c12s-kubespray/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
tasekida fc61f8d52e
Update cert manager to 0.16.1 (#6600)
* Update cert manager to 0.16.1

* Update cert manager to 0.16.1

Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
2020-09-04 04:53:48 -07:00



# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Challenge CRD for cert-manager, rendered by kubespray (note the Jinja
# variables further down). apiextensions.k8s.io/v1beta1 is the legacy CRD API:
# deprecated since Kubernetes 1.16 and removed in 1.22, so this manifest needs
# migrating to apiextensions.k8s.io/v1 before it can be applied to such clusters.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: challenges.acme.cert-manager.io
  annotations:
    # Marks this CRD for cert-manager's cainjector: the CA held in the named
    # Secret (namespace/name) is expected to be copied into the conversion
    # webhook's caBundle, which is not set in this manifest.
    # NOTE(review): the Secret namespace is hard-coded to "cert-manager" while
    # the conversion webhook Service below is addressed via
    # "{{ cert_manager_namespace }}" — confirm both resolve to the same namespace
    # when that variable is overridden, otherwise no CA is injected and the API
    # server has nothing to verify the conversion webhook against.
    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/managed-by: Helm
    # Rendered by Ansible/Jinja; carries the deployed cert-manager version.
    helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
# Columns shown by `kubectl get challenges`; a column with priority > 0 is only
# printed with `-o wide`.
additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.dnsName
    name: Domain
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when
      this object was created. It is not guaranteed to be set in happens-before order
      across separate operations. Clients may not set this value. It is represented
      in RFC3339 form and is in UTC.
    name: Age
    type: date
group: acme.cert-manager.io
# Structural schema enforced: fields not declared in openAPIV3Schema are pruned
# rather than persisted. The one deliberate exception is the webhook solver's
# `config`, which opts back in with x-kubernetes-preserve-unknown-fields.
preserveUnknownFields: false
conversion:
  # A Webhook strategy instructs the API server to call an external webhook for
  # any conversion between versions of this custom resource.
  strategy: Webhook
  # webhookClientConfig is required when strategy is `Webhook`; it configures the
  # webhook endpoint the API server calls. No caBundle is set here — the
  # cert-manager.io/inject-ca-from-secret annotation on this CRD is expected to
  # supply it. NOTE(review): without an injected CA the API server falls back
  # to its own trust roots, so a self-signed webhook certificate would be
  # rejected and conversions would fail — verify injection after deployment.
  webhookClientConfig:
    service:
      namespace: '{{ cert_manager_namespace }}'
      name: 'cert-manager-webhook'
      path: /convert
# Resource naming: `kubectl get challenges` / `challenge`, kind Challenge.
names:
  kind: Challenge
  listKind: ChallengeList
  plural: challenges
  singular: challenge
subresources:
status: {}
versions:
# The only version visible in this part of the file; `storage: true` makes it
# the version persisted in etcd, so any other served version is routed through
# the conversion webhook declared above.
- name: v1alpha2
  served: true
  storage: true
"schema":
"openAPIV3Schema":
description: Challenge is a type to represent a Challenge request with an
ACME server
type: object
required:
- metadata
properties:
apiVersion:
  description: 'APIVersion defines the versioned schema of this representation
    of an object. Servers should convert recognized schemas to the latest
    internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  type: string
kind:
  description: 'Kind is a string value representing the REST resource this
    object represents. Servers may infer this from the endpoint the client
    submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  type: string
# Left as a bare `type: object`: ObjectMeta is validated by the API server
# itself, not by this schema.
metadata:
  type: object
spec:
type: object
# Every field listed here must be present for a Challenge to be admitted;
# the optional ones (solver details, etc.) are only constrained by type.
required:
  - authzURL
  - dnsName
  - issuerRef
  - key
  - solver
  - token
  - type
  - url
properties:
# Free-form URL; the schema does not restrict scheme or host.
authzURL:
  description: AuthzURL is the URL to the ACME Authorization resource
    that this challenge is a part of.
  type: string
dnsName:
  description: DNSName is the identifier that this challenge is for,
    e.g. example.com. If the requested DNSName is a 'wildcard', this
    field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
    it must be `example.com`.
  type: string
# Only `name` is required; `group` and `kind` are unconstrained strings, so a
# reference to a non-ACME issuer is rejected while processing (per the
# description), not by schema validation.
issuerRef:
  description: IssuerRef references a properly configured ACME-type
    Issuer which should be used to create this Challenge. If the Issuer
    does not exist, processing will be retried. If the Issuer is not
    an 'ACME' Issuer, an error will be returned and the Challenge will
    be marked as failed.
  type: object
  required:
    - name
  properties:
    group:
      description: Group of the resource being referred to.
      type: string
    kind:
      description: Kind of the resource being referred to.
      type: string
    name:
      description: Name of the resource being referred to.
      type: string
# Challenge response material as handed out by the ACME server (see the
# description); it is stored in `spec` as a plain string, not behind a
# Secret reference.
key:
  description: 'Key is the ACME challenge key for this challenge For
    HTTP01 challenges, this is the value that must be responded with
    to complete the HTTP01 challenge in the format: `<private key JWK
    thumbprint>.<key from acme server for challenge>`. For DNS01 challenges,
    this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
    from acme server for challenge>` text that must be set as the TXT
    record content.'
  type: string
solver:
description: Solver contains the domain solving configuration that
should be used to solve this challenge resource.
type: object
properties:
dns01:
description: Configures cert-manager to attempt to complete authorizations
by performing the DNS01 challenge flow.
type: object
properties:
# Credentials are never inline: `accountSecretRef` points at a Secret key.
acmedns:
  description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
    API to manage DNS01 challenge records.
  type: object
  required:
    - accountSecretRef
    - host
  properties:
    accountSecretRef:
      description: A reference to a specific 'key' within a
        Secret resource. In some instances, `key` is a required
        field.
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
    # acme-dns API endpoint; the schema puts no constraint on the URL scheme.
    host:
      type: string
# All four inputs are required, and each credential (access token, client
# secret, client token) is supplied through a Secret reference; nothing inline.
akamai:
  description: Use the Akamai DNS zone management API to manage
    DNS01 challenge records.
  type: object
  required:
    - accessTokenSecretRef
    - clientSecretSecretRef
    - clientTokenSecretRef
    - serviceConsumerDomain
  properties:
    accessTokenSecretRef:
      description: A reference to a specific 'key' within a
        Secret resource. In some instances, `key` is a required
        field.
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
    clientSecretSecretRef:
      description: A reference to a specific 'key' within a
        Secret resource. In some instances, `key` is a required
        field.
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
    clientTokenSecretRef:
      description: A reference to a specific 'key' within a
        Secret resource. In some instances, `key` is a required
        field.
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
    # Akamai API host for this account; undocumented in the upstream schema.
    serviceConsumerDomain:
      type: string
# Two authentication modes per the field descriptions: an explicit service
# principal (clientID + clientSecretSecretRef + tenantID), or Managed Service
# Identity when both clientID and clientSecretSecretRef are unset. The schema
# cannot express "tenantID is required whenever clientID is set", so a
# half-configured principal is only caught at processing time.
azuredns:
  description: Use the Microsoft Azure DNS API to manage DNS01
    challenge records.
  type: object
  required:
    - resourceGroupName
    - subscriptionID
  properties:
    clientID:
      description: if both this and ClientSecret are left unset
        MSI will be used
      type: string
    clientSecretSecretRef:
      description: if both this and ClientID are left unset
        MSI will be used
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
    # Sovereign-cloud selector; anything outside this enum is rejected.
    environment:
      type: string
      enum:
        - AzurePublicCloud
        - AzureChinaCloud
        - AzureGermanCloud
        - AzureUSGovernmentCloud
    hostedZoneName:
      type: string
    resourceGroupName:
      type: string
    subscriptionID:
      type: string
    tenantID:
      description: when specifying ClientID and ClientSecret
        then this field is also needed
      type: string
# `serviceAccountSecretRef` is optional and the descriptions do not say what is
# used when it is absent — presumably the controller's ambient GCP credentials;
# verify against the solver implementation before relying on it.
clouddns:
  description: Use the Google Cloud DNS API to manage DNS01
    challenge records.
  type: object
  required:
    - project
  properties:
    hostedZoneName:
      description: HostedZoneName is an optional field that
        tells cert-manager in which Cloud DNS zone the challenge
        record has to be created. If left empty cert-manager
        will automatically choose a zone.
      type: string
    project:
      type: string
    serviceAccountSecretRef:
      description: A reference to a specific 'key' within a
        Secret resource. In some instances, `key` is a required
        field.
