambient credentials' is not supported.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- role
|
||
- secretRef
|
||
type: object
|
||
tokenSecretRef:
|
||
description: TokenSecretRef authenticates with Vault by presenting
|
||
a token.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
type: object
|
||
caBundle:
|
||
description: PEM encoded CA bundle used to validate Vault server
|
||
certificate. Only used if the Server URL is using HTTPS protocol.
|
||
This parameter is ignored for plain HTTP protocol connection.
|
||
If not set the system root certificates are used to validate
|
||
the TLS connection.
|
||
format: byte
|
||
type: string
|
||
namespace:
|
||
description: 'Name of the vault namespace. Namespaces is a set
|
||
of features within Vault Enterprise that allows Vault environments
|
||
to support Secure Multi-tenancy. e.g: "ns1" More about namespaces
|
||
can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
|
||
type: string
|
||
path:
|
||
description: 'Path is the mount path of the Vault PKI backend''s
|
||
`sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
|
||
type: string
|
||
server:
|
||
description: 'Server is the connection address for the Vault server,
|
||
e.g: "https://vault.example.com:8200".'
|
||
type: string
|
||
required:
|
||
- auth
|
||
- path
|
||
- server
|
||
type: object
|
||
venafi:
|
||
description: Venafi configures this issuer to sign certificates using
|
||
a Venafi TPP or Venafi Cloud policy zone.
|
||
properties:
|
||
cloud:
|
||
description: Cloud specifies the Venafi cloud configuration settings.
|
||
Only one of TPP or Cloud may be specified.
|
||
properties:
|
||
apiTokenSecretRef:
|
||
description: APITokenSecretRef is a secret key selector for
|
||
the Venafi Cloud API token.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this field
|
||
may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
url:
|
||
description: URL is the base URL for Venafi Cloud. Defaults
|
||
to "https://api.venafi.cloud/v1".
|
||
type: string
|
||
required:
|
||
- apiTokenSecretRef
|
||
type: object
|
||
tpp:
|
||
description: TPP specifies Trust Protection Platform configuration
|
||
settings. Only one of TPP or Cloud may be specified.
|
||
properties:
|
||
caBundle:
|
||
description: CABundle is a PEM encoded TLS certificate to
|
||
use to verify connections to the TPP instance. If specified,
|
||
system roots will not be used and the issuing CA for the
|
||
TPP instance must be verifiable using the provided root.
|
||
If not specified, the connection will be verified using
|
||
the cert-manager system root certificates.
|
||
format: byte
|
||
type: string
|
||
credentialsRef:
|
||
description: CredentialsRef is a reference to a Secret containing
|
||
the username and password for the TPP server. The secret
|
||
must contain two keys, 'username' and 'password'.
|
||
properties:
|
||
name:
|
||
description: 'Name of the resource being referred to.
|
||
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
url:
|
||
description: 'URL is the base URL for the vedsdk endpoint
|
||
of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
|
||
type: string
|
||
required:
|
||
- credentialsRef
|
||
- url
|
||
type: object
|
||
zone:
|
||
description: Zone is the Venafi Policy Zone to use for this issuer.
|
||
All requests made to the Venafi platform will be restricted
|
||
by the named zone policy. This field is required.
|
||
type: string
|
||
required:
|
||
- zone
|
||
type: object
|
||
type: object
|
||
status:
|
||
description: Status of the ClusterIssuer. This is set and managed automatically.
|
||
properties:
|
||
acme:
|
||
description: ACME specific status options. This field should only
|
||
be set if the Issuer is configured to use an ACME server to issue
|
||
certificates.
|
||
properties:
|
||
lastRegisteredEmail:
|
||
description: LastRegisteredEmail is the email associated with
|
||
the latest registered ACME account, in order to track changes
|
||
made to registered account associated with the Issuer
|
||
type: string
|
||
uri:
|
||
description: URI is the unique account identifier, which can also
|
||
be used to retrieve account details from the CA
|
||
type: string
|
||
type: object
|
||
conditions:
|
||
description: List of status conditions to indicate the status of a
|
||
CertificateRequest. Known condition types are `Ready`.
|
||
items:
|
||
description: IssuerCondition contains condition information for
|
||
an Issuer.
|
||
properties:
|
||
lastTransitionTime:
|
||
description: LastTransitionTime is the timestamp corresponding
|
||
to the last status change of this condition.
|
||
format: date-time
|
||
type: string
|
||
message:
|
||
description: Message is a human readable description of the
|
||
details of the last transition, complementing reason.
|
||
type: string
|
||
reason:
|
||
description: Reason is a brief machine readable explanation
|
||
for the condition's last transition.
|
||
type: string
|
||
status:
|
||
description: Status of the condition, one of ('True', 'False',
|
||
'Unknown').
|
||
enum:
|
||
- "True"
|
||
- "False"
|
||
- Unknown
|
||
type: string
|
||
type:
|
||
description: Type of the condition, known values are ('Ready').
|
||
type: string
|
||
required:
|
||
- status
|
||
- type
|
||
type: object
|
||
type: array
|
||
type: object
|
||
required:
|
||
- spec
|
||
type: object
|
||
served: true
|
||
storage: true
|
||
subresources:
|
||
status: {}
|
||
status:
|
||
acceptedNames:
|
||
kind: ""
|
||
plural: ""
|
||
conditions: []
|
||
storedVersions: []
|