# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apiextensions.k8s.io/v1
|
||
kind: CustomResourceDefinition
|
||
metadata:
|
||
annotations:
|
||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||
labels:
|
||
app: cert-manager
|
||
app.kubernetes.io/instance: cert-manager
|
||
app.kubernetes.io/name: cert-manager
|
||
name: challenges.acme.cert-manager.io
|
||
spec:
|
||
conversion:
|
||
strategy: Webhook
|
||
webhook:
|
||
clientConfig:
|
||
service:
|
||
name: cert-manager-webhook
|
||
namespace: {{ cert_manager_namespace }}
|
||
path: /convert
|
||
conversionReviewVersions:
|
||
- v1
|
||
- v1beta1
|
||
group: acme.cert-manager.io
|
||
names:
|
||
kind: Challenge
|
||
listKind: ChallengeList
|
||
plural: challenges
|
||
singular: challenge
|
||
scope: Namespaced
|
||
versions:
|
||
- additionalPrinterColumns:
|
||
- jsonPath: .status.state
|
||
name: State
|
||
type: string
|
||
- jsonPath: .spec.dnsName
|
||
name: Domain
|
||
type: string
|
||
- jsonPath: .status.reason
|
||
name: Reason
|
||
priority: 1
|
||
type: string
|
||
- description: CreationTimestamp is a timestamp representing the server time when
|
||
this object was created. It is not guaranteed to be set in happens-before
|
||
order across separate operations. Clients may not set this value. It is represented
|
||
in RFC3339 form and is in UTC.
|
||
jsonPath: .metadata.creationTimestamp
|
||
name: Age
|
||
type: date
|
||
name: v1alpha2
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: Challenge is a type to represent a Challenge request with an
|
||
ACME server
|
||
properties:
|
||
apiVersion:
|
||
description: 'APIVersion defines the versioned schema of this representation
|
||
of an object. Servers should convert recognized schemas to the latest
|
||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
type: string
|
||
kind:
|
||
description: 'Kind is a string value representing the REST resource this
|
||
object represents. Servers may infer this from the endpoint the client
|
||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
properties:
|
||
authzURL:
|
||
description: AuthzURL is the URL to the ACME Authorization resource
|
||
that this challenge is a part of.
|
||
type: string
|
||
dnsName:
|
||
description: DNSName is the identifier that this challenge is for,
|
||
e.g. example.com. If the requested DNSName is a 'wildcard', this
|
||
field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
|
||
it must be `example.com`.
|
||
type: string
|
||
issuerRef:
|
||
description: IssuerRef references a properly configured ACME-type
|
||
Issuer which should be used to create this Challenge. If the Issuer
|
||
does not exist, processing will be retried. If the Issuer is not
|
||
an 'ACME' Issuer, an error will be returned and the Challenge will
|
||
be marked as failed.
|
||
properties:
|
||
group:
|
||
description: Group of the resource being referred to.
|
||
type: string
|
||
kind:
|
||
description: Kind of the resource being referred to.
|
||
type: string
|
||
name:
|
||
description: Name of the resource being referred to.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
key:
|
||
description: 'Key is the ACME challenge key for this challenge. For
|
||
HTTP01 challenges, this is the value that must be responded with
|
||
to complete the HTTP01 challenge in the format: `<private key JWK
|
||
thumbprint>.<key from acme server for challenge>`. For DNS01 challenges,
|
||
this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
|
||
from acme server for challenge>` text that must be set as the TXT
|
||
record content.'
|
||
type: string
|
||
solver:
|
||
description: Solver contains the domain solving configuration that
|
||
should be used to solve this challenge resource.
|
||
properties:
|
||
dns01:
|
||
description: Configures cert-manager to attempt to complete authorizations
|
||
by performing the DNS01 challenge flow.
|
||
properties:
|
||
acmedns:
|
||
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
||
API to manage DNS01 challenge records.
|
||
properties:
|
||
accountSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
host:
|
||
type: string
|
||
required:
|
||
- accountSecretRef
|
||
- host
|
||
type: object
|
||
akamai:
|
||
description: Use the Akamai DNS zone management API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
accessTokenSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientSecretSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientTokenSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
serviceConsumerDomain:
|
||
type: string
|
||
required:
|
||
- accessTokenSecretRef
|
||
- clientSecretSecretRef
|
||
- clientTokenSecretRef
|
||
- serviceConsumerDomain
|
||
type: object
|
||
azuredns:
|
||
description: Use the Microsoft Azure DNS API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
clientID:
|
||
description: if both this and ClientSecret are left unset
|
||
MSI will be used
|
||
type: string
|
||
clientSecretSecretRef:
|
||
description: if both this and ClientID are left unset
|
||
MSI will be used
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
environment:
|
||
enum:
|
||
- AzurePublicCloud
|
||
- AzureChinaCloud
|
||
- AzureGermanCloud
|
||
- AzureUSGovernmentCloud
|
||
type: string
|
||
hostedZoneName:
|
||
type: string
|
||
resourceGroupName:
|
||
type: string
|
||
subscriptionID:
|
||
type: string
|
||
tenantID:
|
||
description: when specifying ClientID and ClientSecret
|
||
then this field is also needed
|
||
type: string
|
||
required:
|
||
- resourceGroupName
|
||
- subscriptionID
|
||
type: object
|
||
clouddns:
|
||
description: Use the Google Cloud DNS API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
hostedZoneName:
|
||
description: HostedZoneName is an optional field that
|
||
tells cert-manager in which Cloud DNS zone the challenge
|
||
record has to be created. If left empty cert-manager
|
||
will automatically choose a zone.
|
||
type: string
|
||
project:
|
||
type: string
|
||
serviceAccountSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- project
|
||
type: object
|
||
cloudflare:
|
||
description: Use the Cloudflare API to manage DNS01 challenge
|
||
records.
|
||
properties:
|
||
apiKeySecretRef:
|
||
description: 'API key to use to authenticate with Cloudflare.
|
||
Note: using an API token to authenticate is now the
|
||
recommended method as it allows greater control of permissions.'
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
apiTokenSecretRef:
|
||
description: API token used to authenticate with Cloudflare.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
email:
|
||
description: Email of the account, only required when
|
||
using API key based authentication.
|
||
type: string
|
||
type: object
|
||
cnameStrategy:
|
||
description: CNAMEStrategy configures how the DNS01 provider
|
||
should handle CNAME records when found in DNS zones.
|
||
enum:
|
||
- None
|
||
- Follow
|
||
type: string
|
||
digitalocean:
|
||
description: Use the DigitalOcean DNS API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
tokenSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- tokenSecretRef
|
||
type: object
|
||
rfc2136:
|
||
description: Use RFC2136 ("Dynamic Updates in the Domain Name
|
||
System") (https://datatracker.ietf.org/doc/rfc2136/) to
|
||
manage DNS01 challenge records.
|
||
properties:
|
||
nameserver:
|
||
description: The IP address or hostname of an authoritative
|
||
DNS server supporting RFC2136 in the form host:port.
|
||
If the host is an IPv6 address it must be enclosed in
|
||
square brackets (e.g. [2001:db8::1]); port is optional.
|
||
This field is required.
|
||
type: string
|
||
tsigAlgorithm:
|
||
description: 'The TSIG Algorithm configured in the DNS
|
||
supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
||
and ``tsigKeyName`` are defined. Supported values are
|
||
(case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
|
||
``HMACSHA256`` or ``HMACSHA512``.'
|
||
type: string
|
||
tsigKeyName:
|
||
description: The TSIG Key name configured in the DNS.
|
||
If ``tsigSecretSecretRef`` is defined, this field is
|
||
required.
|
||
type: string
|
||
tsigSecretSecretRef:
|
||
description: The name of the secret containing the TSIG
|
||
value. If ``tsigKeyName`` is defined, this field is
|
||
required.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- nameserver
|
||
type: object
|
||
route53:
|
||
description: Use the AWS Route53 API to manage DNS01 challenge
|
||
records.
|
||
properties:
|
||
accessKeyID:
|
||
description: 'The AccessKeyID is used for authentication.
|
||
If not set we fall-back to using env vars, shared credentials
|
||
file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
||
type: string
|
||
hostedZoneID:
|
||
description: If set, the provider will manage only this
|
||
zone in Route53 and will not do a lookup using the
|
||
route53:ListHostedZonesByName api call.
|
||
type: string
|
||
region:
|
||
description: Always set the region when using AccessKeyID
|
||
and SecretAccessKey
|
||
type: string
|
||
role:
|
||
description: Role is a Role ARN which the Route53 provider
|
||
will assume using either the explicit credentials AccessKeyID/SecretAccessKey
|
||
or the inferred credentials from environment variables,
|
||
shared credentials file or AWS Instance metadata
|
||
type: string
|
||
secretAccessKeySecretRef:
|
||
description: The SecretAccessKey is used for authentication.
|
||
If not set we fall-back to using env vars, shared credentials
|
||
file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- region
|
||
type: object
|
||
webhook:
|
||
description: Configure an external webhook based DNS01 challenge
|
||
solver to manage DNS01 challenge records.
|
||
properties:
|
||
config:
|
||
description: Additional configuration that should be passed
|
||
to the webhook apiserver when challenges are processed.
|
||
This can contain arbitrary JSON data. Secret values
|
||
should not be specified in this stanza. If secret values
|
||
are needed (e.g. credentials for a DNS service), you
|
||
should use a SecretKeySelector to reference a Secret
|
||
resource. For details on the schema of this field, consult
|
||
the webhook provider implementation's documentation.
|
||
x-kubernetes-preserve-unknown-fields: true
|
||
groupName:
|
||
description: The API group name that should be used when
|
||
POSTing ChallengePayload resources to the webhook apiserver.
|
||
This should be the same as the GroupName specified in
|
||
the webhook provider implementation.
|
||
type: string
|
||
solverName:
|
||
description: The name of the solver to use, as defined
|
||
in the webhook provider implementation. This will typically
|
||
be the name of the provider, e.g. 'cloudflare'.
|
||
type: string
|
||
required:
|
||
- groupName
|
||
- solverName
|
||
type: object
|
||
type: object
|
||
http01:
|
||
description: Configures cert-manager to attempt to complete authorizations
|
||
by performing the HTTP01 challenge flow. It is not possible
|
||
to obtain certificates for wildcard domain names (e.g. `*.example.com`)
|
||
using the HTTP01 challenge mechanism.
|
||
properties:
|
||
ingress:
|
||
description: The ingress based HTTP01 challenge solver will
|
||
solve challenges by creating or modifying Ingress resources
|
||
in order to route requests for '/.well-known/acme-challenge/XYZ'
|
||
to 'challenge solver' pods that are provisioned by cert-manager
|
||
for each Challenge to be completed.
|
||
properties:
|
||
class:
|
||
description: The ingress class to use when creating Ingress
|
||
resources to solve ACME challenges that use this challenge
|
||
solver. Only one of 'class' or 'name' may be specified.
|
||
type: string
|
||
ingressTemplate:
|
||
description: Optional ingress template used to configure
|
||
the ACME challenge solver ingress used for HTTP01 challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the ingress
|
||
used to solve HTTP01 challenges. Only the 'labels'
|
||
and 'annotations' fields may be set. If labels or
|
||
annotations overlap with in-built values, the values
|
||
here will override the in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be added
|
||
to the created ACME HTTP01 solver ingress.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added to the
|
||
created ACME HTTP01 solver ingress.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
name:
|
||
description: The name of the ingress resource that should
|
||
have ACME challenge solving routes inserted into it
|
||
in order to solve HTTP01 challenges. This is typically
|
||
used in conjunction with ingress controllers like ingress-gce,
|
||
which maintains a 1:1 mapping between external IPs and
|
||
ingress resources.
|
||
type: string
|
||
podTemplate:
|
||
description: Optional pod template used to configure the
|
||
ACME challenge solver pods used for HTTP01 challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the pod used
|
||
to solve HTTP01 challenges. Only the 'labels' and
|
||
'annotations' fields may be set. If labels or annotations
|
||
overlap with in-built values, the values here will
|
||
override the in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be added
|
||
to the created ACME HTTP01 solver pods.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added to the
|
||
created ACME HTTP01 solver pods.
|
||
type: object
|
||
type: object
|
||
spec:
|
||
description: PodSpec defines overrides for the HTTP01
|
||
challenge solver pod. Only the 'priorityClassName',
|
||
'nodeSelector', 'affinity', 'serviceAccountName'
|
||
and 'tolerations' fields are supported currently.
|
||
All other fields will be ignored.
|
||
properties:
|
||
affinity:
|
||
description: If specified, the pod's scheduling
|
||
constraints
|
||
properties:
|
||
nodeAffinity:
|
||
description: Describes node affinity scheduling
|
||
rules for the pod.