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
# Neither apiKeySecretRef nor apiTokenSecretRef is in `required`, so the
# "exactly one of" rule is left to the controller. The apiKeySecretRef
# description itself recommends the scoped API token, which is the
# least-privilege option; `email` is only meaningful with the API key.
cloudflare:
  description: Use the Cloudflare API to manage DNS01 challenge
    records.
  type: object
  properties:
    apiKeySecretRef:
      description: 'API key to use to authenticate with Cloudflare.
        Note: using an API token to authenticate is now the
        recommended method as it allows greater control of permissions.'
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
    apiTokenSecretRef:
      description: API token used to authenticate with Cloudflare.
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
    email:
      description: Email of the account, only required when
        using API key based authentication.
      type: string
# NOTE(review): with `Follow` the provider presumably creates the TXT record
# at the CNAME target rather than at the original name — confirm; if so, the
# credentials configured for the provider must be able to write to that
# target zone as well.
cnameStrategy:
  description: CNAMEStrategy configures how the DNS01 provider
    should handle CNAME records when found in DNS zones.
  type: string
  enum:
    - None
    - Follow
# Single required credential, supplied via a Secret reference.
digitalocean:
  description: Use the DigitalOcean DNS API to manage DNS01
    challenge records.
  type: object
  required:
    - tokenSecretRef
  properties:
    tokenSecretRef:
      description: A reference to a specific 'key' within a
        Secret resource. In some instances, `key` is a required
        field.
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
# Only `nameserver` is schema-required; the TSIG fields are optional and the
# "if tsigKeyName then tsigSecretSecretRef" (and vice versa) rules stated in
# the descriptions are not enforced by schema. Per the tsigAlgorithm
# description the default is HMACMD5 — set HMACSHA256 or HMACSHA512 explicitly
# where the server supports it, and note that an update sent without TSIG
# relies solely on the DNS server's own update ACLs.
rfc2136:
  description: Use RFC2136 ("Dynamic Updates in the Domain Name
    System") (https://datatracker.ietf.org/doc/rfc2136/) to
    manage DNS01 challenge records.
  type: object
  required:
    - nameserver
  properties:
    nameserver:
      description: The IP address or hostname of an authoritative
        DNS server supporting RFC2136 in the form host:port.
        If the host is an IPv6 address it must be enclosed in
        square brackets (e.g [2001:db8::1]) ; port is optional.
        This field is required.
      type: string
    tsigAlgorithm:
      description: 'The TSIG Algorithm configured in the DNS
        supporting RFC2136. Used only when ``tsigSecretSecretRef``
        and ``tsigKeyName`` are defined. Supported values are
        (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
        ``HMACSHA256`` or ``HMACSHA512``.'
      type: string
    tsigKeyName:
      description: The TSIG Key name configured in the DNS.
        If ``tsigSecretSecretRef`` is defined, this field is
        required.
      type: string
    tsigSecretSecretRef:
      description: The name of the secret containing the TSIG
        value. If ``tsigKeyName`` is defined, this field is
        required.
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
# Credential precedence per the descriptions: explicit accessKeyID +
# secretAccessKeySecretRef, otherwise the ambient SDK chain (env vars, shared
# credentials file, instance metadata), optionally assuming `role`. accessKeyID
# is a plain string in spec because it is the identifier half; the secret half
# only ever comes from a Secret. `hostedZoneID` pins the provider to a single
# zone and skips the ListHostedZonesByName call, which is what allows the IAM
# policy granted to the solver to be scoped to that one zone.
route53:
  description: Use the AWS Route53 API to manage DNS01 challenge
    records.
  type: object
  required:
    - region
  properties:
    accessKeyID:
      description: 'The AccessKeyID is used for authentication.
        If not set we fall-back to using env vars, shared credentials
        file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
      type: string
    hostedZoneID:
      description: If set, the provider will manage only this
        zone in Route53 and will not do an lookup using the
        route53:ListHostedZonesByName api call.
      type: string
    region:
      description: Always set the region when using AccessKeyID
        and SecretAccessKey
      type: string
    role:
      description: Role is a Role ARN which the Route53 provider
        will assume using either the explicit credentials AccessKeyID/SecretAccessKey
        or the inferred credentials from environment variables,
        shared credentials file or AWS Instance metadata
      type: string
    secretAccessKeySecretRef:
      description: The SecretAccessKey is used for authentication.
        If not set we fall-back to using env vars, shared credentials
        file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
      type: object
      required:
        - name
      properties:
        key:
          description: The key of the entry in the Secret resource's
            `data` field to be used. Some instances of this
            field may be defaulted, in others it may be required.
          type: string
        name:
          description: 'Name of the resource being referred
            to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
          type: string
# `config` is free-form JSON (x-kubernetes-preserve-unknown-fields), so it is
# persisted verbatim in the Challenge object and readable by anyone with read
# access to Challenges. The description's rule — no secret values here, use a
# SecretKeySelector instead — is a convention the schema cannot enforce.
webhook:
  description: Configure an external webhook based DNS01 challenge
    solver to manage DNS01 challenge records.
  type: object
  required:
    - groupName
    - solverName
  properties:
    config:
      description: Additional configuration that should be passed
        to the webhook apiserver when challenges are processed.
        This can contain arbitrary JSON data. Secret values
        should not be specified in this stanza. If secret values
        are needed (e.g. credentials for a DNS service), you
        should use a SecretKeySelector to reference a Secret
        resource. For details on the schema of this field, consult
        the webhook provider implementation's documentation.
      x-kubernetes-preserve-unknown-fields: true
    groupName:
      description: The API group name that should be used when
        POSTing ChallengePayload resources to the webhook apiserver.
        This should be the same as the GroupName specified in
        the webhook provider implementation.
      type: string
    solverName:
      description: The name of the solver to use, as defined
        in the webhook provider implementation. This will typically
        be the name of the provider, e.g. 'cloudflare'.
      type: string
http01:
description: Configures cert-manager to attempt to complete authorizations
by performing the HTTP01 challenge flow. It is not possible
to obtain certificates for wildcard domain names (e.g. `*.example.com`)
using the HTTP01 challenge mechanism.
type: object
properties:
ingress:
description: The ingress based HTTP01 challenge solver will
solve challenges by creating or modifying Ingress resources
in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
type: object
properties:
# `class` and `name` are mutually exclusive per the descriptions, but both are
# optional in the schema, so that rule is enforced by the controller. With
# `name`, cert-manager edits an existing Ingress in the namespace; the
# template can only add labels/annotations to the solver Ingress it creates.
class:
  description: The ingress class to use when creating Ingress
    resources to solve ACME challenges that use this challenge
    solver. Only one of 'class' or 'name' may be specified.
  type: string
ingressTemplate:
  description: Optional ingress template used to configure
    the ACME challenge solver ingress used for HTTP01 challenges
  type: object
  properties:
    metadata:
      description: ObjectMeta overrides for the ingress
        used to solve HTTP01 challenges. Only the 'labels'
        and 'annotations' fields may be set. If labels or
        annotations overlap with in-built values, the values
        here will override the in-built values.
      type: object
      properties:
        annotations:
          description: Annotations that should be added
            to the created ACME HTTP01 solver ingress.
          type: object
          additionalProperties:
            type: string
        labels:
          description: Labels that should be added to the
            created ACME HTTP01 solver ingress.
          type: object
          additionalProperties:
            type: string
name:
  description: The name of the ingress resource that should
    have ACME challenge solving routes inserted into it
    in order to solve HTTP01 challenges. This is typically
    used in conjunction with ingress controllers like ingress-gce,
    which maintains a 1:1 mapping between external IPs and
    ingress resources.
  type: string
podTemplate:
description: Optional pod template used to configure the
ACME challenge solver pods used for HTTP01 challenges
type: object
properties:
# Only labels and annotations can be set on the solver pod here; per the
# description they take precedence over cert-manager's built-in values, so a
# template can change how the solver pod is selected by policies keyed on
# labels.
metadata:
  description: ObjectMeta overrides for the pod used
    to solve HTTP01 challenges. Only the 'labels' and
    'annotations' fields may be set. If labels or annotations
    overlap with in-built values, the values here will
    override the in-built values.
  type: object
  properties:
    annotations:
      description: Annotations that should be added
        to the create ACME HTTP01 solver pods.
      type: object
      additionalProperties:
        type: string
    labels:
      description: Labels that should be added to the
        created ACME HTTP01 solver pods.
      type: object
      additionalProperties:
        type: string
spec:
description: PodSpec defines overrides for the HTTP01
challenge solver pod. Only the 'nodeSelector', 'affinity'
and 'tolerations' fields are supported currently.
All other fields will be ignored.
type: object
properties:
affinity:
description: If specified, the pod's scheduling
constraints
type: object
properties:
nodeAffinity:
description: Describes node affinity scheduling
rules for the pod.
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
to schedule pods to nodes that satisfy
the affinity expressions specified by
this field, but it may choose a node
that violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of
the scheduling requirements (resource
request, requiredDuringScheduling affinity
expressions, etc.), compute a sum by
iterating through the elements of this
field and adding "weight" to the sum
if the node matches the corresponding
matchExpressions; the node(s) with the
highest sum are the most preferred.
type: array
items:
description: An empty preferred scheduling
term matches all objects with implicit
weight 0 (i.e. it's a no-op). A null
preferred scheduling term matches
no objects (i.e. is also a no-op).
type: object
required:
- preference
- weight
properties:
preference:
description: A node selector term,
associated with the corresponding
weight.
type: object
properties:
matchExpressions:
description: A list of node
selector requirements by node's
labels.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node
selector requirements by node's
fields.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
weight:
description: Weight associated with
matching the corresponding nodeSelectorTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to an update),
the system may or may not try to eventually
evict the pod from its node.
type: object
required:
- nodeSelectorTerms
properties:
nodeSelectorTerms:
description: Required. A list of node
selector terms. The terms are ORed.
type: array
items:
description: A null or empty node
selector term matches no objects.
The requirements of them are ANDed.
The TopologySelectorTerm type
implements a subset of the NodeSelectorTerm.
type: object
properties:
matchExpressions:
description: A list of node
selector requirements by node's
labels.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node
selector requirements by node's
fields.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
podAffinity:
description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the same
node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
to schedule pods to nodes that satisfy
the affinity expressions specified by
this field, but it may choose a node
that violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of
the scheduling requirements (resource
request, requiredDuringScheduling affinity
expressions, etc.), compute a sum by
iterating through the elements of this
field and adding "weight" to the sum
if the node has pods which matches the
corresponding podAffinityTerm; the node(s)
with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity
term, associated with the corresponding
weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this
case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values,
a key, and an operator
that relates the key
and values.
type: object
required:
- key
- operator
properties:
key:
description: key is
the label key that
the selector applies
to.
type: string
operator:
description: operator
represents a key's
relationship to
a set of values.
Valid operators
are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values
is an array of string
values. If the operator
is In or NotIn,
the values array
must be non-empty.
If the operator
is Exists or DoesNotExist,
the values array
must be empty. This
array is replaced
during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels
is a map of {key,value}
pairs. A single {key,value}
in the matchLabels map
is equivalent to an element
of matchExpressions, whose
key field is "key", the
operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should
be co-located (affinity) or
not co-located (anti-affinity)
with the pods matching the
labelSelector in the specified
namespaces, where co-located
is defined as running on a
node whose value of the label
with key topologyKey matches
that of any node on which
any of the selected pods is
running. Empty topologyKey
is not allowed.
type: string
weight:
description: weight associated with
matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to a pod label
update), the system may or may not try
to eventually evict the pod from its
node. When there are multiple elements,
the lists of nodes corresponding to
each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
type: array
items:
description: Defines a set of pods (namely
those matching the labelSelector relative
to the given namespace(s)) that this
pod should be co-located (affinity)
or not co-located (anti-affinity)
with, where co-located is defined
as running on a node whose value of
the label with key <topologyKey> matches
that of any node on which a pod of
the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this case
pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the
label key that the selector
applies to.
type: string
operator:
description: operator
represents a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is
an array of string values.
If the operator is In
or NotIn, the values
array must be non-empty.
If the operator is Exists
or DoesNotExist, the
values array must be
empty. This array is
replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is
a map of {key,value} pairs.
A single {key,value} in the
matchLabels map is equivalent
to an element of matchExpressions,
whose key field is "key",
the operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be
co-located (affinity) or not co-located
(anti-affinity) with the pods
matching the labelSelector in
the specified namespaces, where
co-located is defined as running
on a node whose value of the label
with key topologyKey matches that
of any node on which any of the
selected pods is running. Empty
topologyKey is not allowed.
type: string
podAntiAffinity:
description: Describes pod anti-affinity scheduling
rules (e.g. avoid putting this pod in the
same node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
to schedule pods to nodes that satisfy
the anti-affinity expressions specified
by this field, but it may choose a node
that violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of
the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity
expressions, etc.), compute a sum by
iterating through the elements of this
field and adding "weight" to the sum
if the node has pods which matches the
corresponding podAffinityTerm; the node(s)
with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity
term, associated with the corresponding
weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this
case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values,
a key, and an operator
that relates the key
and values.
type: object
required:
- key
- operator
properties:
key:
description: key is
the label key that
the selector applies
to.
type: string
operator:
description: operator
represents a key's
relationship to
a set of values.
Valid operators
are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values
is an array of string
values. If the operator
is In or NotIn,
the values array
must be non-empty.
If the operator
is Exists or DoesNotExist,
the values array
must be empty. This
array is replaced
during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels
is a map of {key,value}
pairs. A single {key,value}
in the matchLabels map
is equivalent to an element
of matchExpressions, whose
key field is "key", the
operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should
be co-located (affinity) or
not co-located (anti-affinity)
with the pods matching the
labelSelector in the specified
namespaces, where co-located
is defined as running on a
node whose value of the label
with key topologyKey matches
that of any node on which
any of the selected pods is
running. Empty topologyKey
is not allowed.
type: string
weight:
description: weight associated with
matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the anti-affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to a pod label
update), the system may or may not try
to eventually evict the pod from its
node. When there are multiple elements,
the lists of nodes corresponding to
each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
type: array
items:
description: Defines a set of pods (namely
those matching the labelSelector relative
to the given namespace(s)) that this
pod should be co-located (affinity)
or not co-located (anti-affinity)
with, where co-located is defined
as running on a node whose value of
the label with key <topologyKey> matches
that of any node on which a pod of
the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this case
pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the
label key that the selector
applies to.
type: string
operator:
description: operator
represents a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is
an array of string values.
If the operator is In
or NotIn, the values
array must be non-empty.
If the operator is Exists
or DoesNotExist, the
values array must be
empty. This array is
replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is
a map of {key,value} pairs.
A single {key,value} in the
matchLabels map is equivalent
to an element of matchExpressions,
whose key field is "key",
the operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be
co-located (affinity) or not co-located
(anti-affinity) with the pods
matching the labelSelector in
the specified namespaces, where
co-located is defined as running
on a node whose value of the label
with key topologyKey matches that
of any node on which any of the
selected pods is running. Empty
topologyKey is not allowed.
type: string
nodeSelector:
description: 'NodeSelector is a selector which
must be true for the pod to fit on a node. Selector
which must match a node''s labels for the pod
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
type: object
additionalProperties:
type: string
tolerations:
description: If specified, the pod's tolerations.
type: array
items:
description: The pod this Toleration is attached
to tolerates any taint that matches the triple
<key,value,effect> using the matching operator
<operator>.
type: object
properties:
effect:
description: Effect indicates the taint
effect to match. Empty means match all
taint effects. When specified, allowed
values are NoSchedule, PreferNoSchedule
and NoExecute.
type: string
key:
description: Key is the taint key that the
toleration applies to. Empty means match
all taint keys. If the key is empty, operator
must be Exists; this combination means
to match all values and all keys.
type: string
operator:
description: Operator represents a key's
relationship to the value. Valid operators
are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value,
so that a pod can tolerate all taints
of a particular category.
type: string
tolerationSeconds:
description: TolerationSeconds represents
the period of time the toleration (which
must be of effect NoExecute, otherwise
this field is ignored) tolerates the taint.