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the affinity expressions specified by
|
||
this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node matches the corresponding
|
||
matchExpressions; the node(s) with the
|
||
highest sum are the most preferred.
|
||
items:
|
||
description: An empty preferred scheduling
|
||
term matches all objects with implicit
|
||
weight 0 (i.e. it's a no-op). A null
|
||
preferred scheduling term matches
|
||
no objects (i.e. is also a no-op).
|
||
properties:
|
||
preference:
|
||
description: A node selector term,
|
||
associated with the corresponding
|
||
weight.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
labels.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
fields.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
weight:
|
||
description: Weight associated with
|
||
matching the corresponding nodeSelectorTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- preference
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to an update),
|
||
the system may or may not try to eventually
|
||
evict the pod from its node.
|
||
properties:
|
||
nodeSelectorTerms:
|
||
description: Required. A list of node
|
||
selector terms. The terms are ORed.
|
||
items:
|
||
description: A null or empty node
|
||
selector term matches no objects.
|
||
The requirements of them are ANDed.
|
||
The TopologySelectorTerm type
|
||
implements a subset of the NodeSelectorTerm.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
labels.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
fields.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: array
|
||
required:
|
||
- nodeSelectorTerms
|
||
type: object
|
||
type: object
|
||
podAffinity:
|
||
description: Describes pod affinity scheduling
|
||
rules (e.g. co-locate this pod in the same
|
||
node, zone, etc. as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the affinity expressions specified by
|
||
this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node has pods which matches the
|
||
corresponding podAffinityTerm; the node(s)
|
||
with the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all of the
|
||
matched WeightedPodAffinityTerm fields
|
||
are added per-node to find the most
|
||
preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod affinity
|
||
term, associated with the corresponding
|
||
weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this
|
||
case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values,
|
||
a key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key is
|
||
the label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn, Exists
|
||
and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of string
|
||
values. If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty. This
|
||
array is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an element
|
||
of matchExpressions, whose
|
||
key field is "key", the
|
||
operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity) or
|
||
not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on a
|
||
node whose value of the label
|
||
with key topologyKey matches
|
||
that of any node on which
|
||
any of the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated with
|
||
matching the corresponding podAffinityTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to a pod label
|
||
update), the system may or may not try
|
||
to eventually evict the pod from its
|
||
node. When there are multiple elements,
|
||
the lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of pods (namely
|
||
those matching the labelSelector relative
|
||
to the given namespace(s)) that this
|
||
pod should be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with, where co-located is defined
|
||
as running on a node whose value of
|
||
the label with key <topologyKey> matches
|
||
that of any node on which a pod of
|
||
the set of pods is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this case
|
||
pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: key is the
|
||
label key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values is
|
||
an array of string values.
|
||
If the operator is In
|
||
or NotIn, the values
|
||
array must be non-empty.
|
||
If the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. This array is
|
||
replaced during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels is
|
||
a map of {key,value} pairs.
|
||
A single {key,value} in the
|
||
matchLabels map is equivalent
|
||
to an element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should be
|
||
co-located (affinity) or not co-located
|
||
(anti-affinity) with the pods
|
||
matching the labelSelector in
|
||
the specified namespaces, where
|
||
co-located is defined as running
|
||
on a node whose value of the label
|
||
with key topologyKey matches that
|
||
of any node on which any of the
|
||
selected pods is running. Empty
|
||
topologyKey is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
podAntiAffinity:
|
||
description: Describes pod anti-affinity scheduling
|
||
rules (e.g. avoid putting this pod in the
|
||
same node, zone, etc. as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the anti-affinity expressions specified
|
||
by this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling anti-affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node has pods which matches the
|
||
corresponding podAffinityTerm; the node(s)
|
||
with the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all of the
|
||
matched WeightedPodAffinityTerm fields
|
||
are added per-node to find the most
|
||
preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod affinity
|
||
term, associated with the corresponding
|
||
weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this
|
||
case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values,
|
||
a key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key is
|
||
the label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn, Exists
|
||
and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of string
|
||
values. If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty. This
|
||
array is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an element
|
||
of matchExpressions, whose
|
||
key field is "key", the
|
||
operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity) or
|
||
not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on a
|
||
node whose value of the label
|
||
with key topologyKey matches
|
||
that of any node on which
|
||
any of the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated with
|
||
matching the corresponding podAffinityTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the anti-affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the anti-affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to a pod label
|
||
update), the system may or may not try
|
||
to eventually evict the pod from its
|
||
node. When there are multiple elements,
|
||
the lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of pods (namely
|
||
those matching the labelSelector relative
|
||
to the given namespace(s)) that this
|
||
pod should be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with, where co-located is defined
|
||
as running on a node whose value of
|
||
the label with key <topologyKey> matches
|
||
that of any node on which a pod of
|
||
the set of pods is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this case
|
||
pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: key is the
|
||
label key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values is
|
||
an array of string values.
|
||
If the operator is In
|
||
or NotIn, the values
|
||
array must be non-empty.
|
||
If the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. This array is
|
||
replaced during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels is
|
||
a map of {key,value} pairs.
|
||
A single {key,value} in the
|
||
matchLabels map is equivalent
|
||
to an element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should be
|
||
co-located (affinity) or not co-located
|
||
(anti-affinity) with the pods
|
||
matching the labelSelector in
|
||
the specified namespaces, where
|
||
co-located is defined as running
|
||
on a node whose value of the label
|
||
with key topologyKey matches that
|
||
of any node on which any of the
|
||
selected pods is running. Empty
|
||
topologyKey is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
nodeSelector:
|
||
additionalProperties:
|
||
type: string
|
||
description: 'NodeSelector is a selector which
|
||
must be true for the pod to fit on a node. Selector
|
||
which must match a node''s labels for the pod
|
||
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
||
type: object
|
||
priorityClassName:
|
||
description: If specified, the pod's priorityClassName.
|
||
type: string
|
||
serviceAccountName:
|
||
description: If specified, the service account the challenge solver pod runs as. The solver pod can use that account's credentials, so point this at a dedicated, minimally privileged service account rather than one that carries broader cluster permissions.
|
||
type: string
|
||
tolerations:
|
||
description: If specified, the pod's tolerations.
|
||
items:
|
||
description: The pod this Toleration is attached
|
||
to tolerates any taint that matches the triple
|
||
<key,value,effect> using the matching operator
|
||
<operator>.
|
||
properties:
|
||
effect:
|
||
description: Effect indicates the taint
|
||
effect to match. Empty means match all
|
||
taint effects. When specified, allowed
|
||
values are NoSchedule, PreferNoSchedule
|
||
and NoExecute.
|
||
type: string
|
||
key:
|
||
description: Key is the taint key that the
|
||
toleration applies to. Empty means match
|
||
all taint keys. If the key is empty, operator
|
||
must be Exists; this combination means
|
||
to match all values and all keys.
|
||
type: string
|
||
operator:
|
||
description: Operator represents a key's
|
||
relationship to the value. Valid operators
|
||
are Exists and Equal. Defaults to Equal.
|
||
Exists is equivalent to wildcard for value,
|
||
so that a pod can tolerate all taints
|
||
of a particular category.
|
||
type: string
|
||
tolerationSeconds:
|
||
description: TolerationSeconds represents
|
||
the period of time the toleration (which
|
||
must be of effect NoExecute, otherwise
|
||
this field is ignored) tolerates the taint.
|
||
By default, it is not set, which means
|
||
tolerate the taint forever (do not evict).
|
||
Zero and negative values will be treated
|
||
as 0 (evict immediately) by the system.
|
||
format: int64
|
||
type: integer
|
||
value:
|
||
description: Value is the taint value the
|
||
toleration matches to. If the operator
|
||
is Exists, the value should be empty,
|
||
otherwise just a regular string.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
serviceType:
|
||
description: Optional service type for Kubernetes solver
|
||
service
|
||
type: string
|
||
type: object
|
||
type: object
|
||
selector:
|
||
description: Selector selects a set of DNSNames on the Certificate
|
||
resource that should be solved using this challenge solver.
|
||
If not specified, the solver will be treated as the 'default'
|
||
solver with the lowest priority, i.e. if any other solver has
|
||
a more specific match, it will be used instead.
|
||
properties:
|
||
dnsNames:
|
||
description: List of DNSNames that this solver will be used
|
||
to solve. If specified and a match is found, a dnsNames
|
||
selector will take precedence over a dnsZones selector.
|
||
If multiple solvers match with the same dnsNames value,
|
||
the solver with the most matching labels in matchLabels
|
||
will be selected. If neither has more matches, the solver
|
||
defined earlier in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
dnsZones:
|
||
description: List of DNSZones that this solver will be used
|
||
to solve. The most specific DNS zone match specified here
|
||
will take precedence over other DNS zone matches, so a solver
|
||
specifying sys.example.com will be selected over one specifying
|
||
example.com for the domain www.sys.example.com. If multiple
|
||
solvers match with the same dnsZones value, the solver with
|
||
the most matching labels in matchLabels will be selected.
|
||
If neither has more matches, the solver defined earlier
|
||
in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: A label selector that is used to refine the set
of Certificates that this challenge solver will apply to.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
token:
|
||
description: Token is the ACME challenge token for this challenge.
|
||
This is the raw value returned from the ACME server.
|
||
type: string
|
||
type:
|
||
description: Type is the type of ACME challenge this resource represents.
|
||
One of "http-01" or "dns-01".
|
||
enum:
|
||
- http-01
|
||
- dns-01
|
||
type: string
|
||
url:
|
||
description: URL is the URL of the ACME Challenge resource for this
|
||
challenge. This can be used to lookup details about the status of
|
||
this challenge.
|
||
type: string
|
||
wildcard:
|
||
description: Wildcard will be true if this challenge is for a wildcard
|
||
identifier, for example '*.example.com'.
|
||
type: boolean
|
||
required:
|
||
- authzURL
|
||
- dnsName
|
||
- issuerRef
|
||
- key
|
||
- solver
|
||
- token
|
||
- type
|
||
- url
|
||
type: object
|
||
status:
|
||
properties:
|
||
presented:
|
||
description: Presented will be set to true if the challenge values
|
||
for this challenge are currently 'presented'. This *does not* imply
|
||
the self check is passing. Only that the values have been 'submitted'
|
||
for the appropriate challenge mechanism (i.e. the DNS01 TXT record
|
||
has been presented, or the HTTP01 configuration has been configured).
|
||
type: boolean
|
||
processing:
|
||
description: Processing is used to denote whether this challenge should
|
||
be processed or not. This field will only be set to true by the
|
||
'scheduling' component. It will only be set to false by the 'challenges'
|
||
controller, after the challenge has reached a final state or timed
|
||
out. If this field is set to false, the challenge controller will
|
||
not take any more action.
|
||
type: boolean
|
||
reason:
|
||
description: Reason contains human readable information on why the
|
||
Challenge is in the current state.
|
||
type: string
|
||
state:
|
||
description: State contains the current 'state' of the challenge.
|
||
If not set, the state of the challenge is unknown.