By default, it is not set, which means
tolerate the taint forever (do not evict).
Zero and negative values will be treated
as 0 (evict immediately) by the system.
type: integer
format: int64
value:
description: Value is the taint value the
toleration matches to. If the operator
is Exists, the value should be empty,
otherwise just a regular string.
type: string
serviceType:
description: Optional service type for Kubernetes solver
service
type: string
selector:
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
If not specified, the solver will be treated as the 'default'
solver with the lowest priority, i.e. if any other solver has
a more specific match, it will be used instead.
type: object
properties:
dnsNames:
description: List of DNSNames that this solver will be used
to solve. If specified and a match is found, a dnsNames
selector will take precedence over a dnsZones selector.
If multiple solvers match with the same dnsNames value,
the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
type: array
items:
type: string
dnsZones:
description: List of DNSZones that this solver will be used
to solve. The most specific DNS zone match specified here
will take precedence over other DNS zone matches, so a solver
specifying sys.example.com will be selected over one specifying
example.com for the domain www.sys.example.com. If multiple
solvers match with the same dnsZones value, the solver with
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier
in the list will be selected.
type: array
items:
type: string
matchLabels:
description: A label selector that is used to refine the set
of certificates that this challenge solver will apply to.
type: object
additionalProperties:
type: string
token:
description: Token is the ACME challenge token for this challenge.
This is the raw value returned from the ACME server.
type: string
type:
description: Type is the type of ACME challenge this resource represents.
One of "http-01" or "dns-01".
type: string
enum:
- http-01
- dns-01
url:
description: URL is the URL of the ACME Challenge resource for this
challenge. This can be used to lookup details about the status of
this challenge.
type: string
wildcard:
description: Wildcard will be true if this challenge is for a wildcard
identifier, for example '*.example.com'.
type: boolean
status:
type: object
properties:
presented:
description: Presented will be set to true if the challenge values
for this challenge are currently 'presented'. This *does not* imply
the self check is passing. Only that the values have been 'submitted'
for the appropriate challenge mechanism (i.e. the DNS01 TXT record
has been presented, or the HTTP01 configuration has been configured).
type: boolean
processing:
description: Processing is used to denote whether this challenge should
be processed or not. This field will only be set to true by the
'scheduling' component. It will only be set to false by the 'challenges'
controller, after the challenge has reached a final state or timed
out. If this field is set to false, the challenge controller will
not take any more action.
type: boolean
reason:
description: Reason contains human readable information on why the
Challenge is in the current state.
type: string
state:
description: State contains the current 'state' of the challenge.
If not set, the state of the challenge is unknown.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
- name: v1alpha3
served: true
storage: false
"schema":
"openAPIV3Schema":
description: Challenge is a type to represent a Challenge request with an
ACME server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- authzURL
- dnsName
- issuerRef
- key
- solver
- token
- type
- url
properties:
authzURL:
description: AuthzURL is the URL to the ACME Authorization resource
that this challenge is a part of.
type: string
dnsName:
description: DNSName is the identifier that this challenge is for,
e.g. example.com. If the requested DNSName is a 'wildcard', this
field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
it must be `example.com`.
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type
Issuer which should be used to create this Challenge. If the Issuer
does not exist, processing will be retried. If the Issuer is not
an 'ACME' Issuer, an error will be returned and the Challenge will
be marked as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
key:
description: 'Key is the ACME challenge key for this challenge. For
HTTP01 challenges, this is the value that must be responded with
to complete the HTTP01 challenge in the format: `<private key JWK
thumbprint>.<key from acme server for challenge>`. For DNS01 challenges,
this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
from acme server for challenge>` text that must be set as the TXT
record content.'
type: string
solver:
description: Solver contains the domain solving configuration that
should be used to solve this challenge resource.
type: object
properties:
dns01:
description: Configures cert-manager to attempt to complete authorizations
by performing the DNS01 challenge flow.
type: object
properties:
acmedns:
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
API to manage DNS01 challenge records.
type: object
required:
- accountSecretRef
- host
properties:
accountSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
host:
type: string
akamai:
description: Use the Akamai DNS zone management API to manage
DNS01 challenge records.
type: object
required:
- accessTokenSecretRef
- clientSecretSecretRef
- clientTokenSecretRef
- serviceConsumerDomain
properties:
accessTokenSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
clientSecretSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
clientTokenSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
serviceConsumerDomain:
type: string
azuredns:
description: Use the Microsoft Azure DNS API to manage DNS01
challenge records.
type: object
required:
- resourceGroupName
- subscriptionID
properties:
clientID:
description: if both this and ClientSecret are left unset,
MSI will be used
type: string
clientSecretSecretRef:
description: if both this and ClientID are left unset,
MSI will be used
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
environment:
type: string
enum:
- AzurePublicCloud
- AzureChinaCloud
- AzureGermanCloud
- AzureUSGovernmentCloud
hostedZoneName:
type: string
resourceGroupName:
type: string
subscriptionID:
type: string
tenantID:
description: when specifying ClientID and ClientSecret
then this field is also needed
type: string
clouddns:
description: Use the Google Cloud DNS API to manage DNS01
challenge records.
type: object
required:
- project
properties:
hostedZoneName:
description: HostedZoneName is an optional field that
tells cert-manager in which Cloud DNS zone the challenge
record has to be created. If left empty cert-manager
will automatically choose a zone.
type: string
project:
type: string
serviceAccountSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
cloudflare:
description: Use the Cloudflare API to manage DNS01 challenge
records.
type: object
properties:
apiKeySecretRef:
description: 'API key to use to authenticate with Cloudflare.
Note: using an API token to authenticate is now the
recommended method as it allows greater control of permissions.'
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
apiTokenSecretRef:
description: API token used to authenticate with Cloudflare.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
email:
description: Email of the account, only required when
using API key based authentication.
type: string
cnameStrategy:
description: CNAMEStrategy configures how the DNS01 provider
should handle CNAME records when found in DNS zones.
type: string
enum:
- None
- Follow
digitalocean:
description: Use the DigitalOcean DNS API to manage DNS01
challenge records.
type: object
required:
- tokenSecretRef
properties:
tokenSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
rfc2136:
description: Use RFC2136 ("Dynamic Updates in the Domain Name
System") (https://datatracker.ietf.org/doc/rfc2136/) to
manage DNS01 challenge records.
type: object
required:
- nameserver
properties:
nameserver:
description: The IP address or hostname of an authoritative
DNS server supporting RFC2136 in the form host:port.
If the host is an IPv6 address it must be enclosed in
square brackets (e.g. [2001:db8::1]); port is optional.
This field is required.
type: string
tsigAlgorithm:
description: 'The TSIG Algorithm configured in the DNS
supporting RFC2136. Used only when ``tsigSecretSecretRef``
and ``tsigKeyName`` are defined. Supported values are
(case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
``HMACSHA256`` or ``HMACSHA512``.'
type: string
tsigKeyName:
description: The TSIG Key name configured in the DNS.
If ``tsigSecretSecretRef`` is defined, this field is
required.
type: string
tsigSecretSecretRef:
description: The name of the secret containing the TSIG
value. If ``tsigKeyName`` is defined, this field is
required.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
route53:
description: Use the AWS Route53 API to manage DNS01 challenge
records.
type: object
required:
- region
properties:
accessKeyID:
description: 'The AccessKeyID is used for authentication.
If not set we fall-back to using env vars, shared credentials
file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
type: string
hostedZoneID:
description: If set, the provider will manage only this
zone in Route53 and will not do a lookup using the
route53:ListHostedZonesByName api call.
type: string
region:
description: Always set the region when using AccessKeyID
and SecretAccessKey.
type: string
role:
description: Role is a Role ARN which the Route53 provider
will assume using either the explicit credentials AccessKeyID/SecretAccessKey
or the inferred credentials from environment variables,
shared credentials file or AWS Instance metadata
type: string
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication.
If not set we fall-back to using env vars, shared credentials
file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
webhook:
description: Configure an external webhook based DNS01 challenge
solver to manage DNS01 challenge records.
type: object
required:
- groupName
- solverName
properties:
config:
description: Additional configuration that should be passed
to the webhook apiserver when challenges are processed.
This can contain arbitrary JSON data. Secret values
should not be specified in this stanza. If secret values
are needed (e.g. credentials for a DNS service), you
should use a SecretKeySelector to reference a Secret
resource. For details on the schema of this field, consult
the webhook provider implementation's documentation.
x-kubernetes-preserve-unknown-fields: true
groupName:
description: The API group name that should be used when
POSTing ChallengePayload resources to the webhook apiserver.
This should be the same as the GroupName specified in
the webhook provider implementation.
type: string
solverName:
description: The name of the solver to use, as defined
in the webhook provider implementation. This will typically
be the name of the provider, e.g. 'cloudflare'.
type: string
http01:
description: Configures cert-manager to attempt to complete authorizations
by performing the HTTP01 challenge flow. It is not possible
to obtain certificates for wildcard domain names (e.g. `*.example.com`)
using the HTTP01 challenge mechanism.
type: object
properties:
ingress:
description: The ingress based HTTP01 challenge solver will
solve challenges by creating or modifying Ingress resources
in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
type: object
properties:
class:
description: The ingress class to use when creating Ingress
resources to solve ACME challenges that use this challenge
solver. Only one of 'class' or 'name' may be specified.
type: string
ingressTemplate:
description: Optional ingress template used to configure
the ACME challenge solver ingress used for HTTP01 challenges
type: object
properties:
metadata:
description: ObjectMeta overrides for the ingress
used to solve HTTP01 challenges. Only the 'labels'
and 'annotations' fields may be set. If labels or
annotations overlap with in-built values, the values
here will override the in-built values.
type: object
properties:
annotations:
description: Annotations that should be added
to the created ACME HTTP01 solver ingress.
type: object
additionalProperties:
type: string
labels:
description: Labels that should be added to the
created ACME HTTP01 solver ingress.
type: object
additionalProperties:
type: string
name:
description: The name of the ingress resource that should
have ACME challenge solving routes inserted into it
in order to solve HTTP01 challenges. This is typically
used in conjunction with ingress controllers like ingress-gce,
which maintains a 1:1 mapping between external IPs and
ingress resources.
type: string
podTemplate:
description: Optional pod template used to configure the
ACME challenge solver pods used for HTTP01 challenges
type: object
properties:
metadata:
description: ObjectMeta overrides for the pod used
to solve HTTP01 challenges. Only the 'labels' and
'annotations' fields may be set. If labels or annotations
overlap with in-built values, the values here will
override the in-built values.
type: object
properties:
annotations:
description: Annotations that should be added
to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
labels:
description: Labels that should be added to the
created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
spec:
description: PodSpec defines overrides for the HTTP01
challenge solver pod. Only the 'nodeSelector', 'affinity'
and 'tolerations' fields are supported currently.
All other fields will be ignored.
type: object
properties:
affinity:
description: If specified, the pod's scheduling
constraints
type: object
properties:
nodeAffinity:
description: Describes node affinity scheduling
rules for the pod.
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
to schedule pods to nodes that satisfy
the affinity expressions specified by
this field, but it may choose a node
that violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of
the scheduling requirements (resource
request, requiredDuringScheduling affinity
expressions, etc.), compute a sum by
iterating through the elements of this
field and adding "weight" to the sum
if the node matches the corresponding
matchExpressions; the node(s) with the
highest sum are the most preferred.
type: array
items:
description: An empty preferred scheduling
term matches all objects with implicit
weight 0 (i.e. it's a no-op). A null
preferred scheduling term matches
no objects (i.e. is also a no-op).
type: object
required:
- preference
- weight
properties:
preference:
description: A node selector term,
associated with the corresponding
weight.
type: object
properties:
matchExpressions:
description: A list of node
selector requirements by node's
labels.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist,
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node
selector requirements by node's
fields.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist,
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
weight:
description: Weight associated with
matching the corresponding nodeSelectorTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to an update),
the system may or may not try to eventually
evict the pod from its node.
type: object
required:
- nodeSelectorTerms
properties:
nodeSelectorTerms:
description: Required. A list of node
selector terms. The terms are ORed.
type: array
items:
description: A null or empty node
selector term matches no objects.
The requirements of them are ANDed.
The TopologySelectorTerm type
implements a subset of the NodeSelectorTerm.
type: object
properties:
matchExpressions:
description: A list of node
selector requirements by node's
labels.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist,
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node
selector requirements by node's
fields.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist,
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
podAffinity:
description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the same
node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
to schedule pods to nodes that satisfy
the affinity expressions specified by
this field, but it may choose a node
that violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of
the scheduling requirements (resource
request, requiredDuringScheduling affinity
expressions, etc.), compute a sum by
iterating through the elements of this
field and adding "weight" to the sum
if the node has pods which match the
corresponding podAffinityTerm; the node(s)
with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity
term, associated with the corresponding
weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this
case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values,
a key, and an operator
that relates the key
and values.
type: object
required:
- key
- operator
properties:
key:
description: key is
the label key that
the selector applies
to.
type: string
operator:
description: operator
represents a key's
relationship to
a set of values.
Valid operators
are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values
is an array of string
values. If the operator
is In or NotIn,
the values array
must be non-empty.
If the operator
is Exists or DoesNotExist,
the values array
must be empty. This
array is replaced
during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels
is a map of {key,value}
pairs. A single {key,value}
in the matchLabels map
is equivalent to an element
of matchExpressions, whose
key field is "key", the
operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should
be co-located (affinity) or
not co-located (anti-affinity)
with the pods matching the
labelSelector in the specified
namespaces, where co-located
is defined as running on a
node whose value of the label
with key topologyKey matches
that of any node on which
any of the selected pods is
running. Empty topologyKey
is not allowed.
type: string
weight:
description: weight associated with
matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to a pod label
update), the system may or may not try
to eventually evict the pod from its
node. When there are multiple elements,
the lists of nodes corresponding to
each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
type: array
items:
description: Defines a set of pods (namely
those matching the labelSelector relative
to the given namespace(s)) that this
pod should be co-located (affinity)
or not co-located (anti-affinity)
with, where co-located is defined
as running on a node whose value of
the label with key <topologyKey> matches
that of any node on which a pod of
the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this case
pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the
label key that the selector
applies to.
type: string
operator:
description: operator
represents a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is
an array of string values.
If the operator is In
or NotIn, the values
array must be non-empty.
If the operator is Exists
or DoesNotExist, the
values array must be
empty. This array is
replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is
a map of {key,value} pairs.
A single {key,value} in the
matchLabels map is equivalent
to an element of matchExpressions,
whose key field is "key",
the operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be
co-located (affinity) or not co-located
(anti-affinity) with the pods
matching the labelSelector in
the specified namespaces, where
co-located is defined as running
on a node whose value of the label
with key topologyKey matches that
of any node on which any of the
selected pods is running. Empty
topologyKey is not allowed.
type: string
podAntiAffinity:
description: Describes pod anti-affinity scheduling
rules (e.g. avoid putting this pod in the
same node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
to schedule pods to nodes that satisfy
the anti-affinity expressions specified
by this field, but it may choose a node
that violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of
the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity
expressions, etc.), compute a sum by
iterating through the elements of this
field and adding "weight" to the sum
if the node has pods which match the
corresponding podAffinityTerm; the node(s)
with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity
term, associated with the corresponding
weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this
case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values,
a key, and an operator
that relates the key
and values.
type: object
required:
- key
- operator
properties:
key:
description: key is
the label key that
the selector applies
to.
type: string
operator:
description: operator
represents a key's
relationship to
a set of values.
Valid operators
are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values
is an array of string
values. If the operator
is In or NotIn,
the values array
must be non-empty.