|
||
enum:
|
||
- valid
|
||
- ready
|
||
- pending
|
||
- processing
|
||
- invalid
|
||
- expired
|
||
- errored
|
||
type: string
|
||
type: object
|
||
required:
|
||
- metadata
|
||
type: object
|
||
served: true
|
||
storage: false
|
||
subresources:
|
||
status: {}
|
||
- additionalPrinterColumns:
|
||
- jsonPath: .status.state
|
||
name: State
|
||
type: string
|
||
- jsonPath: .spec.dnsName
|
||
name: Domain
|
||
type: string
|
||
- jsonPath: .status.reason
|
||
name: Reason
|
||
priority: 1
|
||
type: string
|
||
- description: CreationTimestamp is a timestamp representing the server time when
|
||
this object was created. It is not guaranteed to be set in happens-before
|
||
order across separate operations. Clients may not set this value. It is represented
|
||
in RFC3339 form and is in UTC.
|
||
jsonPath: .metadata.creationTimestamp
|
||
name: Age
|
||
type: date
|
||
name: v1alpha3
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: Challenge is a type to represent a Challenge request with an
|
||
ACME server
|
||
properties:
|
||
apiVersion:
|
||
description: 'APIVersion defines the versioned schema of this representation
|
||
of an object. Servers should convert recognized schemas to the latest
|
||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
type: string
|
||
kind:
|
||
description: 'Kind is a string value representing the REST resource this
|
||
object represents. Servers may infer this from the endpoint the client
|
||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
properties:
|
||
authzURL:
|
||
description: AuthzURL is the URL to the ACME Authorization resource
|
||
that this challenge is a part of.
|
||
type: string
|
||
dnsName:
|
||
description: DNSName is the identifier that this challenge is for,
|
||
e.g. example.com. If the requested DNSName is a 'wildcard', this
|
||
field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
|
||
it must be `example.com`.
|
||
type: string
|
||
issuerRef:
|
||
description: IssuerRef references a properly configured ACME-type
|
||
Issuer which should be used to create this Challenge. If the Issuer
|
||
does not exist, processing will be retried. If the Issuer is not
|
||
an 'ACME' Issuer, an error will be returned and the Challenge will
|
||
be marked as failed.
|
||
properties:
|
||
group:
|
||
description: Group of the resource being referred to.
|
||
type: string
|
||
kind:
|
||
description: Kind of the resource being referred to.
|
||
type: string
|
||
name:
|
||
description: Name of the resource being referred to.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
key:
|
||
description: 'Key is the ACME "key authorization" for this challenge
(RFC 8555, Section 8.1). For HTTP01 challenges, this is the value that
must be served at the challenge URL, in the format:
`<token from ACME server for challenge>.<account private key JWK thumbprint>`.
For DNS01 challenges, this is the base64url-encoded SHA-256 digest of that
key-authorization string (RFC 8555, Section 8.4), which must be set as the
TXT record content.'
|
||
type: string
|
||
solver:
|
||
description: Solver contains the domain solving configuration that
|
||
should be used to solve this challenge resource.
|
||
properties:
|
||
dns01:
|
||
description: Configures cert-manager to attempt to complete authorizations
|
||
by performing the DNS01 challenge flow.
|
||
properties:
|
||
acmedns:
|
||
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
||
API to manage DNS01 challenge records.
|
||
properties:
|
||
accountSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
host:
|
||
type: string
|
||
required:
|
||
- accountSecretRef
|
||
- host
|
||
type: object
|
||
akamai:
|
||
description: Use the Akamai DNS zone management API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
accessTokenSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientSecretSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientTokenSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
serviceConsumerDomain:
|
||
type: string
|
||
required:
|
||
- accessTokenSecretRef
|
||
- clientSecretSecretRef
|
||
- clientTokenSecretRef
|
||
- serviceConsumerDomain
|
||
type: object
|
||
azuredns:
|
||
description: Use the Microsoft Azure DNS API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
clientID:
|
||
description: if both this and ClientSecret are left unset
|
||
MSI will be used
|
||
type: string
|
||
clientSecretSecretRef:
|
||
description: if both this and ClientID are left unset
|
||
MSI will be used
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
environment:
|
||
enum:
|
||
- AzurePublicCloud
|
||
- AzureChinaCloud
|
||
- AzureGermanCloud
|
||
- AzureUSGovernmentCloud
|
||
type: string
|
||
hostedZoneName:
|
||
type: string
|
||
resourceGroupName:
|
||
type: string
|
||
subscriptionID:
|
||
type: string
|
||
tenantID:
|
||
description: when specifying ClientID and ClientSecret
|
||
then this field is also needed
|
||
type: string
|
||
required:
|
||
- resourceGroupName
|
||
- subscriptionID
|
||
type: object
|
||
clouddns:
|
||
description: Use the Google Cloud DNS API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
hostedZoneName:
|
||
description: HostedZoneName is an optional field that
|
||
tells cert-manager in which Cloud DNS zone the challenge
|
||
record has to be created. If left empty cert-manager
|
||
will automatically choose a zone.
|
||
type: string
|
||
project:
|
||
type: string
|
||
serviceAccountSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- project
|
||
type: object
|
||
cloudflare:
|
||
description: Use the Cloudflare API to manage DNS01 challenge
|
||
records.
|
||
properties:
|
||
apiKeySecretRef:
|
||
description: 'API key to use to authenticate with Cloudflare.
Note: the global API key grants full access to the whole account.
Using a scoped API token (apiTokenSecretRef) is now the recommended
method as it allows greater control of permissions.'
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
apiTokenSecretRef:
|
||
description: API token used to authenticate with Cloudflare.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
email:
|
||
description: Email of the account, only required when
|
||
using API key based authentication.
|
||
type: string
|
||
type: object
|
||
cnameStrategy:
|
||
description: CNAMEStrategy configures how the DNS01 provider
|
||
should handle CNAME records when found in DNS zones.
|
||
enum:
|
||
- None
|
||
- Follow
|
||
type: string
|
||
digitalocean:
|
||
description: Use the DigitalOcean DNS API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
tokenSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- tokenSecretRef
|
||
type: object
|
||
rfc2136:
|
||
description: Use RFC2136 ("Dynamic Updates in the Domain Name
|
||
System") (https://datatracker.ietf.org/doc/rfc2136/) to
|
||
manage DNS01 challenge records.
|
||
properties:
|
||
nameserver:
|
||
description: The IP address or hostname of an authoritative
DNS server supporting RFC2136, in the form host:port.
If the host is an IPv6 address it must be enclosed in
square brackets (e.g. [2001:db8::1]); the port is optional.
This field is required. Updates are TSIG-signed only when
``tsigKeyName`` and ``tsigSecretSecretRef`` are also set;
otherwise they are sent unsigned and the server's own
update policy is the only control over who may change the zone.
|
||
type: string
|
||
tsigAlgorithm:
|
||
description: 'The TSIG Algorithm configured in the DNS
supporting RFC2136. Used only when ``tsigSecretSecretRef``
and ``tsigKeyName`` are defined. Supported values are
(case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
``HMACSHA256`` or ``HMACSHA512``. ``HMACMD5`` and ``HMACSHA1``
are legacy algorithms kept for compatibility with older servers;
prefer ``HMACSHA256`` or ``HMACSHA512`` where the server supports
them, and set this field explicitly rather than relying on the default.'
|
||
type: string
|
||
tsigKeyName:
|
||
description: The TSIG Key name configured in the DNS.
|
||
If ``tsigSecretSecretRef`` is defined, this field is
|
||
required.
|
||
type: string
|
||
tsigSecretSecretRef:
|
||
description: The name of the secret containing the TSIG
|
||
value. If ``tsigKeyName`` is defined, this field is
|
||
required.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- nameserver
|
||
type: object
|
||
route53:
|
||
description: Use the AWS Route53 API to manage DNS01 challenge
|
||
records.
|
||
properties:
|
||
accessKeyID:
|
||
description: 'The AccessKeyID is used for authentication.
If not set, cert-manager falls back to the AWS SDK default
credential chain of the cert-manager pod itself (env vars,
shared credentials file or AWS Instance metadata), i.e. whatever
AWS identity cert-manager runs with, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
||
type: string
|
||
hostedZoneID:
|
||
description: If set, the provider will manage only this
zone in Route53 and will not do a lookup using the
route53:ListHostedZonesByName API call, so the credentials
used do not need that account-wide permission and can be
scoped to the single hosted zone.
|
||
type: string
|
||
region:
|
||
description: Always set the region when using AccessKeyID
|
||
and SecretAccessKey
|
||
type: string
|
||
role:
|
||
description: Role is a Role ARN which the Route53 provider
|
||
will assume using either the explicit credentials AccessKeyID/SecretAccessKey
|
||
or the inferred credentials from environment variables,
|
||
shared credentials file or AWS Instance metadata
|
||
type: string
|
||
secretAccessKeySecretRef:
|
||
description: The SecretAccessKey is used for authentication.
|
||
If not set we fall-back to using env vars, shared credentials
|
||
file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- region
|
||
type: object
|
||
webhook:
|
||
description: Configure an external webhook based DNS01 challenge
|
||
solver to manage DNS01 challenge records.
|
||
properties:
|
||
config:
|
||
description: Additional configuration that should be passed
to the webhook apiserver when challenges are processed.
This can contain arbitrary JSON data. Secret values
must not be specified in this stanza. It is stored in clear
text on the Challenge resource and is visible to anyone
permitted to read Challenges. If secret values
are needed (e.g. credentials for a DNS service), you
should use a SecretKeySelector to reference a Secret
resource. For details on the schema of this field, consult
the webhook provider implementation's documentation.
|
||
x-kubernetes-preserve-unknown-fields: true
|
||
groupName:
|
||
description: The API group name that should be used when
|
||
POSTing ChallengePayload resources to the webhook apiserver.
|
||
This should be the same as the GroupName specified in
|
||
the webhook provider implementation.
|
||
type: string
|
||
solverName:
|
||
description: The name of the solver to use, as defined
|
||
in the webhook provider implementation. This will typically
|
||
be the name of the provider, e.g. 'cloudflare'.
|
||
type: string
|
||
required:
|
||
- groupName
|
||
- solverName
|
||
type: object
|
||
type: object
|
||
http01:
|
||
description: Configures cert-manager to attempt to complete authorizations
|
||
by performing the HTTP01 challenge flow. It is not possible
|
||
to obtain certificates for wildcard domain names (e.g. `*.example.com`)
|
||
using the HTTP01 challenge mechanism.
|
||
properties:
|
||
ingress:
|
||
description: The ingress based HTTP01 challenge solver will
|
||
solve challenges by creating or modifying Ingress resources
|
||
in order to route requests for '/.well-known/acme-challenge/XYZ'
|
||
to 'challenge solver' pods that are provisioned by cert-manager
|
||
for each Challenge to be completed.
|
||
properties:
|
||
class:
|
||
description: The ingress class to use when creating Ingress
|
||
resources to solve ACME challenges that use this challenge
|
||
solver. Only one of 'class' or 'name' may be specified.
|
||
type: string
|
||
ingressTemplate:
|
||
description: Optional ingress template used to configure
|
||
the ACME challenge solver ingress used for HTTP01 challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the ingress
|
||
used to solve HTTP01 challenges. Only the 'labels'
|
||
and 'annotations' fields may be set. If labels or
|
||
annotations overlap with in-built values, the values
|
||
here will override the in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be added
|
||
to the created ACME HTTP01 solver ingress.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added to the
|
||
created ACME HTTP01 solver ingress.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
name:
|
||
description: The name of the ingress resource that should
|
||
have ACME challenge solving routes inserted into it
|
||
in order to solve HTTP01 challenges. This is typically
|
||
used in conjunction with ingress controllers like ingress-gce,
|
||
which maintains a 1:1 mapping between external IPs and
|
||
ingress resources.
|
||
type: string
|
||
podTemplate:
|
||
description: Optional pod template used to configure the
|
||
ACME challenge solver pods used for HTTP01 challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the pod used
|
||
to solve HTTP01 challenges. Only the 'labels' and
|
||
'annotations' fields may be set. If labels or annotations
|
||
overlap with in-built values, the values here will
|
||
override the in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be added
|
||
to the created ACME HTTP01 solver pods.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added to the
|
||
created ACME HTTP01 solver pods.
|
||
type: object
|
||
type: object
|
||
spec:
|
||
description: PodSpec defines overrides for the HTTP01
|
||
challenge solver pod. Only the 'priorityClassName',
|
||
'nodeSelector', 'affinity', 'serviceAccountName'
|
||
and 'tolerations' fields are supported currently.
|
||
All other fields will be ignored.
|
||
properties:
|
||
affinity:
|
||
description: If specified, the pod's scheduling
|
||
constraints
|
||
properties:
|
||
nodeAffinity:
|
||
description: Describes node affinity scheduling
|
||
rules for the pod.