If the operator
is Exists or DoesNotExist,
the values array
must be empty. This
array is replaced
during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels
is a map of {key,value}
pairs. A single {key,value}
in the matchLabels map
is equivalent to an element
of matchExpressions, whose
key field is "key", the
operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should
be co-located (affinity) or
not co-located (anti-affinity)
with the pods matching the
labelSelector in the specified
namespaces, where co-located
is defined as running on a
node whose value of the label
with key topologyKey matches
that of any node on which
any of the selected pods is
running. Empty topologyKey
is not allowed.
type: string
weight:
description: weight associated with
matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the anti-affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to a pod label
update), the system may or may not try
to eventually evict the pod from its
node. When there are multiple elements,
the lists of nodes corresponding to
each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
type: array
items:
description: Defines a set of pods (namely
those matching the labelSelector relative
to the given namespace(s)) that this
pod should be co-located (affinity)
or not co-located (anti-affinity)
with, where co-located is defined
as running on a node whose value of
the label with key <topologyKey> matches
that of any node on which a pod of
the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this case
pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the
label key that the selector
applies to.
type: string
operator:
description: operator
represents a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is
an array of string values.
If the operator is In
or NotIn, the values
array must be non-empty.
If the operator is Exists
or DoesNotExist, the
values array must be
empty. This array is
replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is
a map of {key,value} pairs.
A single {key,value} in the
matchLabels map is equivalent
to an element of matchExpressions,
whose key field is "key",
the operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be
co-located (affinity) or not co-located
(anti-affinity) with the pods
matching the labelSelector in
the specified namespaces, where
co-located is defined as running
on a node whose value of the label
with key topologyKey matches that
of any node on which any of the
selected pods is running. Empty
topologyKey is not allowed.
type: string
nodeSelector:
description: 'NodeSelector is a selector which
must be true for the pod to fit on a node. Selector
which must match a node''s labels for the pod
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
type: object
additionalProperties:
type: string
tolerations:
description: If specified, the pod's tolerations.
type: array
items:
description: The pod this Toleration is attached
to tolerates any taint that matches the triple
<key,value,effect> using the matching operator
<operator>.
type: object
properties:
effect:
description: Effect indicates the taint
effect to match. Empty means match all
taint effects. When specified, allowed
values are NoSchedule, PreferNoSchedule
and NoExecute.
type: string
key:
description: Key is the taint key that the
toleration applies to. Empty means match
all taint keys. If the key is empty, operator
must be Exists; this combination means
to match all values and all keys.
type: string
operator:
description: Operator represents a key's
relationship to the value. Valid operators
are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value,
so that a pod can tolerate all taints
of a particular category.
type: string
tolerationSeconds:
description: TolerationSeconds represents
the period of time the toleration (which
must be of effect NoExecute, otherwise
this field is ignored) tolerates the taint.
By default, it is not set, which means
tolerate the taint forever (do not evict).
Zero and negative values will be treated
as 0 (evict immediately) by the system.
type: integer
format: int64
value:
description: Value is the taint value the
toleration matches to. If the operator
is Exists, the value should be empty,
otherwise just a regular string.
type: string
serviceType:
description: Optional service type for Kubernetes solver
service
type: string
selector:
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
If not specified, the solver will be treated as the 'default'
solver with the lowest priority, i.e. if any other solver has
a more specific match, it will be used instead.
type: object
properties:
dnsNames:
description: List of DNSNames that this solver will be used
to solve. If specified and a match is found, a dnsNames
selector will take precedence over a dnsZones selector.
If multiple solvers match with the same dnsNames value,
the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
type: array
items:
type: string
dnsZones:
description: List of DNSZones that this solver will be used
to solve. The most specific DNS zone match specified here
will take precedence over other DNS zone matches, so a solver
specifying sys.example.com will be selected over one specifying
example.com for the domain www.sys.example.com. If multiple
solvers match with the same dnsZones value, the solver with
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier
in the list will be selected.
type: array
items:
type: string
matchLabels:
description: A label selector that is used to refine the set
of certificates that this challenge solver will apply to.
type: object
additionalProperties:
type: string
token:
description: Token is the ACME challenge token for this challenge.
This is the raw value returned from the ACME server.
type: string
type:
description: Type is the type of ACME challenge this resource represents.
One of "http-01" or "dns-01".
type: string
enum:
- http-01
- dns-01
url:
description: URL is the URL of the ACME Challenge resource for this
challenge. This can be used to lookup details about the status of
this challenge.
type: string
wildcard:
description: Wildcard will be true if this challenge is for a wildcard
identifier, for example '*.example.com'.
type: boolean
status:
type: object
properties:
presented:
description: Presented will be set to true if the challenge values
for this challenge are currently 'presented'. This *does not* imply
the self check is passing. Only that the values have been 'submitted'
for the appropriate challenge mechanism (i.e. the DNS01 TXT record
has been presented, or the HTTP01 configuration has been configured).
type: boolean
processing:
description: Processing is used to denote whether this challenge should
be processed or not. This field will only be set to true by the
'scheduling' component. It will only be set to false by the 'challenges'
controller, after the challenge has reached a final state or timed
out. If this field is set to false, the challenge controller will
not take any more action.
type: boolean
reason:
description: Reason contains human readable information on why the
Challenge is in the current state.
type: string
state:
description: State contains the current 'state' of the challenge.
If not set, the state of the challenge is unknown.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
- name: v1beta1
served: true
storage: false
"schema":
"openAPIV3Schema":
description: Challenge is a type to represent a Challenge request with an
ACME server
type: object
required:
- metadata
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- authorizationURL
- dnsName
- issuerRef
- key
- solver
- token
- type
- url
properties:
authorizationURL:
description: The URL to the ACME Authorization resource that this
challenge is a part of.
type: string
dnsName:
description: dnsName is the identifier that this challenge is for,
e.g. example.com. If the requested DNSName is a 'wildcard', this
field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
it must be `example.com`.
type: string
issuerRef:
description: References a properly configured ACME-type Issuer which
should be used to create this Challenge. If the Issuer does not
exist, processing will be retried. If the Issuer is not an 'ACME'
Issuer, an error will be returned and the Challenge will be marked
as failed.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
key:
description: 'The ACME challenge key for this challenge. For HTTP01
challenges, this is the value that must be responded with to complete
the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
from acme server for challenge>`. For DNS01 challenges, this is
the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
from acme server for challenge>` text that must be set as the TXT
record content.'
type: string
solver:
description: Contains the domain solving configuration that should
be used to solve this challenge resource.
type: object
properties:
dns01:
description: Configures cert-manager to attempt to complete authorizations
by performing the DNS01 challenge flow.
type: object
properties:
acmeDNS:
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
API to manage DNS01 challenge records.
type: object
required:
- accountSecretRef
- host
properties:
accountSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
host:
type: string
akamai:
description: Use the Akamai DNS zone management API to manage
DNS01 challenge records.
type: object
required:
- accessTokenSecretRef
- clientSecretSecretRef
- clientTokenSecretRef
- serviceConsumerDomain
properties:
accessTokenSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
clientSecretSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
clientTokenSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
serviceConsumerDomain:
type: string
azureDNS:
description: Use the Microsoft Azure DNS API to manage DNS01
challenge records.
type: object
required:
- resourceGroupName
- subscriptionID
properties:
clientID:
description: if both this and ClientSecret are left unset
MSI will be used
type: string
clientSecretSecretRef:
description: if both this and ClientID are left unset
MSI will be used
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
environment:
type: string
enum:
- AzurePublicCloud
- AzureChinaCloud
- AzureGermanCloud
- AzureUSGovernmentCloud
hostedZoneName:
type: string
resourceGroupName:
type: string
subscriptionID:
type: string
tenantID:
description: when specifying ClientID and ClientSecret
then this field is also needed
type: string
cloudDNS:
description: Use the Google Cloud DNS API to manage DNS01
challenge records.
type: object
required:
- project
properties:
hostedZoneName:
description: HostedZoneName is an optional field that
tells cert-manager in which Cloud DNS zone the challenge
record has to be created. If left empty cert-manager
will automatically choose a zone.
type: string
project:
type: string
serviceAccountSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
cloudflare:
description: Use the Cloudflare API to manage DNS01 challenge
records.
type: object
properties:
apiKeySecretRef:
description: 'API key to use to authenticate with Cloudflare.
Note: using an API token to authenticate is now the
recommended method as it allows greater control of permissions.'
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
apiTokenSecretRef:
description: API token used to authenticate with Cloudflare.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
email:
description: Email of the account, only required when
using API key based authentication.
type: string
cnameStrategy:
description: CNAMEStrategy configures how the DNS01 provider
should handle CNAME records when found in DNS zones.
type: string
enum:
- None
- Follow
digitalocean:
description: Use the DigitalOcean DNS API to manage DNS01
challenge records.
type: object
required:
- tokenSecretRef
properties:
tokenSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
rfc2136:
description: Use RFC2136 ("Dynamic Updates in the Domain Name
System") (https://datatracker.ietf.org/doc/rfc2136/) to
manage DNS01 challenge records.
type: object
required:
- nameserver
properties:
nameserver:
description: The IP address or hostname of an authoritative
DNS server supporting RFC2136 in the form host:port.
If the host is an IPv6 address it must be enclosed in
square brackets (e.g. [2001:db8::1]); port is optional.
This field is required.
type: string
tsigAlgorithm:
description: 'The TSIG Algorithm configured in the DNS
supporting RFC2136. Used only when ``tsigSecretSecretRef``
and ``tsigKeyName`` are defined. Supported values are
(case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
``HMACSHA256`` or ``HMACSHA512``.'
type: string
tsigKeyName:
description: The TSIG Key name configured in the DNS.
If ``tsigSecretSecretRef`` is defined, this field is
required.
type: string
tsigSecretSecretRef:
description: The name of the secret containing the TSIG
value. If ``tsigKeyName`` is defined, this field is
required.
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
route53:
description: Use the AWS Route53 API to manage DNS01 challenge
records.
type: object
required:
- region
properties:
accessKeyID:
description: 'The AccessKeyID is used for authentication.
If not set we fall-back to using env vars, shared credentials
file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
type: string
hostedZoneID:
description: If set, the provider will manage only this
zone in Route53 and will not do a lookup using the
route53:ListHostedZonesByName api call.
type: string
region:
description: Always set the region when using AccessKeyID
and SecretAccessKey
type: string
role:
description: Role is a Role ARN which the Route53 provider
will assume using either the explicit credentials AccessKeyID/SecretAccessKey
or the inferred credentials from environment variables,
shared credentials file or AWS Instance metadata
type: string
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication.
If not set we fall-back to using env vars, shared credentials
file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
type: object
required:
- name
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
webhook:
description: Configure an external webhook based DNS01 challenge
solver to manage DNS01 challenge records.
type: object
required:
- groupName
- solverName
properties:
config:
description: Additional configuration that should be passed
to the webhook apiserver when challenges are processed.
This can contain arbitrary JSON data. Secret values
should not be specified in this stanza. If secret values
are needed (e.g. credentials for a DNS service), you
should use a SecretKeySelector to reference a Secret
resource. For details on the schema of this field, consult
the webhook provider implementation's documentation.
x-kubernetes-preserve-unknown-fields: true
groupName:
description: The API group name that should be used when
POSTing ChallengePayload resources to the webhook apiserver.
This should be the same as the GroupName specified in
the webhook provider implementation.
type: string
solverName:
description: The name of the solver to use, as defined
in the webhook provider implementation. This will typically
be the name of the provider, e.g. 'cloudflare'.
type: string
http01:
description: Configures cert-manager to attempt to complete authorizations
by performing the HTTP01 challenge flow. It is not possible
to obtain certificates for wildcard domain names (e.g. `*.example.com`)
using the HTTP01 challenge mechanism.
type: object
properties:
ingress:
description: The ingress based HTTP01 challenge solver will
solve challenges by creating or modifying Ingress resources
in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
type: object
properties:
class:
description: The ingress class to use when creating Ingress
resources to solve ACME challenges that use this challenge
solver. Only one of 'class' or 'name' may be specified.
type: string
ingressTemplate:
description: Optional ingress template used to configure
the ACME challenge solver ingress used for HTTP01 challenges
type: object
properties:
metadata:
description: ObjectMeta overrides for the ingress
used to solve HTTP01 challenges. Only the 'labels'
and 'annotations' fields may be set. If labels or
annotations overlap with in-built values, the values
here will override the in-built values.
type: object
properties:
annotations:
description: Annotations that should be added
to the created ACME HTTP01 solver ingress.
type: object
additionalProperties:
type: string
labels:
description: Labels that should be added to the
created ACME HTTP01 solver ingress.
type: object
additionalProperties:
type: string
name:
description: The name of the ingress resource that should
have ACME challenge solving routes inserted into it
in order to solve HTTP01 challenges. This is typically
used in conjunction with ingress controllers like ingress-gce,
which maintains a 1:1 mapping between external IPs and
ingress resources.
type: string
podTemplate:
description: Optional pod template used to configure the
ACME challenge solver pods used for HTTP01 challenges
type: object
properties:
metadata:
description: ObjectMeta overrides for the pod used
to solve HTTP01 challenges. Only the 'labels' and
'annotations' fields may be set. If labels or annotations
overlap with in-built values, the values here will
override the in-built values.
type: object
properties:
annotations:
description: Annotations that should be added
to the created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
labels:
description: Labels that should be added to the
created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
spec:
description: PodSpec defines overrides for the HTTP01
challenge solver pod. Only the 'nodeSelector', 'affinity'
and 'tolerations' fields are supported currently.
All other fields will be ignored.
type: object
properties:
affinity:
description: If specified, the pod's scheduling
constraints
type: object
properties:
nodeAffinity:
description: Describes node affinity scheduling
rules for the pod.
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
to schedule pods to nodes that satisfy
the affinity expressions specified by
this field, but it may choose a node
that violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of
the scheduling requirements (resource
request, requiredDuringScheduling affinity
expressions, etc.), compute a sum by
iterating through the elements of this
field and adding "weight" to the sum
if the node matches the corresponding
matchExpressions; the node(s) with the
highest sum are the most preferred.
type: array
items:
description: An empty preferred scheduling
term matches all objects with implicit
weight 0 (i.e. it's a no-op). A null
preferred scheduling term matches
no objects (i.e. is also a no-op).
type: object
required:
- preference
- weight
properties:
preference:
description: A node selector term,
associated with the corresponding
weight.
type: object
properties:
matchExpressions:
description: A list of node
selector requirements by node's
labels.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist,
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node
selector requirements by node's
fields.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist,
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
weight:
description: Weight associated with
matching the corresponding nodeSelectorTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to an update),
the system may or may not try to eventually
evict the pod from its node.
type: object
required:
- nodeSelectorTerms
properties:
nodeSelectorTerms:
description: Required. A list of node
selector terms. The terms are ORed.
type: array
items:
description: A null or empty node
selector term matches no objects.
The requirements of them are ANDed.
The TopologySelectorTerm type
implements a subset of the NodeSelectorTerm.
type: object
properties:
matchExpressions:
description: A list of node
selector requirements by node's
labels.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist,
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
matchFields:
description: A list of node
selector requirements by node's
fields.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label
key that the selector
applies to.
type: string
operator:
description: Represents
a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists, DoesNotExist,
Gt, and Lt.
type: string
values:
description: An array
of string values. If
the operator is In or
NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the
values array must be
empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will
be interpreted as an
integer. This array
is replaced during a
strategic merge patch.
type: array
items:
type: string
podAffinity:
description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the same
node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
to schedule pods to nodes that satisfy
the affinity expressions specified by
this field, but it may choose a node
that violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of
the scheduling requirements (resource
request, requiredDuringScheduling affinity
expressions, etc.), compute a sum by
iterating through the elements of this
field and adding "weight" to the sum
if the node has pods which matches the
corresponding podAffinityTerm; the node(s)
with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity
term, associated with the corresponding
weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this
case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values,
a key, and an operator
that relates the key
and values.
type: object
required:
- key
- operator
properties:
key:
description: key is
the label key that
the selector applies
to.
type: string
operator:
description: operator
represents a key's
relationship to
a set of values.