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the affinity expressions specified by
|
||
this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node matches the corresponding
|
||
matchExpressions; the node(s) with the
|
||
highest sum are the most preferred.
|
||
items:
|
||
description: An empty preferred scheduling
|
||
term matches all objects with implicit
|
||
weight 0 (i.e. it's a no-op). A null
|
||
preferred scheduling term matches
|
||
no objects (i.e. is also a no-op).
|
||
properties:
|
||
preference:
|
||
description: A node selector term,
|
||
associated with the corresponding
|
||
weight.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
labels.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
fields.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
weight:
|
||
description: Weight associated with
|
||
matching the corresponding nodeSelectorTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- preference
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to an update),
|
||
the system may or may not try to eventually
|
||
evict the pod from its node.
|
||
properties:
|
||
nodeSelectorTerms:
|
||
description: Required. A list of node
|
||
selector terms. The terms are ORed.
|
||
items:
|
||
description: A null or empty node
|
||
selector term matches no objects.
|
||
The requirements of them are ANDed.
|
||
The TopologySelectorTerm type
|
||
implements a subset of the NodeSelectorTerm.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
labels.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
fields.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: array
|
||
required:
|
||
- nodeSelectorTerms
|
||
type: object
|
||
type: object
|
||
podAffinity:
|
||
description: Describes pod affinity scheduling
|
||
rules (e.g. co-locate this pod in the same
|
||
node, zone, etc. as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the affinity expressions specified by
|
||
this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node has pods which matches the
|
||
corresponding podAffinityTerm; the node(s)
|
||
with the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all of the
|
||
matched WeightedPodAffinityTerm fields
|
||
are added per-node to find the most
|
||
preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod affinity
|
||
term, associated with the corresponding
|
||
weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this
|
||
case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values,
|
||
a key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key is
|
||
the label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn, Exists
|
||
and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of string
|
||
values. If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty. This
|
||
array is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an element
|
||
of matchExpressions, whose
|
||
key field is "key", the
|
||
operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity) or
|
||
not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on a
|
||
node whose value of the label
|
||
with key topologyKey matches
|
||
that of any node on which
|
||
any of the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated with
|
||
matching the corresponding podAffinityTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to a pod label
|
||
update), the system may or may not try
|
||
to eventually evict the pod from its
|
||
node. When there are multiple elements,
|
||
the lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of pods (namely
|
||
those matching the labelSelector relative
|
||
to the given namespace(s)) that this
|
||
pod should be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with, where co-located is defined
|
||
as running on a node whose value of
|
||
the label with key <topologyKey> matches
|
||
that of any node on which a pod of
|
||
the set of pods is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this case
|
||
pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: key is the
|
||
label key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values is
|
||
an array of string values.
|
||
If the operator is In
|
||
or NotIn, the values
|
||
array must be non-empty.
|
||
If the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. This array is
|
||
replaced during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels is
|
||
a map of {key,value} pairs.
|
||
A single {key,value} in the
|
||
matchLabels map is equivalent
|
||
to an element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should be
|
||
co-located (affinity) or not co-located
|
||
(anti-affinity) with the pods
|
||
matching the labelSelector in
|
||
the specified namespaces, where
|
||
co-located is defined as running
|
||
on a node whose value of the label
|
||
with key topologyKey matches that
|
||
of any node on which any of the
|
||
selected pods is running. Empty
|
||
topologyKey is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
podAntiAffinity:
|
||
description: Describes pod anti-affinity scheduling
|
||
rules (e.g. avoid putting this pod in the
|
||
same node, zone, etc. as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the anti-affinity expressions specified
|
||
by this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling anti-affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node has pods which matches the
|
||
corresponding podAffinityTerm; the node(s)
|
||
with the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all of the
|
||
matched WeightedPodAffinityTerm fields
|
||
are added per-node to find the most
|
||
preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod affinity
|
||
term, associated with the corresponding
|
||
weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this
|
||
case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values,
|
||
a key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key is
|
||
the label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn, Exists
|
||
and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of string
|
||
values. If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty. This
|
||
array is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an element
|
||
of matchExpressions, whose
|
||
key field is "key", the
|
||
operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity) or
|
||
not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on a
|
||
node whose value of the label
|
||
with key topologyKey matches
|
||
that of any node on which
|
||
any of the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated with
|
||
matching the corresponding podAffinityTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the anti-affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the anti-affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to a pod label
|
||
update), the system may or may not try
|
||
to eventually evict the pod from its
|
||
node. When there are multiple elements,
|
||
the lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of pods (namely
|
||
those matching the labelSelector relative
|
||
to the given namespace(s)) that this
|
||
pod should be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with, where co-located is defined
|
||
as running on a node whose value of
|
||
the label with key <topologyKey> matches
|
||
that of any node on which a pod of
|
||
the set of pods is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this case
|
||
pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: key is the
|
||
label key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values is
|
||
an array of string values.
|
||
If the operator is In
|
||
or NotIn, the values
|
||
array must be non-empty.
|
||
If the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. This array is
|
||
replaced during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels is
|
||
a map of {key,value} pairs.
|
||
A single {key,value} in the
|
||
matchLabels map is equivalent
|
||
to an element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should be
|
||
co-located (affinity) or not co-located
|
||
(anti-affinity) with the pods
|
||
matching the labelSelector in
|
||
the specified namespaces, where
|
||
co-located is defined as running
|
||
on a node whose value of the label
|
||
with key topologyKey matches that
|
||
of any node on which any of the
|
||
selected pods is running. Empty
|
||
topologyKey is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
nodeSelector:
|
||
additionalProperties:
|
||
type: string
|
||
description: 'NodeSelector is a selector which
|
||
must be true for the pod to fit on a node. Selector
|
||
which must match a node''s labels for the pod
|
||
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
||
type: object
|
||
priorityClassName:
|
||
description: If specified, the pod's priorityClassName.
|
||
type: string
|
||
serviceAccountName:
|
||
description: If specified, the pod's service account. The solver pod only needs to serve the HTTP01 challenge response, so prefer a dedicated service account with no RBAC bindings rather than reusing a privileged one, since the account's token is normally mounted into the pod.
|
||
type: string
|
||
tolerations:
|
||
description: If specified, the pod's tolerations.
|
||
items:
|
||
description: The pod this Toleration is attached
|
||
to tolerates any taint that matches the triple
|
||
<key,value,effect> using the matching operator
|
||
<operator>.
|
||
properties:
|
||
effect:
|
||
description: Effect indicates the taint
|
||
effect to match. Empty means match all
|
||
taint effects. When specified, allowed
|
||
values are NoSchedule, PreferNoSchedule
|
||
and NoExecute.
|
||
type: string
|
||
key:
|
||
description: Key is the taint key that the
|
||
toleration applies to. Empty means match
|
||
all taint keys. If the key is empty, operator
|
||
must be Exists; this combination means
|
||
to match all values and all keys.
|
||
type: string
|
||
operator:
|
||
description: Operator represents a key's
|
||
relationship to the value. Valid operators
|
||
are Exists and Equal. Defaults to Equal.
|
||
Exists is equivalent to wildcard for value,
|
||
so that a pod can tolerate all taints
|
||
of a particular category.
|
||
type: string
|
||
tolerationSeconds:
|
||
description: TolerationSeconds represents
|
||
the period of time the toleration (which
|
||
must be of effect NoExecute, otherwise
|
||
this field is ignored) tolerates the taint.
|
||
By default, it is not set, which means
|
||
tolerate the taint forever (do not evict).
|
||
Zero and negative values will be treated
|
||
as 0 (evict immediately) by the system.
|
||
format: int64
|
||
type: integer
|
||
value:
|
||
description: Value is the taint value the
|
||
toleration matches to. If the operator
|
||
is Exists, the value should be empty,
|
||
otherwise just a regular string.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
serviceType:
|
||
description: Optional Kubernetes Service type (the Service `spec.type`, e.g. ClusterIP
or NodePort) for the Service that fronts the HTTP01 challenge solver pods.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
selector:
|
||
description: Selector selects a set of DNSNames on the Certificate
|
||
resource that should be solved using this challenge solver.
|
||
If not specified, the solver will be treated as the 'default'
|
||
solver with the lowest priority, i.e. if any other solver has
|
||
a more specific match, it will be used instead.
|
||
properties:
|
||
dnsNames:
|
||
description: List of DNSNames that this solver will be used
|
||
to solve. If specified and a match is found, a dnsNames
|
||
selector will take precedence over a dnsZones selector.
|
||
If multiple solvers match with the same dnsNames value,
|
||
the solver with the most matching labels in matchLabels
|
||
will be selected. If neither has more matches, the solver
|
||
defined earlier in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
dnsZones:
|
||
description: List of DNSZones that this solver will be used
|
||
to solve. The most specific DNS zone match specified here
|
||
will take precedence over other DNS zone matches, so a solver
|
||
specifying sys.example.com will be selected over one specifying
|
||
example.com for the domain www.sys.example.com. If multiple
|
||
solvers match with the same dnsZones value, the solver with
|
||
the most matching labels in matchLabels will be selected.
|
||
If neither has more matches, the solver defined earlier
|
||
in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: A label selector that is used to refine the set
|
||
of certificate's that this challenge solver will apply to.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
token:
|
||
description: Token is the ACME challenge token for this challenge.
|
||
This is the raw value returned from the ACME server.
|
||
type: string
|
||
type:
|
||
description: Type is the type of ACME challenge this resource represents.
|
||
One of "http-01" or "dns-01".
|
||
enum:
|
||
- http-01
|
||
- dns-01
|
||
type: string
|
||
url:
|
||
description: URL is the URL of the ACME Challenge resource for this
|
||
challenge. This can be used to lookup details about the status of
|
||
this challenge.
|
||
type: string
|
||
wildcard:
|
||
description: Wildcard will be true if this challenge is for a wildcard
|
||
identifier, for example '*.example.com'.
|
||
type: boolean
|
||
required:
|
||
- authzURL
|
||
- dnsName
|
||
- issuerRef
|
||
- key
|
||
- solver
|
||
- token
|
||
- type
|
||
- url
|
||
type: object
|
||
status:
|
||
properties:
|
||
presented:
|
||
description: Presented will be set to true if the challenge values
|
||
for this challenge are currently 'presented'. This *does not* imply
|
||
the self check is passing. Only that the values have been 'submitted'
|
||
for the appropriate challenge mechanism (i.e. the DNS01 TXT record
|
||
has been presented, or the HTTP01 configuration has been configured).
|
||
type: boolean
|
||
processing:
|
||
description: Processing is used to denote whether this challenge should
|
||
be processed or not. This field will only be set to true by the
|
||
'scheduling' component. It will only be set to false by the 'challenges'
|
||
controller, after the challenge has reached a final state or timed
|
||
out. If this field is set to false, the challenge controller will
|
||
not take any more action.
|
||
type: boolean
|
||
reason:
|
||
description: Reason contains human readable information on why the
|
||
Challenge is in the current state.
|
||
type: string
|
||
state:
|
||
description: State contains the current 'state' of the challenge.
|
||
If not set, the state of the challenge is unknown.
|
||
enum:
|
||
- valid
|
||
- ready
|
||
- pending
|
||
- processing
|
||
- invalid
|
||
- expired
|
||
- errored
|
||
type: string
|
||
type: object
|
||
required:
|
||
- metadata
|
||
type: object
|
||
served: true
|
||
storage: false
|
||
subresources:
|
||
status: {}
|
||
- additionalPrinterColumns:
|
||
- jsonPath: .status.state
|
||
name: State
|
||
type: string
|
||
- jsonPath: .spec.dnsName
|
||
name: Domain
|
||
type: string
|
||
- jsonPath: .status.reason
|
||
name: Reason
|
||
priority: 1
|
||
type: string
|
||
- description: CreationTimestamp is a timestamp representing the server time when
|
||
this object was created. It is not guaranteed to be set in happens-before
|
||
order across separate operations. Clients may not set this value. It is represented
|
||
in RFC3339 form and is in UTC.
|
||
jsonPath: .metadata.creationTimestamp
|
||
name: Age
|
||
type: date
|
||
name: v1beta1
|
||
schema:
|
||
openAPIV3Schema:
|
||
description: Challenge is a type to represent a Challenge request with an
|
||
ACME server
|
||
properties:
|
||
apiVersion:
|
||
description: 'APIVersion defines the versioned schema of this representation
|
||
of an object. Servers should convert recognized schemas to the latest
|
||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
type: string
|
||
kind:
|
||
description: 'Kind is a string value representing the REST resource this
|
||
object represents. Servers may infer this from the endpoint the client
|
||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
properties:
|
||
authorizationURL:
|
||
description: The URL to the ACME Authorization resource that this
|
||
challenge is a part of.
|
||
type: string
|
||
dnsName:
|
||
description: dnsName is the identifier that this challenge is for,
|
||
e.g. example.com. If the requested DNSName is a 'wildcard', this
|
||
field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
|
||
it must be `example.com`.
|
||
type: string
|
||
issuerRef:
|
||
description: References a properly configured ACME-type Issuer which
|
||
should be used to create this Challenge. If the Issuer does not
|
||
exist, processing will be retried. If the Issuer is not an 'ACME'
|
||
Issuer, an error will be returned and the Challenge will be marked
|
||
as failed.
|
||
properties:
|
||
group:
|
||
description: Group of the resource being referred to.
|
||
type: string
|
||
kind:
|
||
description: Kind of the resource being referred to.
|
||
type: string
|
||
name:
|
||
description: Name of the resource being referred to.
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
key:
|
||
description: 'The ACME challenge key for this challenge. For HTTP01
|
||
challenges, this is the value that must be responded with to complete
|
||
the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
|
||
from acme server for challenge>`. For DNS01 challenges, this is
|
||
the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
|
||
from acme server for challenge>` text that must be set as the TXT
|
||
record content.'
|
||
type: string
|
||
solver:
|
||
description: Contains the domain solving configuration that should
|
||
be used to solve this challenge resource.
|
||
properties:
|
||
dns01:
|
||
description: Configures cert-manager to attempt to complete authorizations
|
||
by performing the DNS01 challenge flow.
|
||
properties:
|
||
acmeDNS:
|
||
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
|
||
API to manage DNS01 challenge records.
|
||
properties:
|
||
accountSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
host:
|
||
type: string
|
||
required:
|
||
- accountSecretRef
|
||
- host
|
||
type: object
|
||
akamai:
|
||
description: Use the Akamai DNS zone management API to manage
|
||
DNS01 challenge records.
|
||
properties:
|
||
accessTokenSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientSecretSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
clientTokenSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
serviceConsumerDomain:
|
||
type: string
|
||
required:
|
||
- accessTokenSecretRef
|
||
- clientSecretSecretRef
|
||
- clientTokenSecretRef
|
||
- serviceConsumerDomain
|
||
type: object
|
||
azureDNS:
|
||
description: Use the Microsoft Azure DNS API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
clientID:
|
||
description: if both this and ClientSecret are left unset,
|
||
MSI will be used
|
||
type: string
|
||
clientSecretSecretRef:
|
||
description: if both this and ClientID are left unset,
|
||
MSI will be used
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
environment:
|
||
enum:
|
||
- AzurePublicCloud
|
||
- AzureChinaCloud
|
||
- AzureGermanCloud
|
||
- AzureUSGovernmentCloud
|
||
type: string
|
||
hostedZoneName:
|
||
type: string
|
||
resourceGroupName:
|
||
type: string
|
||
subscriptionID:
|
||
type: string
|
||
tenantID:
|
||
description: when specifying ClientID and ClientSecret
|
||
then this field is also needed
|
||
type: string
|
||
required:
|
||
- resourceGroupName
|
||
- subscriptionID
|
||
type: object
|
||
cloudDNS:
|
||
description: Use the Google Cloud DNS API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
hostedZoneName:
|
||
description: HostedZoneName is an optional field that
|
||
tells cert-manager in which Cloud DNS zone the challenge
|
||
record has to be created. If left empty cert-manager
|
||
will automatically choose a zone.
|
||
type: string
|
||
project:
|
||
type: string
|
||
serviceAccountSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- project
|
||
type: object
|
||
cloudflare:
|
||
description: Use the Cloudflare API to manage DNS01 challenge
|
||
records.
|
||
properties:
|
||
apiKeySecretRef:
|
||
description: 'API key to use to authenticate with Cloudflare.
|
||
Note: using an API token to authenticate is now the
|
||
recommended method as it allows greater control of permissions.'
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
apiTokenSecretRef:
|
||
description: API token used to authenticate with Cloudflare.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
email:
|
||
description: Email of the account, only required when
|
||
using API key based authentication.
|
||
type: string
|
||
type: object
|
||
cnameStrategy:
|
||
description: CNAMEStrategy configures how the DNS01 provider
|
||
should handle CNAME records when found in DNS zones.
|
||
enum:
|
||
- None
|
||
- Follow
|
||
type: string
|
||
digitalocean:
|
||
description: Use the DigitalOcean DNS API to manage DNS01
|
||
challenge records.
|
||
properties:
|
||
tokenSecretRef:
|
||
description: A reference to a specific 'key' within a
|
||
Secret resource. In some instances, `key` is a required
|
||
field.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- tokenSecretRef
|
||
type: object
|
||
rfc2136:
|
||
description: Use RFC2136 ("Dynamic Updates in the Domain Name
|
||
System") (https://datatracker.ietf.org/doc/rfc2136/) to
|
||
manage DNS01 challenge records.
|
||
properties:
|
||
nameserver:
|
||
description: The IP address or hostname of an authoritative
|
||
DNS server supporting RFC2136 in the form host:port.
|
||
If the host is an IPv6 address it must be enclosed in
|
||
square brackets (e.g. [2001:db8::1]); port is optional.
|
||
This field is required.
|
||
type: string
|
||
tsigAlgorithm:
|
||
description: 'The TSIG Algorithm configured in the DNS
|
||
supporting RFC2136. Used only when ``tsigSecretSecretRef``
|
||
and ``tsigKeyName`` are defined. Supported values are
|
||
(case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
|
||
``HMACSHA256`` or ``HMACSHA512``.'
|
||
type: string
|
||
tsigKeyName:
|
||
description: The TSIG Key name configured in the DNS.
|
||
If ``tsigSecretSecretRef`` is defined, this field is
|
||
required.
|
||
type: string
|
||
tsigSecretSecretRef:
|
||
description: The name of the secret containing the TSIG
|
||
value. If ``tsigKeyName`` is defined, this field is
|
||
required.
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- nameserver
|
||
type: object
|
||
route53:
|
||
description: Use the AWS Route53 API to manage DNS01 challenge
|
||
records.
|
||
properties:
|
||
accessKeyID:
|
||
description: 'The AccessKeyID is used for authentication.
|
||
If not set we fall-back to using env vars, shared credentials
|
||
file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
|
||
type: string
|
||
hostedZoneID:
|
||
description: If set, the provider will manage only this
|
||
zone in Route53 and will not do a lookup using the
|
||
route53:ListHostedZonesByName api call.
|
||
type: string
|
||
region:
|
||
description: Always set the region when using AccessKeyID
|
||
and SecretAccessKey
|
||
type: string
|
||
role:
|
||
description: Role is a Role ARN which the Route53 provider
|
||
will assume using either the explicit credentials AccessKeyID/SecretAccessKey
|
||
or the inferred credentials from environment variables,
|
||
shared credentials file or AWS Instance metadata
|
||
type: string
|
||
secretAccessKeySecretRef:
|
||
description: The SecretAccessKey is used for authentication.
|
||
If not set we fall-back to using env vars, shared credentials
|
||
file or AWS Instance metadata; see https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
||
properties:
|
||
key:
|
||
description: The key of the entry in the Secret resource's
|
||
`data` field to be used. Some instances of this
|
||
field may be defaulted, in others it may be required.
|
||
type: string
|
||
name:
|
||
description: 'Name of the resource being referred
|
||
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||
type: string
|
||
required:
|
||
- name
|
||
type: object
|
||
required:
|
||
- region
|
||
type: object
|
||
webhook:
|
||
description: Configure an external webhook based DNS01 challenge
|
||
solver to manage DNS01 challenge records.
|
||
properties:
|
||
config:
|
||
description: Additional configuration that should be passed
|
||
to the webhook apiserver when challenges are processed.
|
||
This can contain arbitrary JSON data. Secret values
|
||
should not be specified in this stanza. If secret values
|
||
are needed (e.g. credentials for a DNS service), you
|
||
should use a SecretKeySelector to reference a Secret
|
||
resource. For details on the schema of this field, consult
|
||
the webhook provider implementation's documentation.
|
||
x-kubernetes-preserve-unknown-fields: true
|
||
groupName:
|
||
description: The API group name that should be used when
|
||
POSTing ChallengePayload resources to the webhook apiserver.
|
||
This should be the same as the GroupName specified in
|
||
the webhook provider implementation.
|
||
type: string
|
||
solverName:
|
||
description: The name of the solver to use, as defined
|
||
in the webhook provider implementation. This will typically
|
||
be the name of the provider, e.g. 'cloudflare'.
|
||
type: string
|
||
required:
|
||
- groupName
|
||
- solverName
|
||
type: object
|
||
type: object
|
||
http01:
|
||
description: Configures cert-manager to attempt to complete authorizations
|
||
by performing the HTTP01 challenge flow. It is not possible
|
||
to obtain certificates for wildcard domain names (e.g. `*.example.com`)
|
||
using the HTTP01 challenge mechanism.
|
||
properties:
|
||
ingress:
|
||
description: The ingress based HTTP01 challenge solver will
|
||
solve challenges by creating or modifying Ingress resources
|
||
in order to route requests for '/.well-known/acme-challenge/XYZ'
|
||
to 'challenge solver' pods that are provisioned by cert-manager
|
||
for each Challenge to be completed.
|
||
properties:
|
||
class:
|
||
description: The ingress class to use when creating Ingress
|
||
resources to solve ACME challenges that use this challenge
|
||
solver. Only one of 'class' or 'name' may be specified.
|
||
type: string
|
||
ingressTemplate:
|
||
description: Optional ingress template used to configure
|
||
the ACME challenge solver ingress used for HTTP01 challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the ingress
|
||
used to solve HTTP01 challenges. Only the 'labels'
|
||
and 'annotations' fields may be set. If labels or
|
||
annotations overlap with in-built values, the values
|
||
here will override the in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be added
|
||
to the created ACME HTTP01 solver ingress.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added to the
|
||
created ACME HTTP01 solver ingress.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
name:
|
||
description: The name of the ingress resource that should
|
||
have ACME challenge solving routes inserted into it
|
||
in order to solve HTTP01 challenges. This is typically
|
||
used in conjunction with ingress controllers like ingress-gce,
|
||
which maintains a 1:1 mapping between external IPs and
|
||
ingress resources.
|
||
type: string
|
||
podTemplate:
|
||
description: Optional pod template used to configure the
|
||
ACME challenge solver pods used for HTTP01 challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the pod used
|
||
to solve HTTP01 challenges. Only the 'labels' and
|
||
'annotations' fields may be set. If labels or annotations
|
||
overlap with in-built values, the values here will
|
||
override the in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be added
|
||
to the created ACME HTTP01 solver pods.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added to the
|
||
created ACME HTTP01 solver pods.
|
||
type: object
|
||
type: object
|
||
spec:
|
||
description: PodSpec defines overrides for the HTTP01
|
||
challenge solver pod. Only the 'priorityClassName',
|
||
'nodeSelector', 'affinity', 'serviceAccountName'
|
||
and 'tolerations' fields are supported currently.
|
||
All other fields will be ignored.
|
||
properties:
|
||
affinity:
|
||
description: If specified, the pod's scheduling
|
||
constraints
|
||
properties:
|
||
nodeAffinity:
|
||
description: Describes node affinity scheduling
|
||
rules for the pod.
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the affinity expressions specified by
|
||
this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node matches the corresponding
|
||
matchExpressions; the node(s) with the
|
||
highest sum are the most preferred.
|
||
items:
|
||
description: An empty preferred scheduling
|
||
term matches all objects with implicit
|
||
weight 0 (i.e. it's a no-op). A null
|
||
preferred scheduling term matches
|
||
no objects (i.e. is also a no-op).
|
||
properties:
|
||
preference:
|
||
description: A node selector term,
|
||
associated with the corresponding
|
||
weight.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
labels.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
fields.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
weight:
|
||
description: Weight associated with
|
||
matching the corresponding nodeSelectorTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- preference
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to an update),
|
||
the system may or may not try to eventually
|
||
evict the pod from its node.
|
||
properties:
|
||
nodeSelectorTerms:
|
||
description: Required. A list of node
|
||
selector terms. The terms are ORed.
|
||
items:
|
||
description: A null or empty node
|
||
selector term matches no objects.
|
||
The requirements of them are ANDed.
|
||
The TopologySelectorTerm type
|
||
implements a subset of the NodeSelectorTerm.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
labels.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
fields.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: array
|
||
required:
|
||
- nodeSelectorTerms
|
||
type: object
|
||
type: object
|
||
podAffinity:
|
||
description: Describes pod affinity scheduling
|
||
rules (e.g. co-locate this pod in the same
|
||
node, zone, etc. as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the affinity expressions specified by
|
||
this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node has pods which match the
|
||
corresponding podAffinityTerm; the node(s)
|
||
with the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all of the
|
||
matched WeightedPodAffinityTerm fields
|
||
are added per-node to find the most
|
||
preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod affinity
|
||
term, associated with the corresponding
|
||
weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this
|
||
case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values,
|
||
a key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key is
|
||
the label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn, Exists
|
||
and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of string
|
||
values. If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty. This
|
||
array is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an element
|
||
of matchExpressions, whose
|
||
key field is "key", the
|
||
operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity) or
|
||
not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on a
|
||
node whose value of the label
|
||
with key topologyKey matches
|
||
that of any node on which
|
||
any of the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated with
|
||
matching the corresponding podAffinityTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to a pod label
|
||
update), the system may or may not try
|
||
to eventually evict the pod from its
|
||
node. When there are multiple elements,
|
||
the lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of pods (namely
|
||
those matching the labelSelector relative
|
||
to the given namespace(s)) that this
|
||
pod should be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with, where co-located is defined
|
||
as running on a node whose value of
|
||
the label with key <topologyKey> matches
|
||
that of any node on which a pod of
|
||
the set of pods is running
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this case
|
||
pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: key is the
|
||
label key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values is
|
||
an array of string values.
|
||
If the operator is In
|
||
or NotIn, the values
|
||
array must be non-empty.
|
||
If the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. This array is
|
||
replaced during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels is
|
||
a map of {key,value} pairs.
|
||
A single {key,value} in the
|
||
matchLabels map is equivalent
|
||
to an element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should be
|
||
co-located (affinity) or not co-located
|
||
(anti-affinity) with the pods
|
||
matching the labelSelector in
|
||
the specified namespaces, where
|
||
co-located is defined as running
|
||
on a node whose value of the label
|
||
with key topologyKey matches that
|
||
of any node on which any of the
|
||
selected pods is running. Empty
|
||
topologyKey is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
podAntiAffinity:
|
||
description: Describes pod anti-affinity scheduling
|
||
rules (e.g. avoid putting this pod in the
|
||
same node, zone, etc. as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the anti-affinity expressions specified
|
||
by this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling anti-affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node has pods which match the
|
||
corresponding podAffinityTerm; the node(s)
|
||
with the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all of the
|
||
matched WeightedPodAffinityTerm fields
|
||
are added per-node to find the most
|
||
preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod affinity
|
||
term, associated with the corresponding
weight.
properties:
labelSelector:
description: A label query over
a set of resources, in this
case pods.
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
items:
description: A label selector
requirement is a selector
that contains values,
a key, and an operator
that relates the key
and values.
properties:
key:
description: key is
the label key that
the selector applies
to.
type: string
operator:
description: operator
represents a key's
relationship to
a set of values.
Valid operators
are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values
is an array of string
values. If the operator
is In or NotIn,
the values array
must be non-empty.
If the operator
is Exists or DoesNotExist,
the values array
must be empty. This
array is replaced
during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels
is a map of {key,value}
pairs. A single {key,value}
in the matchLabels map
is equivalent to an element
of matchExpressions, whose
key field is "key", the
operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
items:
type: string
type: array
topologyKey:
description: This pod should
be co-located (affinity) or
not co-located (anti-affinity)
with the pods matching the
labelSelector in the specified
namespaces, where co-located
is defined as running on a
node whose value of the label
with key topologyKey matches
that of any node on which
any of the selected pods is
running. Empty topologyKey
is not allowed.
type: string
required:
- topologyKey
type: object
weight:
description: weight associated with
matching the corresponding podAffinityTerm,
in the range 1-100.
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements
specified by this field are not met
at scheduling time, the pod will not
be scheduled onto the node. If the anti-affinity
requirements specified by this field
cease to be met at some point during
pod execution (e.g. due to a pod label
update), the system may or may not try
to eventually evict the pod from its
node. When there are multiple elements,
the lists of nodes corresponding to
each podAffinityTerm are intersected,
i.e. all terms must be satisfied.
items:
description: Defines a set of pods (namely
those matching the labelSelector relative
to the given namespace(s)) that this
pod should be co-located (affinity)
or not co-located (anti-affinity)
with, where co-located is defined
as running on a node whose value of
the label with key <topologyKey> matches
that of any node on which a pod of
the set of pods is running
properties:
labelSelector:
description: A label query over
a set of resources, in this case
pods.
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
items:
description: A label selector
requirement is a selector
that contains values, a
key, and an operator that
relates the key and values.
properties:
key:
description: key is the
label key that the selector
applies to.
type: string
operator:
description: operator
represents a key's relationship
to a set of values.
Valid operators are
In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is
an array of string values.
If the operator is In
or NotIn, the values
array must be non-empty.
If the operator is Exists
or DoesNotExist, the
values array must be
empty. This array is
replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is
a map of {key,value} pairs.
A single {key,value} in the
matchLabels map is equivalent
to an element of matchExpressions,
whose key field is "key",
the operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
items:
type: string
type: array
topologyKey:
description: This pod should be
co-located (affinity) or not co-located
(anti-affinity) with the pods
matching the labelSelector in
the specified namespaces, where
co-located is defined as running
on a node whose value of the label
with key topologyKey matches that
of any node on which any of the
selected pods is running. Empty
topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
type: object
type: object
nodeSelector:
additionalProperties:
type: string
description: 'NodeSelector is a selector which
must be true for the pod to fit on a node. Selector
which must match a node''s labels for the pod
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
type: object
priorityClassName:
description: If specified, the pod's priorityClassName.
type: string
serviceAccountName:
description: If specified, the pod's service account name.
type: string
tolerations:
description: If specified, the pod's tolerations.
items:
description: The pod this Toleration is attached
to tolerates any taint that matches the triple
<key,value,effect> using the matching operator
<operator>.
properties:
effect:
description: Effect indicates the taint
effect to match. Empty means match all
taint effects. When specified, allowed
values are NoSchedule, PreferNoSchedule
and NoExecute.
type: string
key:
description: Key is the taint key that the
toleration applies to. Empty means match
all taint keys. If the key is empty, operator
must be Exists; this combination means
to match all values and all keys.
type: string
operator:
description: Operator represents a key's
relationship to the value. Valid operators
are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value,
so that a pod can tolerate all taints
of a particular category.
type: string
tolerationSeconds:
description: TolerationSeconds represents
the period of time the toleration (which
must be of effect NoExecute, otherwise
this field is ignored) tolerates the taint.
By default, it is not set, which means
tolerate the taint forever (do not evict).
Zero and negative values will be treated
as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: Value is the taint value the
toleration matches to. If the operator
is Exists, the value should be empty,
otherwise just a regular string.
type: string
type: object
type: array
type: object
type: object
serviceType:
description: Optional service type for Kubernetes solver
service.
type: string
type: object
type: object
selector:
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
If not specified, the solver will be treated as the 'default'
solver with the lowest priority, i.e. if any other solver has
a more specific match, it will be used instead.
properties:
dnsNames:
description: List of DNSNames that this solver will be used
to solve. If specified and a match is found, a dnsNames
selector will take precedence over a dnsZones selector.
If multiple solvers match with the same dnsNames value,
the solver with the most matching labels in matchLabels
will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
items:
type: string
type: array
dnsZones:
description: List of DNSZones that this solver will be used
to solve. The most specific DNS zone match specified here
will take precedence over other DNS zone matches, so a solver
specifying sys.example.com will be selected over one specifying
example.com for the domain www.sys.example.com. If multiple
solvers match with the same dnsZones value, the solver with
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier
in the list will be selected.
items:
type: string
type: array
matchLabels:
additionalProperties:
type: string
description: A label selector that is used to refine the set
of certificates that this challenge solver will apply to.
type: object
type: object
type: object
token:
description: The ACME challenge token for this challenge. This is
the raw value returned from the ACME server.
type: string
type:
description: The type of ACME challenge this resource represents.
One of "HTTP-01" or "DNS-01".
enum:
- HTTP-01
- DNS-01
type: string
url:
description: The URL of the ACME Challenge resource for this challenge.
This can be used to look up details about the status of this challenge.
type: string
wildcard:
description: wildcard will be true if this challenge is for a wildcard
identifier, for example '*.example.com'.
type: boolean
required:
- authorizationURL
- dnsName
- issuerRef
- key
- solver
- token
- type
- url
type: object
status:
properties:
presented:
description: presented will be set to true if the challenge values
for this challenge are currently 'presented'. This *does not* imply
the self check is passing. Only that the values have been 'submitted'
for the appropriate challenge mechanism (i.e. the DNS01 TXT record
has been presented, or the HTTP01 configuration has been configured).
type: boolean
processing:
description: Used to denote whether this challenge should be processed
or not. This field will only be set to true by the 'scheduling'
component. It will only be set to false by the 'challenges' controller,
after the challenge has reached a final state or timed out. If this
field is set to false, the challenge controller will not take any
more action.
type: boolean
reason:
description: Contains human readable information on why the Challenge
is in the current state.
type: string
state:
description: Contains the current 'state' of the challenge. If not
set, the state of the challenge is unknown.
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored
type: string
type: object
required:
- metadata
- spec
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.dnsName
name: Domain
type: string
- jsonPath: .status.reason
name: Reason
priority: 1
type: string
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: Challenge is a type to represent a Challenge request with an
ACME server.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
authorizationURL:
description: The URL to the ACME Authorization resource that this
challenge is a part of.
type: string
dnsName:
description: dnsName is the identifier that this challenge is for,
e.g. example.com. If the requested DNSName is a 'wildcard', this
field MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
it must be `example.com`.
type: string
issuerRef:
description: References a properly configured ACME-type Issuer which
should be used to create this Challenge. If the Issuer does not
exist, processing will be retried. If the Issuer is not an 'ACME'
Issuer, an error will be returned and the Challenge will be marked
as failed.
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
required:
- name
type: object
key:
description: 'The ACME challenge key for this challenge. For HTTP01
challenges, this is the value that must be responded with to complete
the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
from acme server for challenge>`. For DNS01 challenges, this is
the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
from acme server for challenge>` text that must be set as the TXT
record content.'
type: string
solver:
description: Contains the domain solving configuration that should
be used to solve this challenge resource.
properties:
dns01:
description: Configures cert-manager to attempt to complete authorizations
by performing the DNS01 challenge flow.
properties:
acmeDNS:
description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns)
API to manage DNS01 challenge records.
properties:
accountSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
host:
type: string
required:
- accountSecretRef
- host
type: object
akamai:
description: Use the Akamai DNS zone management API to manage
DNS01 challenge records.
properties:
accessTokenSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
clientSecretSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
clientTokenSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
serviceConsumerDomain:
type: string
required:
- accessTokenSecretRef
- clientSecretSecretRef
- clientTokenSecretRef
- serviceConsumerDomain
type: object
azureDNS:
description: Use the Microsoft Azure DNS API to manage DNS01
challenge records.
properties:
clientID:
description: If both this and ClientSecret are left unset,
MSI will be used.
type: string
clientSecretSecretRef:
description: If both this and ClientID are left unset,
MSI will be used.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
environment:
enum:
- AzurePublicCloud
- AzureChinaCloud
- AzureGermanCloud
- AzureUSGovernmentCloud
type: string
hostedZoneName:
type: string
resourceGroupName:
type: string
subscriptionID:
type: string
tenantID:
description: When ClientID and ClientSecret are specified,
this field is also required.
type: string
required:
- resourceGroupName
- subscriptionID
type: object
cloudDNS:
description: Use the Google Cloud DNS API to manage DNS01
challenge records.
properties:
hostedZoneName:
description: HostedZoneName is an optional field that
tells cert-manager in which Cloud DNS zone the challenge
record has to be created. If left empty cert-manager
will automatically choose a zone.
type: string
project:
type: string
serviceAccountSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
required:
- project
type: object
cloudflare:
description: Use the Cloudflare API to manage DNS01 challenge
records.
properties:
apiKeySecretRef:
description: 'API key to use to authenticate with Cloudflare.
Note: using an API token to authenticate is now the
recommended method as it allows greater control of permissions.'
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
apiTokenSecretRef:
description: API token used to authenticate with Cloudflare.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
email:
description: Email of the account, only required when
using API key based authentication.
type: string
type: object
cnameStrategy:
description: CNAMEStrategy configures how the DNS01 provider
should handle CNAME records when found in DNS zones.
enum:
- None
- Follow
type: string
digitalocean:
description: Use the DigitalOcean DNS API to manage DNS01
challenge records.
properties:
tokenSecretRef:
description: A reference to a specific 'key' within a
Secret resource. In some instances, `key` is a required
field.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
required:
- tokenSecretRef
type: object
rfc2136:
description: Use RFC2136 ("Dynamic Updates in the Domain Name
System") (https://datatracker.ietf.org/doc/rfc2136/) to
manage DNS01 challenge records.
properties:
nameserver:
description: The IP address or hostname of an authoritative
DNS server supporting RFC2136 in the form host:port.
If the host is an IPv6 address it must be enclosed in
square brackets (e.g. [2001:db8::1]); port is optional.
This field is required.
type: string
tsigAlgorithm:
description: 'The TSIG Algorithm configured in the DNS
supporting RFC2136. Used only when ``tsigSecretSecretRef``
and ``tsigKeyName`` are defined. Supported values are
(case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
``HMACSHA256`` or ``HMACSHA512``.'
type: string
tsigKeyName:
description: The TSIG Key name configured in the DNS.
If ``tsigSecretSecretRef`` is defined, this field is
required.
type: string
tsigSecretSecretRef:
description: The name of the secret containing the TSIG
value. If ``tsigKeyName`` is defined, this field is
required.
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
required:
- nameserver
type: object
route53:
description: Use the AWS Route53 API to manage DNS01 challenge
records.
properties:
accessKeyID:
description: 'The AccessKeyID is used for authentication.
If not set, we fall back to using env vars, shared credentials
file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
type: string
hostedZoneID:
description: If set, the provider will manage only this
zone in Route53 and will not do a lookup using the
route53:ListHostedZonesByName api call.
type: string
region:
description: Always set the region when using AccessKeyID
and SecretAccessKey.
type: string
role:
description: Role is a Role ARN which the Route53 provider
will assume using either the explicit credentials AccessKeyID/SecretAccessKey
or the inferred credentials from environment variables,
shared credentials file, or AWS Instance metadata.
type: string
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication.
If not set, we fall back to using env vars, shared credentials
file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
properties:
key:
description: The key of the entry in the Secret resource's
`data` field to be used. Some instances of this
field may be defaulted, in others it may be required.
type: string
name:
description: 'Name of the resource being referred
to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
required:
- name
type: object
required:
- region
type: object
webhook:
description: Configure an external webhook based DNS01 challenge
solver to manage DNS01 challenge records.
properties:
config:
description: Additional configuration that should be passed
to the webhook apiserver when challenges are processed.
This can contain arbitrary JSON data. Secret values
should not be specified in this stanza. If secret values
are needed (e.g. credentials for a DNS service), you
should use a SecretKeySelector to reference a Secret
resource. For details on the schema of this field, consult
the webhook provider implementation's documentation.
x-kubernetes-preserve-unknown-fields: true
groupName:
description: The API group name that should be used when
POSTing ChallengePayload resources to the webhook apiserver.
This should be the same as the GroupName specified in
the webhook provider implementation.
type: string
solverName:
description: The name of the solver to use, as defined
in the webhook provider implementation. This will typically
be the name of the provider, e.g. 'cloudflare'.
type: string
required:
- groupName
- solverName
type: object
type: object
http01:
description: Configures cert-manager to attempt to complete authorizations
by performing the HTTP01 challenge flow. It is not possible
to obtain certificates for wildcard domain names (e.g. `*.example.com`)
using the HTTP01 challenge mechanism.
|
||
properties:
|
||
ingress:
|
||
description: The ingress based HTTP01 challenge solver will
|
||
solve challenges by creating or modifying Ingress resources
|
||
in order to route requests for '/.well-known/acme-challenge/XYZ'
|
||
to 'challenge solver' pods that are provisioned by cert-manager
|
||
for each Challenge to be completed.
|
||
properties:
|
||
class:
|
||
description: The ingress class to use when creating Ingress
|
||
resources to solve ACME challenges that use this challenge
|
||
solver. Only one of 'class' or 'name' may be specified.
|
||
type: string
|
||
ingressTemplate:
|
||
description: Optional ingress template used to configure
|
||
the ACME challenge solver ingress used for HTTP01 challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the ingress
|
||
used to solve HTTP01 challenges. Only the 'labels'
|
||
and 'annotations' fields may be set. If labels or
|
||
annotations overlap with in-built values, the values
|
||
here will override the in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be added
|
||
to the created ACME HTTP01 solver ingress.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added to the
|
||
created ACME HTTP01 solver ingress.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
name:
|
||
description: The name of the ingress resource that should
|
||
have ACME challenge solving routes inserted into it
|
||
in order to solve HTTP01 challenges. This is typically
|
||
used in conjunction with ingress controllers like ingress-gce,
|
||
which maintains a 1:1 mapping between external IPs and
|
||
ingress resources.
|
||
type: string
|
||
podTemplate:
|
||
description: Optional pod template used to configure the
|
||
ACME challenge solver pods used for HTTP01 challenges
|
||
properties:
|
||
metadata:
|
||
description: ObjectMeta overrides for the pod used
|
||
to solve HTTP01 challenges. Only the 'labels' and
|
||
'annotations' fields may be set. If labels or annotations
|
||
overlap with in-built values, the values here will
|
||
override the in-built values.
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations that should be added
|
||
to the created ACME HTTP01 solver pods.
|
||
type: object
|
||
labels:
|
||
additionalProperties:
|
||
type: string
|
||
description: Labels that should be added to the
|
||
created ACME HTTP01 solver pods.
|
||
type: object
|
||
type: object
|
||
spec:
|
||
description: PodSpec defines overrides for the HTTP01
|
||
challenge solver pod. Only the 'priorityClassName',
|
||
'nodeSelector', 'affinity', 'serviceAccountName'
|
||
and 'tolerations' fields are supported currently.
|
||
All other fields will be ignored.
|
||
properties:
|
||
affinity:
|
||
description: If specified, the pod's scheduling
|
||
constraints
|
||
properties:
|
||
nodeAffinity:
|
||
description: Describes node affinity scheduling
|
||
rules for the pod.
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the affinity expressions specified by
|
||
this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node matches the corresponding
|
||
matchExpressions; the node(s) with the
|
||
highest sum are the most preferred.
|
||
items:
|
||
description: An empty preferred scheduling
|
||
term matches all objects with implicit
|
||
weight 0 (i.e. it's a no-op). A null
|
||
preferred scheduling term matches
|
||
no objects (i.e. is also a no-op).
|
||
properties:
|
||
preference:
|
||
description: A node selector term,
|
||
associated with the corresponding
|
||
weight.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
labels.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
fields.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
weight:
|
||
description: Weight associated with
|
||
matching the corresponding nodeSelectorTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- preference
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to an update),
|
||
the system may or may not try to eventually
|
||
evict the pod from its node.
|
||
properties:
|
||
nodeSelectorTerms:
|
||
description: Required. A list of node
|
||
selector terms. The terms are ORed.
|
||
items:
|
||
description: A null or empty node
|
||
selector term matches no objects.
|
||
The requirements of them are ANDed.
|
||
The TopologySelectorTerm type
|
||
implements a subset of the NodeSelectorTerm.
|
||
properties:
|
||
matchExpressions:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
labels.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchFields:
|
||
description: A list of node
|
||
selector requirements by node's
|
||
fields.
|
||
items:
|
||
description: A node selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: The label
|
||
key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: Represents
|
||
a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists, DoesNotExist,
|
||
Gt, and Lt.
|
||
type: string
|
||
values:
|
||
description: An array
|
||
of string values. If
|
||
the operator is In or
|
||
NotIn, the values array
|
||
must be non-empty. If
|
||
the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. If the operator
|
||
is Gt or Lt, the values
|
||
array must have a single
|
||
element, which will
|
||
be interpreted as an
|
||
integer. This array
|
||
is replaced during a
|
||
strategic merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: array
|
||
required:
|
||
- nodeSelectorTerms
|
||
type: object
|
||
type: object
|
||
podAffinity:
|
||
description: Describes pod affinity scheduling
|
||
rules (e.g. co-locate this pod in the same
|
||
node, zone, etc. as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the affinity expressions specified by
|
||
this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node has pods which match the
|
||
corresponding podAffinityTerm; the node(s)
|
||
with the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all of the
|
||
matched WeightedPodAffinityTerm fields
|
||
are added per-node to find the most
|
||
preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod affinity
|
||
term, associated with the corresponding
|
||
weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this
|
||
case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values,
|
||
a key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key is
|
||
the label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn, Exists
|
||
and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of string
|
||
values. If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty. This
|
||
array is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an element
|
||
of matchExpressions, whose
|
||
key field is "key", the
|
||
operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity) or
|
||
not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on a
|
||
node whose value of the label
|
||
with key topologyKey matches
|
||
that of any node on which
|
||
any of the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated with
|
||
matching the corresponding podAffinityTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to a pod label
|
||
update), the system may or may not try
|
||
to eventually evict the pod from its
|
||
node. When there are multiple elements,
|
||
the lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of pods (namely
|
||
those matching the labelSelector relative
|
||
to the given namespace(s)) that this
|
||
pod should be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with, where co-located is defined
|
||
as running on a node whose value of
|
||
the label with key <topologyKey> matches
|
||
that of any node on which a pod of
|
||
the set of pods is running.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this case
|
||
pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: key is the
|
||
label key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values is
|
||
an array of string values.
|
||
If the operator is In
|
||
or NotIn, the values
|
||
array must be non-empty.
|
||
If the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. This array is
|
||
replaced during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels is
|
||
a map of {key,value} pairs.
|
||
A single {key,value} in the
|
||
matchLabels map is equivalent
|
||
to an element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should be
|
||
co-located (affinity) or not co-located
|
||
(anti-affinity) with the pods
|
||
matching the labelSelector in
|
||
the specified namespaces, where
|
||
co-located is defined as running
|
||
on a node whose value of the label
|
||
with key topologyKey matches that
|
||
of any node on which any of the
|
||
selected pods is running. Empty
|
||
topologyKey is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
podAntiAffinity:
|
||
description: Describes pod anti-affinity scheduling
|
||
rules (e.g. avoid putting this pod in the
|
||
same node, zone, etc. as some other pod(s)).
|
||
properties:
|
||
preferredDuringSchedulingIgnoredDuringExecution:
|
||
description: The scheduler will prefer
|
||
to schedule pods to nodes that satisfy
|
||
the anti-affinity expressions specified
|
||
by this field, but it may choose a node
|
||
that violates one or more of the expressions.
|
||
The node that is most preferred is the
|
||
one with the greatest sum of weights,
|
||
i.e. for each node that meets all of
|
||
the scheduling requirements (resource
|
||
request, requiredDuringScheduling anti-affinity
|
||
expressions, etc.), compute a sum by
|
||
iterating through the elements of this
|
||
field and adding "weight" to the sum
|
||
if the node has pods which match the
|
||
corresponding podAffinityTerm; the node(s)
|
||
with the highest sum are the most preferred.
|
||
items:
|
||
description: The weights of all of the
|
||
matched WeightedPodAffinityTerm fields
|
||
are added per-node to find the most
|
||
preferred node(s)
|
||
properties:
|
||
podAffinityTerm:
|
||
description: Required. A pod affinity
|
||
term, associated with the corresponding
|
||
weight.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this
|
||
case pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values,
|
||
a key, and an operator
|
||
that relates the key
|
||
and values.
|
||
properties:
|
||
key:
|
||
description: key is
|
||
the label key that
|
||
the selector applies
|
||
to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's
|
||
relationship to
|
||
a set of values.
|
||
Valid operators
|
||
are In, NotIn, Exists
|
||
and DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values
|
||
is an array of string
|
||
values. If the operator
|
||
is In or NotIn,
|
||
the values array
|
||
must be non-empty.
|
||
If the operator
|
||
is Exists or DoesNotExist,
|
||
the values array
|
||
must be empty. This
|
||
array is replaced
|
||
during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels
|
||
is a map of {key,value}
|
||
pairs. A single {key,value}
|
||
in the matchLabels map
|
||
is equivalent to an element
|
||
of matchExpressions, whose
|
||
key field is "key", the
|
||
operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should
|
||
be co-located (affinity) or
|
||
not co-located (anti-affinity)
|
||
with the pods matching the
|
||
labelSelector in the specified
|
||
namespaces, where co-located
|
||
is defined as running on a
|
||
node whose value of the label
|
||
with key topologyKey matches
|
||
that of any node on which
|
||
any of the selected pods is
|
||
running. Empty topologyKey
|
||
is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
weight:
|
||
description: weight associated with
|
||
matching the corresponding podAffinityTerm,
|
||
in the range 1-100.
|
||
format: int32
|
||
type: integer
|
||
required:
|
||
- podAffinityTerm
|
||
- weight
|
||
type: object
|
||
type: array
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
description: If the anti-affinity requirements
|
||
specified by this field are not met
|
||
at scheduling time, the pod will not
|
||
be scheduled onto the node. If the anti-affinity
|
||
requirements specified by this field
|
||
cease to be met at some point during
|
||
pod execution (e.g. due to a pod label
|
||
update), the system may or may not try
|
||
to eventually evict the pod from its
|
||
node. When there are multiple elements,
|
||
the lists of nodes corresponding to
|
||
each podAffinityTerm are intersected,
|
||
i.e. all terms must be satisfied.
|
||
items:
|
||
description: Defines a set of pods (namely
|
||
those matching the labelSelector relative
|
||
to the given namespace(s)) that this
|
||
pod should be co-located (affinity)
|
||
or not co-located (anti-affinity)
|
||
with, where co-located is defined
|
||
as running on a node whose value of
|
||
the label with key <topologyKey> matches
|
||
that of any node on which a pod of
|
||
the set of pods is running.
|
||
properties:
|
||
labelSelector:
|
||
description: A label query over
|
||
a set of resources, in this case
|
||
pods.
|
||
properties:
|
||
matchExpressions:
|
||
description: matchExpressions
|
||
is a list of label selector
|
||
requirements. The requirements
|
||
are ANDed.
|
||
items:
|
||
description: A label selector
|
||
requirement is a selector
|
||
that contains values, a
|
||
key, and an operator that
|
||
relates the key and values.
|
||
properties:
|
||
key:
|
||
description: key is the
|
||
label key that the selector
|
||
applies to.
|
||
type: string
|
||
operator:
|
||
description: operator
|
||
represents a key's relationship
|
||
to a set of values.
|
||
Valid operators are
|
||
In, NotIn, Exists and
|
||
DoesNotExist.
|
||
type: string
|
||
values:
|
||
description: values is
|
||
an array of string values.
|
||
If the operator is In
|
||
or NotIn, the values
|
||
array must be non-empty.
|
||
If the operator is Exists
|
||
or DoesNotExist, the
|
||
values array must be
|
||
empty. This array is
|
||
replaced during a strategic
|
||
merge patch.
|
||
items:
|
||
type: string
|
||
type: array
|
||
required:
|
||
- key
|
||
- operator
|
||
type: object
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: matchLabels is
|
||
a map of {key,value} pairs.
|
||
A single {key,value} in the
|
||
matchLabels map is equivalent
|
||
to an element of matchExpressions,
|
||
whose key field is "key",
|
||
the operator is "In", and
|
||
the values array contains
|
||
only "value". The requirements
|
||
are ANDed.
|
||
type: object
|
||
type: object
|
||
namespaces:
|
||
description: namespaces specifies
|
||
which namespaces the labelSelector
|
||
applies to (matches against);
|
||
null or empty list means "this
|
||
pod's namespace"
|
||
items:
|
||
type: string
|
||
type: array
|
||
topologyKey:
|
||
description: This pod should be
|
||
co-located (affinity) or not co-located
|
||
(anti-affinity) with the pods
|
||
matching the labelSelector in
|
||
the specified namespaces, where
|
||
co-located is defined as running
|
||
on a node whose value of the label
|
||
with key topologyKey matches that
|
||
of any node on which any of the
|
||
selected pods is running. Empty
|
||
topologyKey is not allowed.
|
||
type: string
|
||
required:
|
||
- topologyKey
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
nodeSelector:
|
||
additionalProperties:
|
||
type: string
|
||
description: 'NodeSelector is a selector which
|
||
must be true for the pod to fit on a node. Selector
|
||
which must match a node''s labels for the pod
|
||
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
||
type: object
|
||
priorityClassName:
|
||
description: If specified, the pod's priorityClassName.
|
||
type: string
|
||
serviceAccountName:
|
||
description: If specified, the pod's service account name.
|
||
type: string
|
||
tolerations:
|
||
description: If specified, the pod's tolerations.
|
||
items:
|
||
description: The pod this Toleration is attached
|
||
to tolerates any taint that matches the triple
|
||
<key,value,effect> using the matching operator
|
||
<operator>.
|
||
properties:
|
||
effect:
|
||
description: Effect indicates the taint
|
||
effect to match. Empty means match all
|
||
taint effects. When specified, allowed
|
||
values are NoSchedule, PreferNoSchedule
|
||
and NoExecute.
|
||
type: string
|
||
key:
|
||
description: Key is the taint key that the
|
||
toleration applies to. Empty means match
|
||
all taint keys. If the key is empty, operator
|
||
must be Exists; this combination means
|
||
to match all values and all keys.
|
||
type: string
|
||
operator:
|
||
description: Operator represents a key's
|
||
relationship to the value. Valid operators
|
||
are Exists and Equal. Defaults to Equal.
|
||
Exists is equivalent to wildcard for value,
|
||
so that a pod can tolerate all taints
|
||
of a particular category.
|
||
type: string
|
||
tolerationSeconds:
|
||
description: TolerationSeconds represents
|
||
the period of time the toleration (which
|
||
must be of effect NoExecute, otherwise
|
||
this field is ignored) tolerates the taint.
|
||
By default, it is not set, which means
|
||
tolerate the taint forever (do not evict).
|
||
Zero and negative values will be treated
|
||
as 0 (evict immediately) by the system.
|
||
format: int64
|
||
type: integer
|
||
value:
|
||
description: Value is the taint value the
|
||
toleration matches to. If the operator
|
||
is Exists, the value should be empty,
|
||
otherwise just a regular string.
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
type: object
|
||
serviceType:
|
||
description: Optional service type for Kubernetes solver
|
||
service
|
||
type: string
|
||
type: object
|
||
type: object
|
||
selector:
|
||
description: Selector selects a set of DNSNames on the Certificate
|
||
resource that should be solved using this challenge solver.
|
||
If not specified, the solver will be treated as the 'default'
|
||
solver with the lowest priority, i.e. if any other solver has
|
||
a more specific match, it will be used instead.
|
||
properties:
|
||
dnsNames:
|
||
description: List of DNSNames that this solver will be used
|
||
to solve. If specified and a match is found, a dnsNames
|
||
selector will take precedence over a dnsZones selector.
|
||
If multiple solvers match with the same dnsNames value,
|
||
the solver with the most matching labels in matchLabels
|
||
will be selected. If neither has more matches, the solver
|
||
defined earlier in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
dnsZones:
|
||
description: List of DNSZones that this solver will be used
|
||
to solve. The most specific DNS zone match specified here
|
||
will take precedence over other DNS zone matches, so a solver
|
||
specifying sys.example.com will be selected over one specifying
|
||
example.com for the domain www.sys.example.com. If multiple
|
||
solvers match with the same dnsZones value, the solver with
|
||
the most matching labels in matchLabels will be selected.
|
||
If neither has more matches, the solver defined earlier
|
||
in the list will be selected.
|
||
items:
|
||
type: string
|
||
type: array
|
||
matchLabels:
|
||
additionalProperties:
|
||
type: string
|
||
description: A label selector that is used to refine the set
|
||
of certificates that this challenge solver will apply to.
|
||
type: object
|
||
type: object
|
||
type: object
|
||
token:
|
||
description: The ACME challenge token for this challenge. This is
|
||
the raw value returned from the ACME server.
|
||
type: string
|
||
type:
|
||
description: The type of ACME challenge this resource represents.
|
||
One of "HTTP-01" or "DNS-01".
|
||
enum:
|
||
- HTTP-01
|
||
- DNS-01
|
||
type: string
|
||
url:
|
||
description: The URL of the ACME Challenge resource for this challenge.
|
||
This can be used to lookup details about the status of this challenge.
|
||
type: string
|
||
wildcard:
|
||
description: wildcard will be true if this challenge is for a wildcard
|
||
identifier, for example '*.example.com'.
|
||
type: boolean
|
||
required:
|
||
- authorizationURL
|
||
- dnsName
|
||
- issuerRef
|
||
- key
|
||
- solver
|
||
- token
|
||
- type
|
||
- url
|
||
type: object
|
||
status:
|
||
properties:
|
||
presented:
|
||
description: presented will be set to true if the challenge values
|
||
for this challenge are currently 'presented'. This *does not* imply
|
||
the self check is passing. Only that the values have been 'submitted'
|
||
for the appropriate challenge mechanism (i.e. the DNS01 TXT record
|
||
has been presented, or the HTTP01 configuration has been applied).
|
||
type: boolean
|
||
processing:
|
||
description: Used to denote whether this challenge should be processed
|
||
or not. This field will only be set to true by the 'scheduling'
|
||
component. It will only be set to false by the 'challenges' controller,
|
||
after the challenge has reached a final state or timed out. If this
|
||
field is set to false, the challenge controller will not take any
|
||
more action.
|
||
type: boolean
|
||
reason:
|
||
description: Contains human readable information on why the Challenge
|
||
is in the current state.
|
||
type: string
|
||
state:
|
||
description: Contains the current 'state' of the challenge. If not
|
||
set, the state of the challenge is unknown.
|
||
enum:
|
||
- valid
|
||
- ready
|
||
- pending
|
||
- processing
|
||
- invalid
|
||
- expired
|
||
- errored
|
||
type: string
|
||
type: object
|
||
required:
|
||
- metadata
|
||
- spec
|
||
type: object
|
||
served: true
|
||
storage: true
|
||
subresources:
|
||
status: {}
|
||
status:
|
||
acceptedNames:
|
||
kind: ""
|
||
plural: ""
|
||
conditions: []
|
||
storedVersions: []
|