Valid operators
are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values
is an array of string
values. If the operator
is In or NotIn,
the values array
must be non-empty.
If the operator
is Exists or DoesNotExist,
the values array
must be empty. This
array is replaced
during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels
is a map of {key,value}
pairs. A single {key,value}
in the matchLabels map
is equivalent to an element
of matchExpressions, whose
key field is "key", the
operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should
be co-located (affinity) or
not co-located (anti-affinity)
with the pods matching the
labelSelector in the specified
namespaces, where co-located
is defined as running on a
node whose value of the label
with key topologyKey matches
that of any node on which
any of the selected pods is
running. Empty topologyKey
is not allowed.
type: string
weight:
description: weight associated with
matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to a pod label
update), the system may or may not try
to eventually evict the pod from its
node. When there are multiple elements,
the lists of nodes corresponding to
each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
type: array
items:
description: Defines a set of pods (namely
those matching the labelSelector relative
to the given namespace(s)) that this
pod should be co-located (affinity)
or not co-located (anti-affinity)
with, where co-located is defined
as running on a node whose value of
the label with key <topologyKey> matches
that of any node on which a pod of
the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this case
pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the
label key that the selector
applies to.
type: string
operator:
description: operator
represents a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is
an array of string values.
If the operator is In
or NotIn, the values
array must be non-empty.
If the operator is Exists
or DoesNotExist, the
values array must be
empty. This array is
replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is
a map of {key,value} pairs.
A single {key,value} in the
matchLabels map is equivalent
to an element of matchExpressions,
whose key field is "key",
the operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be
co-located (affinity) or not co-located
(anti-affinity) with the pods
matching the labelSelector in
the specified namespaces, where
co-located is defined as running
on a node whose value of the label
with key topologyKey matches that
of any node on which any of the
selected pods is running. Empty
topologyKey is not allowed.
type: string
podAntiAffinity:
description: Describes pod anti-affinity scheduling
rules (e.g. avoid putting this pod in the
same node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer
to schedule pods to nodes that satisfy
the anti-affinity expressions specified
by this field, but it may choose a node
that violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of
the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity
expressions, etc.), compute a sum by
iterating through the elements of this
field and adding "weight" to the sum
if the node has pods which matches the
corresponding podAffinityTerm; the node(s)
with the highest sum are the most preferred.
type: array
items:
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity
term, associated with the corresponding
weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this
case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values,
a key, and an operator
that relates the key
and values.
type: object
required:
- key
- operator
properties:
key:
description: key is
the label key that
the selector applies
to.
type: string
operator:
description: operator
represents a key's
relationship to
a set of values.
Valid operators
are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values
is an array of string
values. If the operator
is In or NotIn,
the values array
must be non-empty.
If the operator
is Exists or DoesNotExist,
the values array
must be empty. This
array is replaced
during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels
is a map of {key,value}
pairs. A single {key,value}
in the matchLabels map
is equivalent to an element
of matchExpressions, whose
key field is "key", the
operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should
be co-located (affinity) or
not co-located (anti-affinity)
with the pods matching the
labelSelector in the specified
namespaces, where co-located
is defined as running on a
node whose value of the label
with key topologyKey matches
that of any node on which
any of the selected pods is
running. Empty topologyKey
is not allowed.
type: string
weight:
description: weight associated with
matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the anti-affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to a pod label
update), the system may or may not try
to eventually evict the pod from its
node. When there are multiple elements,
the lists of nodes corresponding to
each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
type: array
items:
description: Defines a set of pods (namely
those matching the labelSelector relative
to the given namespace(s)) that this
pod should be co-located (affinity)
or not co-located (anti-affinity)
with, where co-located is defined
as running on a node whose value of
the label with key <topologyKey> matches
that of any node on which a pod of
the set of pods is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this case
pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the
label key that the selector
applies to.
type: string
operator:
description: operator
represents a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is
an array of string values.
If the operator is In
or NotIn, the values
array must be non-empty.
If the operator is Exists
or DoesNotExist, the
values array must be
empty. This array is
replaced during a strategic
merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is
a map of {key,value} pairs.
A single {key,value} in the
matchLabels map is equivalent
to an element of matchExpressions,
whose key field is "key",
the operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be
co-located (affinity) or not co-located
(anti-affinity) with the pods
matching the labelSelector in
the specified namespaces, where
co-located is defined as running
on a node whose value of the label
with key topologyKey matches that
of any node on which any of the
selected pods is running. Empty
topologyKey is not allowed.
type: string
nodeSelector:
description: 'NodeSelector is a selector which
must be true for the pod to fit on a node. Selector
which must match a node''s labels for the pod
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
type: object
additionalProperties:
type: string
tolerations:
description: If specified, the pod's tolerations.
type: array
items:
description: The pod this Toleration is attached
to tolerates any taint that matches the triple
<key,value,effect> using the matching operator
<operator>.
type: object
properties:
effect:
description: Effect indicates the taint
effect to match. Empty means match all
taint effects. When specified, allowed
values are NoSchedule, PreferNoSchedule
and NoExecute.
type: string
key:
description: Key is the taint key that the
toleration applies to. Empty means match
all taint keys. If the key is empty, operator
must be Exists; this combination means
to match all values and all keys.
type: string
operator:
description: Operator represents a key's
relationship to the value. Valid operators
are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value,
so that a pod can tolerate all taints
of a particular category.
type: string
tolerationSeconds:
description: TolerationSeconds represents
the period of time the toleration (which
must be of effect NoExecute, otherwise
this field is ignored) tolerates the taint.
By default, it is not set, which means
tolerate the taint forever (do not evict).
Zero and negative values will be treated
as 0 (evict immediately) by the system.
type: integer
format: int64
value:
description: Value is the taint value the
toleration matches to. If the operator
is Exists, the value should be empty,
otherwise just a regular string.
type: string
serviceType:
description: Optional service type for Kubernetes solver
service
type: string
selector:
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
If not specified, the solver will be treated as the 'default'
solver with the lowest priority, i.e. if any other solver has
a more specific match, it will be used instead.
type: object
properties:
dnsNames:
description: List of DNSNames that this solver will be used
to solve. If specified and a match is found, a dnsNames
selector will take precedence over a dnsZones selector.
If multiple solvers match with the same dnsNames value,
the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
type: array
items:
type: string
dnsZones:
description: List of DNSZones that this solver will be used
to solve. The most specific DNS zone match specified here
will take precedence over other DNS zone matches, so a solver
specifying sys.example.com will be selected over one specifying
example.com for the domain www.sys.example.com. If multiple
solvers match with the same dnsZones value, the solver with
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier
in the list will be selected.
type: array
items:
type: string
matchLabels:
description: A label selector that is used to refine the set
of certificates that this challenge solver will apply to.
type: object
additionalProperties:
type: string
token:
description: The ACME challenge token for this challenge. This is
the raw value returned from the ACME server.
type: string
type:
description: The type of ACME challenge this resource represents.
One of "HTTP-01" or "DNS-01".
type: string
enum:
- HTTP-01
- DNS-01
url:
description: The URL of the ACME Challenge resource for this challenge.
This can be used to look up details about the status of this challenge.
type: string
wildcard:
description: wildcard will be true if this challenge is for a wildcard
identifier, for example '*.example.com'.
type: boolean
status:
type: object
properties:
presented:
description: presented will be set to true if the challenge values
for this challenge are currently 'presented'. This *does not* imply
the self check is passing. Only that the values have been 'submitted'
for the appropriate challenge mechanism (i.e. the DNS01 TXT record
has been presented, or the HTTP01 configuration has been configured).
type: boolean
processing:
description: Used to denote whether this challenge should be processed
or not. This field will only be set to true by the 'scheduling'
component. It will only be set to false by the 'challenges' controller,
after the challenge has reached a final state or timed out. If this
field is set to false, the challenge controller will not take any
more action.
type: boolean
reason:
description: Contains human readable information on why the Challenge
is in the current state.
type: string
state:
description: Contains the current 'state' of the challenge. If not
set, the state of the challenge is unknown.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored