9352 lines
605 KiB
YAML
9352 lines
605 KiB
YAML
|
# Copyright 2022 The cert-manager Authors.
|
|||
|
#
|
|||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|||
|
# you may not use this file except in compliance with the License.
|
|||
|
# You may obtain a copy of the License at
|
|||
|
#
|
|||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|||
|
#
|
|||
|
# Unless required by applicable law or agreed to in writing, software
|
|||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|||
|
# See the License for the specific language governing permissions and
|
|||
|
# limitations under the License.
|
|||
|
|
|||
|
apiVersion: v1
|
|||
|
kind: Namespace
|
|||
|
metadata:
|
|||
|
name: cert-manager
|
|||
|
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
#
|
|||
|
# START crd
|
|||
|
apiVersion: apiextensions.k8s.io/v1
|
|||
|
kind: CustomResourceDefinition
|
|||
|
metadata:
|
|||
|
name: certificaterequests.cert-manager.io
|
|||
|
# START annotations
|
|||
|
annotations:
|
|||
|
helm.sh/resource-policy: keep
|
|||
|
# END annotations
|
|||
|
labels:
|
|||
|
app: 'cert-manager'
|
|||
|
app.kubernetes.io/name: 'cert-manager'
|
|||
|
app.kubernetes.io/instance: 'cert-manager'
|
|||
|
# Generated labels
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
group: cert-manager.io
|
|||
|
names:
|
|||
|
kind: CertificateRequest
|
|||
|
listKind: CertificateRequestList
|
|||
|
plural: certificaterequests
|
|||
|
shortNames:
|
|||
|
- cr
|
|||
|
- crs
|
|||
|
singular: certificaterequest
|
|||
|
categories:
|
|||
|
- cert-manager
|
|||
|
scope: Namespaced
|
|||
|
versions:
|
|||
|
- name: v1
|
|||
|
subresources:
|
|||
|
status: {}
|
|||
|
additionalPrinterColumns:
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Approved")].status
|
|||
|
name: Approved
|
|||
|
type: string
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Denied")].status
|
|||
|
name: Denied
|
|||
|
type: string
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|||
|
name: Ready
|
|||
|
type: string
|
|||
|
- jsonPath: .spec.issuerRef.name
|
|||
|
name: Issuer
|
|||
|
type: string
|
|||
|
- jsonPath: .spec.username
|
|||
|
name: Requestor
|
|||
|
type: string
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|||
|
name: Status
|
|||
|
priority: 1
|
|||
|
type: string
|
|||
|
- jsonPath: .metadata.creationTimestamp
|
|||
|
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|||
|
name: Age
|
|||
|
type: date
|
|||
|
schema:
|
|||
|
openAPIV3Schema:
|
|||
|
description: |-
|
|||
|
A CertificateRequest is used to request a signed certificate from one of the
|
|||
|
configured issuers.
|
|||
|
|
|||
|
|
|||
|
All fields within the CertificateRequest's `spec` are immutable after creation.
|
|||
|
A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
|
|||
|
condition and its `status.failureTime` field.
|
|||
|
|
|||
|
|
|||
|
A CertificateRequest is a one-shot resource, meaning it represents a single
|
|||
|
point in time request for a certificate and cannot be re-used.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
apiVersion:
|
|||
|
description: |-
|
|||
|
APIVersion defines the versioned schema of this representation of an object.
|
|||
|
Servers should convert recognized schemas to the latest internal value, and
|
|||
|
may reject unrecognized values.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: |-
|
|||
|
Kind is a string value representing the REST resource this object represents.
|
|||
|
Servers may infer this from the endpoint the client submits requests to.
|
|||
|
Cannot be updated.
|
|||
|
In CamelCase.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|||
|
type: string
|
|||
|
metadata:
|
|||
|
type: object
|
|||
|
spec:
|
|||
|
description: |-
|
|||
|
Specification of the desired state of the CertificateRequest resource.
|
|||
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- issuerRef
|
|||
|
- request
|
|||
|
properties:
|
|||
|
duration:
|
|||
|
description: |-
|
|||
|
Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
|
|||
|
issuer may choose to ignore the requested duration, just like any other
|
|||
|
requested attribute.
|
|||
|
type: string
|
|||
|
extra:
|
|||
|
description: |-
|
|||
|
Extra contains extra attributes of the user that created the CertificateRequest.
|
|||
|
Populated by the cert-manager webhook on creation and immutable.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
groups:
|
|||
|
description: |-
|
|||
|
Groups contains group membership of the user that created the CertificateRequest.
|
|||
|
Populated by the cert-manager webhook on creation and immutable.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
isCA:
|
|||
|
description: |-
|
|||
|
Requested basic constraints isCA value. Note that the issuer may choose
|
|||
|
to ignore the requested isCA value, just like any other requested attribute.
|
|||
|
|
|||
|
|
|||
|
NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
|
|||
|
it must have the same isCA value as specified here.
|
|||
|
|
|||
|
|
|||
|
If true, this will automatically add the `cert sign` usage to the list
|
|||
|
of requested `usages`.
|
|||
|
type: boolean
|
|||
|
issuerRef:
|
|||
|
description: |-
|
|||
|
Reference to the issuer responsible for issuing the certificate.
|
|||
|
If the issuer is namespace-scoped, it must be in the same namespace
|
|||
|
as the Certificate. If the issuer is cluster-scoped, it can be used
|
|||
|
from any namespace.
|
|||
|
|
|||
|
|
|||
|
The `name` field of the reference must always be specified.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
group:
|
|||
|
description: Group of the resource being referred to.
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: Kind of the resource being referred to.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: Name of the resource being referred to.
|
|||
|
type: string
|
|||
|
request:
|
|||
|
description: |-
|
|||
|
The PEM-encoded X.509 certificate signing request to be submitted to the
|
|||
|
issuer for signing.
|
|||
|
|
|||
|
|
|||
|
If the CSR has a BasicConstraints extension, its isCA attribute must
|
|||
|
match the `isCA` value of this CertificateRequest.
|
|||
|
If the CSR has a KeyUsage extension, its key usages must match the
|
|||
|
key usages in the `usages` field of this CertificateRequest.
|
|||
|
If the CSR has a ExtKeyUsage extension, its extended key usages
|
|||
|
must match the extended key usages in the `usages` field of this
|
|||
|
CertificateRequest.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
uid:
|
|||
|
description: |-
|
|||
|
UID contains the uid of the user that created the CertificateRequest.
|
|||
|
Populated by the cert-manager webhook on creation and immutable.
|
|||
|
type: string
|
|||
|
usages:
|
|||
|
description: |-
|
|||
|
Requested key usages and extended key usages.
|
|||
|
|
|||
|
|
|||
|
NOTE: If the CSR in the `Request` field has uses the KeyUsage or
|
|||
|
ExtKeyUsage extension, these extensions must have the same values
|
|||
|
as specified here without any additional values.
|
|||
|
|
|||
|
|
|||
|
If unset, defaults to `digital signature` and `key encipherment`.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
KeyUsage specifies valid usage contexts for keys.
|
|||
|
See:
|
|||
|
https://tools.ietf.org/html/rfc5280#section-4.2.1.3
|
|||
|
https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|||
|
|
|||
|
|
|||
|
Valid KeyUsage values are as follows:
|
|||
|
"signing",
|
|||
|
"digital signature",
|
|||
|
"content commitment",
|
|||
|
"key encipherment",
|
|||
|
"key agreement",
|
|||
|
"data encipherment",
|
|||
|
"cert sign",
|
|||
|
"crl sign",
|
|||
|
"encipher only",
|
|||
|
"decipher only",
|
|||
|
"any",
|
|||
|
"server auth",
|
|||
|
"client auth",
|
|||
|
"code signing",
|
|||
|
"email protection",
|
|||
|
"s/mime",
|
|||
|
"ipsec end system",
|
|||
|
"ipsec tunnel",
|
|||
|
"ipsec user",
|
|||
|
"timestamping",
|
|||
|
"ocsp signing",
|
|||
|
"microsoft sgc",
|
|||
|
"netscape sgc"
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- signing
|
|||
|
- digital signature
|
|||
|
- content commitment
|
|||
|
- key encipherment
|
|||
|
- key agreement
|
|||
|
- data encipherment
|
|||
|
- cert sign
|
|||
|
- crl sign
|
|||
|
- encipher only
|
|||
|
- decipher only
|
|||
|
- any
|
|||
|
- server auth
|
|||
|
- client auth
|
|||
|
- code signing
|
|||
|
- email protection
|
|||
|
- s/mime
|
|||
|
- ipsec end system
|
|||
|
- ipsec tunnel
|
|||
|
- ipsec user
|
|||
|
- timestamping
|
|||
|
- ocsp signing
|
|||
|
- microsoft sgc
|
|||
|
- netscape sgc
|
|||
|
username:
|
|||
|
description: |-
|
|||
|
Username contains the name of the user that created the CertificateRequest.
|
|||
|
Populated by the cert-manager webhook on creation and immutable.
|
|||
|
type: string
|
|||
|
status:
|
|||
|
description: |-
|
|||
|
Status of the CertificateRequest.
|
|||
|
This is set and managed automatically.
|
|||
|
Read-only.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
ca:
|
|||
|
description: |-
|
|||
|
The PEM encoded X.509 certificate of the signer, also known as the CA
|
|||
|
(Certificate Authority).
|
|||
|
This is set on a best-effort basis by different issuers.
|
|||
|
If not set, the CA is assumed to be unknown/not available.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
certificate:
|
|||
|
description: |-
|
|||
|
The PEM encoded X.509 certificate resulting from the certificate
|
|||
|
signing request.
|
|||
|
If not set, the CertificateRequest has either not been completed or has
|
|||
|
failed. More information on failure can be found by checking the
|
|||
|
`conditions` field.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
conditions:
|
|||
|
description: |-
|
|||
|
List of status conditions to indicate the status of a CertificateRequest.
|
|||
|
Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: CertificateRequestCondition contains condition information for a CertificateRequest.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- status
|
|||
|
- type
|
|||
|
properties:
|
|||
|
lastTransitionTime:
|
|||
|
description: |-
|
|||
|
LastTransitionTime is the timestamp corresponding to the last status
|
|||
|
change of this condition.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
message:
|
|||
|
description: |-
|
|||
|
Message is a human readable description of the details of the last
|
|||
|
transition, complementing reason.
|
|||
|
type: string
|
|||
|
reason:
|
|||
|
description: |-
|
|||
|
Reason is a brief machine readable explanation for the condition's last
|
|||
|
transition.
|
|||
|
type: string
|
|||
|
status:
|
|||
|
description: Status of the condition, one of (`True`, `False`, `Unknown`).
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- "True"
|
|||
|
- "False"
|
|||
|
- Unknown
|
|||
|
type:
|
|||
|
description: |-
|
|||
|
Type of the condition, known values are (`Ready`, `InvalidRequest`,
|
|||
|
`Approved`, `Denied`).
|
|||
|
type: string
|
|||
|
x-kubernetes-list-map-keys:
|
|||
|
- type
|
|||
|
x-kubernetes-list-type: map
|
|||
|
failureTime:
|
|||
|
description: |-
|
|||
|
FailureTime stores the time that this CertificateRequest failed. This is
|
|||
|
used to influence garbage collection and back-off.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
served: true
|
|||
|
storage: true
|
|||
|
|
|||
|
# END crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
apiVersion: apiextensions.k8s.io/v1
|
|||
|
kind: CustomResourceDefinition
|
|||
|
metadata:
|
|||
|
name: certificates.cert-manager.io
|
|||
|
# START annotations
|
|||
|
annotations:
|
|||
|
helm.sh/resource-policy: keep
|
|||
|
# END annotations
|
|||
|
labels:
|
|||
|
app: 'cert-manager'
|
|||
|
app.kubernetes.io/name: 'cert-manager'
|
|||
|
app.kubernetes.io/instance: 'cert-manager'
|
|||
|
# Generated labels
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
group: cert-manager.io
|
|||
|
names:
|
|||
|
kind: Certificate
|
|||
|
listKind: CertificateList
|
|||
|
plural: certificates
|
|||
|
shortNames:
|
|||
|
- cert
|
|||
|
- certs
|
|||
|
singular: certificate
|
|||
|
categories:
|
|||
|
- cert-manager
|
|||
|
scope: Namespaced
|
|||
|
versions:
|
|||
|
- name: v1
|
|||
|
subresources:
|
|||
|
status: {}
|
|||
|
additionalPrinterColumns:
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|||
|
name: Ready
|
|||
|
type: string
|
|||
|
- jsonPath: .spec.secretName
|
|||
|
name: Secret
|
|||
|
type: string
|
|||
|
- jsonPath: .spec.issuerRef.name
|
|||
|
name: Issuer
|
|||
|
priority: 1
|
|||
|
type: string
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|||
|
name: Status
|
|||
|
priority: 1
|
|||
|
type: string
|
|||
|
- jsonPath: .metadata.creationTimestamp
|
|||
|
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|||
|
name: Age
|
|||
|
type: date
|
|||
|
schema:
|
|||
|
openAPIV3Schema:
|
|||
|
description: |-
|
|||
|
A Certificate resource should be created to ensure an up to date and signed
|
|||
|
X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
|
|||
|
|
|||
|
|
|||
|
The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
apiVersion:
|
|||
|
description: |-
|
|||
|
APIVersion defines the versioned schema of this representation of an object.
|
|||
|
Servers should convert recognized schemas to the latest internal value, and
|
|||
|
may reject unrecognized values.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: |-
|
|||
|
Kind is a string value representing the REST resource this object represents.
|
|||
|
Servers may infer this from the endpoint the client submits requests to.
|
|||
|
Cannot be updated.
|
|||
|
In CamelCase.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|||
|
type: string
|
|||
|
metadata:
|
|||
|
type: object
|
|||
|
spec:
|
|||
|
description: |-
|
|||
|
Specification of the desired state of the Certificate resource.
|
|||
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- issuerRef
|
|||
|
- secretName
|
|||
|
properties:
|
|||
|
additionalOutputFormats:
|
|||
|
description: |-
|
|||
|
Defines extra output formats of the private key and signed certificate chain
|
|||
|
to be written to this Certificate's target Secret.
|
|||
|
|
|||
|
|
|||
|
This is a Beta Feature enabled by default. It can be disabled with the
|
|||
|
`--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
|
|||
|
the controller and webhook components.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
CertificateAdditionalOutputFormat defines an additional output format of a
|
|||
|
Certificate resource. These contain supplementary data formats of the signed
|
|||
|
certificate chain and paired private key.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- type
|
|||
|
properties:
|
|||
|
type:
|
|||
|
description: |-
|
|||
|
Type is the name of the format type that should be written to the
|
|||
|
Certificate's target Secret.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- DER
|
|||
|
- CombinedPEM
|
|||
|
commonName:
|
|||
|
description: |-
|
|||
|
Requested common name X509 certificate subject attribute.
|
|||
|
More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
|
|||
|
NOTE: TLS clients will ignore this value when any subject alternative name is
|
|||
|
set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
|
|||
|
|
|||
|
|
|||
|
Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
|
|||
|
Cannot be set if the `literalSubject` field is set.
|
|||
|
type: string
|
|||
|
dnsNames:
|
|||
|
description: Requested DNS subject alternative names.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
duration:
|
|||
|
description: |-
|
|||
|
Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
|
|||
|
issuer may choose to ignore the requested duration, just like any other
|
|||
|
requested attribute.
|
|||
|
|
|||
|
|
|||
|
If unset, this defaults to 90 days.
|
|||
|
Minimum accepted duration is 1 hour.
|
|||
|
Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
|
|||
|
type: string
|
|||
|
emailAddresses:
|
|||
|
description: Requested email subject alternative names.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
encodeUsagesInRequest:
|
|||
|
description: |-
|
|||
|
Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
|
|||
|
|
|||
|
|
|||
|
This option defaults to true, and should only be disabled if the target
|
|||
|
issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
|
|||
|
type: boolean
|
|||
|
ipAddresses:
|
|||
|
description: Requested IP address subject alternative names.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
isCA:
|
|||
|
description: |-
|
|||
|
Requested basic constraints isCA value.
|
|||
|
The isCA value is used to set the `isCA` field on the created CertificateRequest
|
|||
|
resources. Note that the issuer may choose to ignore the requested isCA value, just
|
|||
|
like any other requested attribute.
|
|||
|
|
|||
|
|
|||
|
If true, this will automatically add the `cert sign` usage to the list
|
|||
|
of requested `usages`.
|
|||
|
type: boolean
|
|||
|
issuerRef:
|
|||
|
description: |-
|
|||
|
Reference to the issuer responsible for issuing the certificate.
|
|||
|
If the issuer is namespace-scoped, it must be in the same namespace
|
|||
|
as the Certificate. If the issuer is cluster-scoped, it can be used
|
|||
|
from any namespace.
|
|||
|
|
|||
|
|
|||
|
The `name` field of the reference must always be specified.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
group:
|
|||
|
description: Group of the resource being referred to.
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: Kind of the resource being referred to.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: Name of the resource being referred to.
|
|||
|
type: string
|
|||
|
keystores:
|
|||
|
description: Additional keystore output formats to be stored in the Certificate's Secret.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
jks:
|
|||
|
description: |-
|
|||
|
JKS configures options for storing a JKS keystore in the
|
|||
|
`spec.secretName` Secret resource.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- create
|
|||
|
- passwordSecretRef
|
|||
|
properties:
|
|||
|
alias:
|
|||
|
description: |-
|
|||
|
Alias specifies the alias of the key in the keystore, required by the JKS format.
|
|||
|
If not provided, the default alias `certificate` will be used.
|
|||
|
type: string
|
|||
|
create:
|
|||
|
description: |-
|
|||
|
Create enables JKS keystore creation for the Certificate.
|
|||
|
If true, a file named `keystore.jks` will be created in the target
|
|||
|
Secret resource, encrypted using the password stored in
|
|||
|
`passwordSecretRef`.
|
|||
|
The keystore file will be updated immediately.
|
|||
|
If the issuer provided a CA certificate, a file named `truststore.jks`
|
|||
|
will also be created in the target Secret resource, encrypted using the
|
|||
|
password stored in `passwordSecretRef`
|
|||
|
containing the issuing Certificate Authority
|
|||
|
type: boolean
|
|||
|
passwordSecretRef:
|
|||
|
description: |-
|
|||
|
PasswordSecretRef is a reference to a key in a Secret resource
|
|||
|
containing the password used to encrypt the JKS keystore.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
pkcs12:
|
|||
|
description: |-
|
|||
|
PKCS12 configures options for storing a PKCS12 keystore in the
|
|||
|
`spec.secretName` Secret resource.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- create
|
|||
|
- passwordSecretRef
|
|||
|
properties:
|
|||
|
create:
|
|||
|
description: |-
|
|||
|
Create enables PKCS12 keystore creation for the Certificate.
|
|||
|
If true, a file named `keystore.p12` will be created in the target
|
|||
|
Secret resource, encrypted using the password stored in
|
|||
|
`passwordSecretRef`.
|
|||
|
The keystore file will be updated immediately.
|
|||
|
If the issuer provided a CA certificate, a file named `truststore.p12` will
|
|||
|
also be created in the target Secret resource, encrypted using the
|
|||
|
password stored in `passwordSecretRef` containing the issuing Certificate
|
|||
|
Authority
|
|||
|
type: boolean
|
|||
|
passwordSecretRef:
|
|||
|
description: |-
|
|||
|
PasswordSecretRef is a reference to a key in a Secret resource
|
|||
|
containing the password used to encrypt the PKCS12 keystore.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
profile:
|
|||
|
description: |-
|
|||
|
Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
|
|||
|
used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
|
|||
|
|
|||
|
|
|||
|
If provided, allowed values are:
|
|||
|
`LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
|
|||
|
`LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
|
|||
|
`Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
|
|||
|
(eg. because of company policy). Please note that the security of the algorithm is not that important
|
|||
|
in reality, because the unencrypted certificate and private key are also stored in the Secret.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- LegacyRC2
|
|||
|
- LegacyDES
|
|||
|
- Modern2023
|
|||
|
literalSubject:
|
|||
|
description: |-
|
|||
|
Requested X.509 certificate subject, represented using the LDAP "String
|
|||
|
Representation of a Distinguished Name" [1].
|
|||
|
Important: the LDAP string format also specifies the order of the attributes
|
|||
|
in the subject, this is important when issuing certs for LDAP authentication.
|
|||
|
Example: `CN=foo,DC=corp,DC=example,DC=com`
|
|||
|
More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
|
|||
|
More info: https://github.com/cert-manager/cert-manager/issues/3203
|
|||
|
More info: https://github.com/cert-manager/cert-manager/issues/4424
|
|||
|
|
|||
|
|
|||
|
Cannot be set if the `subject` or `commonName` field is set.
|
|||
|
type: string
|
|||
|
nameConstraints:
|
|||
|
description: |-
|
|||
|
x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
|
|||
|
More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
|
|||
|
|
|||
|
|
|||
|
This is an Alpha Feature and is only enabled with the
|
|||
|
`--feature-gates=NameConstraints=true` option set on both
|
|||
|
the controller and webhook components.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
critical:
|
|||
|
description: if true then the name constraints are marked critical.
|
|||
|
type: boolean
|
|||
|
excluded:
|
|||
|
description: |-
|
|||
|
Excluded contains the constraints which must be disallowed. Any name matching a
|
|||
|
restriction in the excluded field is invalid regardless
|
|||
|
of information appearing in the permitted
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
dnsDomains:
|
|||
|
description: DNSDomains is a list of DNS domains that are permitted or excluded.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
emailAddresses:
|
|||
|
description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
ipRanges:
|
|||
|
description: |-
|
|||
|
IPRanges is a list of IP Ranges that are permitted or excluded.
|
|||
|
This should be a valid CIDR notation.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
uriDomains:
|
|||
|
description: URIDomains is a list of URI domains that are permitted or excluded.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
permitted:
|
|||
|
description: Permitted contains the constraints in which the names must be located.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
dnsDomains:
|
|||
|
description: DNSDomains is a list of DNS domains that are permitted or excluded.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
emailAddresses:
|
|||
|
description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
ipRanges:
|
|||
|
description: |-
|
|||
|
IPRanges is a list of IP Ranges that are permitted or excluded.
|
|||
|
This should be a valid CIDR notation.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
uriDomains:
|
|||
|
description: URIDomains is a list of URI domains that are permitted or excluded.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
otherNames:
|
|||
|
description: |-
|
|||
|
`otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
|
|||
|
Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
|
|||
|
Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
|
|||
|
You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
oid:
|
|||
|
description: |-
|
|||
|
OID is the object identifier for the otherName SAN.
|
|||
|
The object identifier must be expressed as a dotted string, for
|
|||
|
example, "1.2.840.113556.1.4.221".
|
|||
|
type: string
|
|||
|
utf8Value:
|
|||
|
description: |-
|
|||
|
utf8Value is the string value of the otherName SAN.
|
|||
|
The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
|
|||
|
type: string
|
|||
|
privateKey:
|
|||
|
description: |-
|
|||
|
Private key options. These include the key algorithm and size, the used
|
|||
|
encoding and the rotation policy.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
algorithm:
|
|||
|
description: |-
|
|||
|
Algorithm is the private key algorithm of the corresponding private key
|
|||
|
for this certificate.
|
|||
|
|
|||
|
|
|||
|
If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
|
|||
|
If `algorithm` is specified and `size` is not provided,
|
|||
|
key size of 2048 will be used for `RSA` key algorithm and
|
|||
|
key size of 256 will be used for `ECDSA` key algorithm.
|
|||
|
key size is ignored when using the `Ed25519` key algorithm.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- RSA
|
|||
|
- ECDSA
|
|||
|
- Ed25519
|
|||
|
encoding:
|
|||
|
description: |-
|
|||
|
The private key cryptography standards (PKCS) encoding for this
|
|||
|
certificate's private key to be encoded in.
|
|||
|
|
|||
|
|
|||
|
If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
|
|||
|
and PKCS#8, respectively.
|
|||
|
Defaults to `PKCS1` if not specified.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- PKCS1
|
|||
|
- PKCS8
|
|||
|
rotationPolicy:
|
|||
|
description: |-
|
|||
|
RotationPolicy controls how private keys should be regenerated when a
|
|||
|
re-issuance is being processed.
|
|||
|
|
|||
|
|
|||
|
If set to `Never`, a private key will only be generated if one does not
|
|||
|
already exist in the target `spec.secretName`. If one does exists but it
|
|||
|
does not have the correct algorithm or size, a warning will be raised
|
|||
|
to await user intervention.
|
|||
|
If set to `Always`, a private key matching the specified requirements
|
|||
|
will be generated whenever a re-issuance occurs.
|
|||
|
Default is `Never` for backward compatibility.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- Never
|
|||
|
- Always
|
|||
|
size:
|
|||
|
description: |-
|
|||
|
Size is the key bit size of the corresponding private key for this certificate.
|
|||
|
|
|||
|
|
|||
|
If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
|
|||
|
and will default to `2048` if not specified.
|
|||
|
If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
|
|||
|
and will default to `256` if not specified.
|
|||
|
If `algorithm` is set to `Ed25519`, Size is ignored.
|
|||
|
No other values are allowed.
|
|||
|
type: integer
|
|||
|
renewBefore:
|
|||
|
description: |-
|
|||
|
How long before the currently issued certificate's expiry cert-manager should
|
|||
|
renew the certificate. For example, if a certificate is valid for 60 minutes,
|
|||
|
and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
|
|||
|
50 minutes after it was issued (i.e. when there are 10 minutes remaining until
|
|||
|
the certificate is no longer valid).
|
|||
|
|
|||
|
|
|||
|
NOTE: The actual lifetime of the issued certificate is used to determine the
|
|||
|
renewal time. If an issuer returns a certificate with a different lifetime than
|
|||
|
the one requested, cert-manager will use the lifetime of the issued certificate.
|
|||
|
|
|||
|
|
|||
|
If unset, this defaults to 1/3 of the issued certificate's lifetime.
|
|||
|
Minimum accepted value is 5 minutes.
|
|||
|
Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
|
|||
|
type: string
|
|||
|
revisionHistoryLimit:
|
|||
|
description: |-
|
|||
|
The maximum number of CertificateRequest revisions that are maintained in
|
|||
|
the Certificate's history. Each revision represents a single `CertificateRequest`
|
|||
|
created by this Certificate, either when it was created, renewed, or Spec
|
|||
|
was changed. Revisions will be removed by oldest first if the number of
|
|||
|
revisions exceeds this number.
|
|||
|
|
|||
|
|
|||
|
If set, revisionHistoryLimit must be a value of `1` or greater.
|
|||
|
If unset (`nil`), revisions will not be garbage collected.
|
|||
|
Default value is `nil`.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
secretName:
|
|||
|
description: |-
|
|||
|
Name of the Secret resource that will be automatically created and
|
|||
|
managed by this Certificate resource. It will be populated with a
|
|||
|
private key and certificate, signed by the denoted issuer. The Secret
|
|||
|
resource lives in the same namespace as the Certificate resource.
|
|||
|
type: string
|
|||
|
secretTemplate:
|
|||
|
description: |-
|
|||
|
Defines annotations and labels to be copied to the Certificate's Secret.
|
|||
|
Labels and annotations on the Secret will be changed as they appear on the
|
|||
|
SecretTemplate when added or removed. SecretTemplate annotations are added
|
|||
|
in conjunction with, and cannot overwrite, the base set of annotations
|
|||
|
cert-manager sets on the Certificate's Secret.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
annotations:
|
|||
|
description: Annotations is a key value map to be copied to the target Kubernetes Secret.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
labels:
|
|||
|
description: Labels is a key value map to be copied to the target Kubernetes Secret.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
subject:
|
|||
|
description: |-
|
|||
|
Requested set of X509 certificate subject attributes.
|
|||
|
More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
|
|||
|
|
|||
|
|
|||
|
The common name attribute is specified separately in the `commonName` field.
|
|||
|
Cannot be set if the `literalSubject` field is set.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
countries:
|
|||
|
description: Countries to be used on the Certificate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
localities:
|
|||
|
description: Cities to be used on the Certificate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
organizationalUnits:
|
|||
|
description: Organizational Units to be used on the Certificate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
organizations:
|
|||
|
description: Organizations to be used on the Certificate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
postalCodes:
|
|||
|
description: Postal codes to be used on the Certificate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
provinces:
|
|||
|
description: State/Provinces to be used on the Certificate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
serialNumber:
|
|||
|
description: Serial number to be used on the Certificate.
|
|||
|
type: string
|
|||
|
streetAddresses:
|
|||
|
description: Street addresses to be used on the Certificate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
uris:
|
|||
|
description: Requested URI subject alternative names.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
usages:
|
|||
|
description: |-
|
|||
|
Requested key usages and extended key usages.
|
|||
|
These usages are used to set the `usages` field on the created CertificateRequest
|
|||
|
resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
|
|||
|
will additionally be encoded in the `request` field which contains the CSR blob.
|
|||
|
|
|||
|
|
|||
|
If unset, defaults to `digital signature` and `key encipherment`.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
KeyUsage specifies valid usage contexts for keys.
|
|||
|
See:
|
|||
|
https://tools.ietf.org/html/rfc5280#section-4.2.1.3
|
|||
|
https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|||
|
|
|||
|
|
|||
|
Valid KeyUsage values are as follows:
|
|||
|
"signing",
|
|||
|
"digital signature",
|
|||
|
"content commitment",
|
|||
|
"key encipherment",
|
|||
|
"key agreement",
|
|||
|
"data encipherment",
|
|||
|
"cert sign",
|
|||
|
"crl sign",
|
|||
|
"encipher only",
|
|||
|
"decipher only",
|
|||
|
"any",
|
|||
|
"server auth",
|
|||
|
"client auth",
|
|||
|
"code signing",
|
|||
|
"email protection",
|
|||
|
"s/mime",
|
|||
|
"ipsec end system",
|
|||
|
"ipsec tunnel",
|
|||
|
"ipsec user",
|
|||
|
"timestamping",
|
|||
|
"ocsp signing",
|
|||
|
"microsoft sgc",
|
|||
|
"netscape sgc"
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- signing
|
|||
|
- digital signature
|
|||
|
- content commitment
|
|||
|
- key encipherment
|
|||
|
- key agreement
|
|||
|
- data encipherment
|
|||
|
- cert sign
|
|||
|
- crl sign
|
|||
|
- encipher only
|
|||
|
- decipher only
|
|||
|
- any
|
|||
|
- server auth
|
|||
|
- client auth
|
|||
|
- code signing
|
|||
|
- email protection
|
|||
|
- s/mime
|
|||
|
- ipsec end system
|
|||
|
- ipsec tunnel
|
|||
|
- ipsec user
|
|||
|
- timestamping
|
|||
|
- ocsp signing
|
|||
|
- microsoft sgc
|
|||
|
- netscape sgc
|
|||
|
status:
|
|||
|
description: |-
|
|||
|
Status of the Certificate.
|
|||
|
This is set and managed automatically.
|
|||
|
Read-only.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
conditions:
|
|||
|
description: |-
|
|||
|
List of status conditions to indicate the status of certificates.
|
|||
|
Known condition types are `Ready` and `Issuing`.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: CertificateCondition contains condition information for an Certificate.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- status
|
|||
|
- type
|
|||
|
properties:
|
|||
|
lastTransitionTime:
|
|||
|
description: |-
|
|||
|
LastTransitionTime is the timestamp corresponding to the last status
|
|||
|
change of this condition.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
message:
|
|||
|
description: |-
|
|||
|
Message is a human readable description of the details of the last
|
|||
|
transition, complementing reason.
|
|||
|
type: string
|
|||
|
observedGeneration:
|
|||
|
description: |-
|
|||
|
If set, this represents the .metadata.generation that the condition was
|
|||
|
set based upon.
|
|||
|
For instance, if .metadata.generation is currently 12, but the
|
|||
|
.status.condition[x].observedGeneration is 9, the condition is out of date
|
|||
|
with respect to the current state of the Certificate.
|
|||
|
type: integer
|
|||
|
format: int64
|
|||
|
reason:
|
|||
|
description: |-
|
|||
|
Reason is a brief machine readable explanation for the condition's last
|
|||
|
transition.
|
|||
|
type: string
|
|||
|
status:
|
|||
|
description: Status of the condition, one of (`True`, `False`, `Unknown`).
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- "True"
|
|||
|
- "False"
|
|||
|
- Unknown
|
|||
|
type:
|
|||
|
description: Type of the condition, known values are (`Ready`, `Issuing`).
|
|||
|
type: string
|
|||
|
x-kubernetes-list-map-keys:
|
|||
|
- type
|
|||
|
x-kubernetes-list-type: map
|
|||
|
failedIssuanceAttempts:
|
|||
|
description: |-
|
|||
|
The number of continuous failed issuance attempts up till now. This
|
|||
|
field gets removed (if set) on a successful issuance and gets set to
|
|||
|
1 if unset and an issuance has failed. If an issuance has failed, the
|
|||
|
delay till the next issuance will be calculated using formula
|
|||
|
time.Hour * 2 ^ (failedIssuanceAttempts - 1).
|
|||
|
type: integer
|
|||
|
lastFailureTime:
|
|||
|
description: |-
|
|||
|
LastFailureTime is set only if the lastest issuance for this
|
|||
|
Certificate failed and contains the time of the failure. If an
|
|||
|
issuance has failed, the delay till the next issuance will be
|
|||
|
calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
|
|||
|
1). If the latest issuance has succeeded this field will be unset.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
nextPrivateKeySecretName:
|
|||
|
description: |-
|
|||
|
The name of the Secret resource containing the private key to be used
|
|||
|
for the next certificate iteration.
|
|||
|
The keymanager controller will automatically set this field if the
|
|||
|
`Issuing` condition is set to `True`.
|
|||
|
It will automatically unset this field when the Issuing condition is
|
|||
|
not set or False.
|
|||
|
type: string
|
|||
|
notAfter:
|
|||
|
description: |-
|
|||
|
The expiration time of the certificate stored in the secret named
|
|||
|
by this resource in `spec.secretName`.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
notBefore:
|
|||
|
description: |-
|
|||
|
The time after which the certificate stored in the secret named
|
|||
|
by this resource in `spec.secretName` is valid.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
renewalTime:
|
|||
|
description: |-
|
|||
|
RenewalTime is the time at which the certificate will be next
|
|||
|
renewed.
|
|||
|
If not set, no upcoming renewal is scheduled.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
revision:
|
|||
|
description: |-
|
|||
|
The current 'revision' of the certificate as issued.
|
|||
|
|
|||
|
|
|||
|
When a CertificateRequest resource is created, it will have the
|
|||
|
`cert-manager.io/certificate-revision` set to one greater than the
|
|||
|
current value of this field.
|
|||
|
|
|||
|
|
|||
|
Upon issuance, this field will be set to the value of the annotation
|
|||
|
on the CertificateRequest resource used to issue the certificate.
|
|||
|
|
|||
|
|
|||
|
Persisting the value on the CertificateRequest resource allows the
|
|||
|
certificates controller to know whether a request is part of an old
|
|||
|
issuance or if it is part of the ongoing revision's issuance by
|
|||
|
checking if the revision value in the annotation is greater than this
|
|||
|
field.
|
|||
|
type: integer
|
|||
|
served: true
|
|||
|
storage: true
|
|||
|
|
|||
|
# END crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
apiVersion: apiextensions.k8s.io/v1
|
|||
|
kind: CustomResourceDefinition
|
|||
|
metadata:
|
|||
|
name: challenges.acme.cert-manager.io
|
|||
|
# START annotations
|
|||
|
annotations:
|
|||
|
helm.sh/resource-policy: keep
|
|||
|
# END annotations
|
|||
|
labels:
|
|||
|
app: 'cert-manager'
|
|||
|
app.kubernetes.io/name: 'cert-manager'
|
|||
|
app.kubernetes.io/instance: 'cert-manager'
|
|||
|
# Generated labels
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
group: acme.cert-manager.io
|
|||
|
names:
|
|||
|
kind: Challenge
|
|||
|
listKind: ChallengeList
|
|||
|
plural: challenges
|
|||
|
singular: challenge
|
|||
|
categories:
|
|||
|
- cert-manager
|
|||
|
- cert-manager-acme
|
|||
|
scope: Namespaced
|
|||
|
versions:
|
|||
|
- additionalPrinterColumns:
|
|||
|
- jsonPath: .status.state
|
|||
|
name: State
|
|||
|
type: string
|
|||
|
- jsonPath: .spec.dnsName
|
|||
|
name: Domain
|
|||
|
type: string
|
|||
|
- jsonPath: .status.reason
|
|||
|
name: Reason
|
|||
|
priority: 1
|
|||
|
type: string
|
|||
|
- description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|||
|
jsonPath: .metadata.creationTimestamp
|
|||
|
name: Age
|
|||
|
type: date
|
|||
|
name: v1
|
|||
|
schema:
|
|||
|
openAPIV3Schema:
|
|||
|
description: Challenge is a type to represent a Challenge request with an ACME server
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- metadata
|
|||
|
- spec
|
|||
|
properties:
|
|||
|
apiVersion:
|
|||
|
description: |-
|
|||
|
APIVersion defines the versioned schema of this representation of an object.
|
|||
|
Servers should convert recognized schemas to the latest internal value, and
|
|||
|
may reject unrecognized values.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: |-
|
|||
|
Kind is a string value representing the REST resource this object represents.
|
|||
|
Servers may infer this from the endpoint the client submits requests to.
|
|||
|
Cannot be updated.
|
|||
|
In CamelCase.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|||
|
type: string
|
|||
|
metadata:
|
|||
|
type: object
|
|||
|
spec:
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- authorizationURL
|
|||
|
- dnsName
|
|||
|
- issuerRef
|
|||
|
- key
|
|||
|
- solver
|
|||
|
- token
|
|||
|
- type
|
|||
|
- url
|
|||
|
properties:
|
|||
|
authorizationURL:
|
|||
|
description: |-
|
|||
|
The URL to the ACME Authorization resource that this
|
|||
|
challenge is a part of.
|
|||
|
type: string
|
|||
|
dnsName:
|
|||
|
description: |-
|
|||
|
dnsName is the identifier that this challenge is for, e.g. example.com.
|
|||
|
If the requested DNSName is a 'wildcard', this field MUST be set to the
|
|||
|
non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
|
|||
|
type: string
|
|||
|
issuerRef:
|
|||
|
description: |-
|
|||
|
References a properly configured ACME-type Issuer which should
|
|||
|
be used to create this Challenge.
|
|||
|
If the Issuer does not exist, processing will be retried.
|
|||
|
If the Issuer is not an 'ACME' Issuer, an error will be returned and the
|
|||
|
Challenge will be marked as failed.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
group:
|
|||
|
description: Group of the resource being referred to.
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: Kind of the resource being referred to.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: Name of the resource being referred to.
|
|||
|
type: string
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The ACME challenge key for this challenge
|
|||
|
For HTTP01 challenges, this is the value that must be responded with to
|
|||
|
complete the HTTP01 challenge in the format:
|
|||
|
`<private key JWK thumbprint>.<key from acme server for challenge>`.
|
|||
|
For DNS01 challenges, this is the base64 encoded SHA256 sum of the
|
|||
|
`<private key JWK thumbprint>.<key from acme server for challenge>`
|
|||
|
text that must be set as the TXT record content.
|
|||
|
type: string
|
|||
|
solver:
|
|||
|
description: |-
|
|||
|
Contains the domain solving configuration that should be used to
|
|||
|
solve this challenge resource.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
dns01:
|
|||
|
description: |-
|
|||
|
Configures cert-manager to attempt to complete authorizations by
|
|||
|
performing the DNS01 challenge flow.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
acmeDNS:
|
|||
|
description: |-
|
|||
|
Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
|
|||
|
DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- accountSecretRef
|
|||
|
- host
|
|||
|
properties:
|
|||
|
accountSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
host:
|
|||
|
type: string
|
|||
|
akamai:
|
|||
|
description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- accessTokenSecretRef
|
|||
|
- clientSecretSecretRef
|
|||
|
- clientTokenSecretRef
|
|||
|
- serviceConsumerDomain
|
|||
|
properties:
|
|||
|
accessTokenSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientSecretSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientTokenSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
serviceConsumerDomain:
|
|||
|
type: string
|
|||
|
azureDNS:
|
|||
|
description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- resourceGroupName
|
|||
|
- subscriptionID
|
|||
|
properties:
|
|||
|
clientID:
|
|||
|
description: |-
|
|||
|
Auth: Azure Service Principal:
|
|||
|
The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
|
|||
|
If set, ClientSecret and TenantID must also be set.
|
|||
|
type: string
|
|||
|
clientSecretSecretRef:
|
|||
|
description: |-
|
|||
|
Auth: Azure Service Principal:
|
|||
|
A reference to a Secret containing the password associated with the Service Principal.
|
|||
|
If set, ClientID and TenantID must also be set.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
environment:
|
|||
|
description: name of the Azure environment (default AzurePublicCloud)
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- AzurePublicCloud
|
|||
|
- AzureChinaCloud
|
|||
|
- AzureGermanCloud
|
|||
|
- AzureUSGovernmentCloud
|
|||
|
hostedZoneName:
|
|||
|
description: name of the DNS zone that should be used
|
|||
|
type: string
|
|||
|
managedIdentity:
|
|||
|
description: |-
|
|||
|
Auth: Azure Workload Identity or Azure Managed Service Identity:
|
|||
|
Settings to enable Azure Workload Identity or Azure Managed Service Identity
|
|||
|
If set, ClientID, ClientSecret and TenantID must not be set.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
clientID:
|
|||
|
description: client ID of the managed identity, can not be used at the same time as resourceID
|
|||
|
type: string
|
|||
|
resourceID:
|
|||
|
description: |-
|
|||
|
resource ID of the managed identity, can not be used at the same time as clientID
|
|||
|
Cannot be used for Azure Managed Service Identity
|
|||
|
type: string
|
|||
|
resourceGroupName:
|
|||
|
description: resource group the DNS zone is located in
|
|||
|
type: string
|
|||
|
subscriptionID:
|
|||
|
description: ID of the Azure subscription
|
|||
|
type: string
|
|||
|
tenantID:
|
|||
|
description: |-
|
|||
|
Auth: Azure Service Principal:
|
|||
|
The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
|
|||
|
If set, ClientID and ClientSecret must also be set.
|
|||
|
type: string
|
|||
|
cloudDNS:
|
|||
|
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- project
|
|||
|
properties:
|
|||
|
hostedZoneName:
|
|||
|
description: |-
|
|||
|
HostedZoneName is an optional field that tells cert-manager in which
|
|||
|
Cloud DNS zone the challenge record has to be created.
|
|||
|
If left empty cert-manager will automatically choose a zone.
|
|||
|
type: string
|
|||
|
project:
|
|||
|
type: string
|
|||
|
serviceAccountSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
cloudflare:
|
|||
|
description: Use the Cloudflare API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
apiKeySecretRef:
|
|||
|
description: |-
|
|||
|
API key to use to authenticate with Cloudflare.
|
|||
|
Note: using an API token to authenticate is now the recommended method
|
|||
|
as it allows greater control of permissions.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
apiTokenSecretRef:
|
|||
|
description: API token used to authenticate with Cloudflare.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
email:
|
|||
|
description: Email of the account, only required when using API key based authentication.
|
|||
|
type: string
|
|||
|
cnameStrategy:
|
|||
|
description: |-
|
|||
|
CNAMEStrategy configures how the DNS01 provider should handle CNAME
|
|||
|
records when found in DNS zones.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- None
|
|||
|
- Follow
|
|||
|
digitalocean:
|
|||
|
description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- tokenSecretRef
|
|||
|
properties:
|
|||
|
tokenSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
rfc2136:
|
|||
|
description: |-
|
|||
|
Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
|||
|
to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- nameserver
|
|||
|
properties:
|
|||
|
nameserver:
|
|||
|
description: |-
|
|||
|
The IP address or hostname of an authoritative DNS server supporting
|
|||
|
RFC2136 in the form host:port. If the host is an IPv6 address it must be
|
|||
|
enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
|
|||
|
This field is required.
|
|||
|
type: string
|
|||
|
tsigAlgorithm:
|
|||
|
description: |-
|
|||
|
The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
|
|||
|
when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
|
|||
|
Supported values are (case-insensitive): ``HMACMD5`` (default),
|
|||
|
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
|
|||
|
type: string
|
|||
|
tsigKeyName:
|
|||
|
description: |-
|
|||
|
The TSIG Key name configured in the DNS.
|
|||
|
If ``tsigSecretSecretRef`` is defined, this field is required.
|
|||
|
type: string
|
|||
|
tsigSecretSecretRef:
|
|||
|
description: |-
|
|||
|
The name of the secret containing the TSIG value.
|
|||
|
If ``tsigKeyName`` is defined, this field is required.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
route53:
|
|||
|
description: Use the AWS Route53 API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- region
|
|||
|
properties:
|
|||
|
accessKeyID:
|
|||
|
description: |-
|
|||
|
The AccessKeyID is used for authentication.
|
|||
|
Cannot be set when SecretAccessKeyID is set.
|
|||
|
If neither the Access Key nor Key ID are set, we fall-back to using env
|
|||
|
vars, shared credentials file or AWS Instance metadata,
|
|||
|
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|||
|
type: string
|
|||
|
accessKeyIDSecretRef:
|
|||
|
description: |-
|
|||
|
The SecretAccessKey is used for authentication. If set, pull the AWS
|
|||
|
access key ID from a key within a Kubernetes Secret.
|
|||
|
Cannot be set when AccessKeyID is set.
|
|||
|
If neither the Access Key nor Key ID are set, we fall-back to using env
|
|||
|
vars, shared credentials file or AWS Instance metadata,
|
|||
|
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
auth:
|
|||
|
description: Auth configures how cert-manager authenticates.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- kubernetes
|
|||
|
properties:
|
|||
|
kubernetes:
|
|||
|
description: |-
|
|||
|
Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
|
|||
|
by passing a bound ServiceAccount token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- serviceAccountRef
|
|||
|
properties:
|
|||
|
serviceAccountRef:
|
|||
|
description: |-
|
|||
|
A reference to a service account that will be used to request a bound
|
|||
|
token (also known as "projected token"). To use this field, you must
|
|||
|
configure an RBAC rule to let cert-manager request a token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
audiences:
|
|||
|
description: |-
|
|||
|
TokenAudiences is an optional list of audiences to include in the
|
|||
|
token passed to AWS. The default token consisting of the issuer's namespace
|
|||
|
and name is always included.
|
|||
|
If unset the audience defaults to `sts.amazonaws.com`.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: Name of the ServiceAccount used to request a token.
|
|||
|
type: string
|
|||
|
hostedZoneID:
|
|||
|
description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
|
|||
|
type: string
|
|||
|
region:
|
|||
|
description: Always set the region when using AccessKeyID and SecretAccessKey
|
|||
|
type: string
|
|||
|
role:
|
|||
|
description: |-
|
|||
|
Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
|
|||
|
or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
|
|||
|
type: string
|
|||
|
secretAccessKeySecretRef:
|
|||
|
description: |-
|
|||
|
The SecretAccessKey is used for authentication.
|
|||
|
If neither the Access Key nor Key ID are set, we fall-back to using env
|
|||
|
vars, shared credentials file or AWS Instance metadata,
|
|||
|
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
webhook:
|
|||
|
description: |-
|
|||
|
Configure an external webhook based DNS01 challenge solver to manage
|
|||
|
DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- groupName
|
|||
|
- solverName
|
|||
|
properties:
|
|||
|
config:
|
|||
|
description: |-
|
|||
|
Additional configuration that should be passed to the webhook apiserver
|
|||
|
when challenges are processed.
|
|||
|
This can contain arbitrary JSON data.
|
|||
|
Secret values should not be specified in this stanza.
|
|||
|
If secret values are needed (e.g. credentials for a DNS service), you
|
|||
|
should use a SecretKeySelector to reference a Secret resource.
|
|||
|
For details on the schema of this field, consult the webhook provider
|
|||
|
implementation's documentation.
|
|||
|
x-kubernetes-preserve-unknown-fields: true
|
|||
|
groupName:
|
|||
|
description: |-
|
|||
|
The API group name that should be used when POSTing ChallengePayload
|
|||
|
resources to the webhook apiserver.
|
|||
|
This should be the same as the GroupName specified in the webhook
|
|||
|
provider implementation.
|
|||
|
type: string
|
|||
|
solverName:
|
|||
|
description: |-
|
|||
|
The name of the solver to use, as defined in the webhook provider
|
|||
|
implementation.
|
|||
|
This will typically be the name of the provider, e.g. 'cloudflare'.
|
|||
|
type: string
|
|||
|
http01:
|
|||
|
description: |-
|
|||
|
Configures cert-manager to attempt to complete authorizations by
|
|||
|
performing the HTTP01 challenge flow.
|
|||
|
It is not possible to obtain certificates for wildcard domain names
|
|||
|
(e.g. `*.example.com`) using the HTTP01 challenge mechanism.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
gatewayHTTPRoute:
|
|||
|
description: |-
|
|||
|
The Gateway API is a sig-network community API that models service networking
|
|||
|
in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
|
|||
|
create HTTPRoutes with the specified labels in the same namespace as the challenge.
|
|||
|
This solver is experimental, and fields / behaviour may change in the future.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
labels:
|
|||
|
description: |-
|
|||
|
Custom labels that will be applied to HTTPRoutes created by cert-manager
|
|||
|
while solving HTTP-01 challenges.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
parentRefs:
|
|||
|
description: |-
|
|||
|
When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
|
|||
|
cert-manager needs to know which parentRefs should be used when creating
|
|||
|
the HTTPRoute. Usually, the parentRef references a Gateway. See:
|
|||
|
https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
ParentReference identifies an API object (usually a Gateway) that can be considered
|
|||
|
a parent of this resource (usually a route). There are two kinds of parent resources
|
|||
|
with "Core" support:
|
|||
|
|
|||
|
|
|||
|
* Gateway (Gateway conformance profile)
|
|||
|
* Service (Mesh conformance profile, ClusterIP Services only)
|
|||
|
|
|||
|
|
|||
|
This API may be extended in the future to support additional kinds of parent
|
|||
|
resources.
|
|||
|
|
|||
|
|
|||
|
The API object must be valid in the cluster; the Group and Kind must
|
|||
|
be registered in the cluster for this reference to be valid.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
group:
|
|||
|
description: |-
|
|||
|
Group is the group of the referent.
|
|||
|
When unspecified, "gateway.networking.k8s.io" is inferred.
|
|||
|
To set the core API group (such as for a "Service" kind referent),
|
|||
|
Group must be explicitly set to "" (empty string).
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
default: gateway.networking.k8s.io
|
|||
|
maxLength: 253
|
|||
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|||
|
kind:
|
|||
|
description: |-
|
|||
|
Kind is kind of the referent.
|
|||
|
|
|||
|
|
|||
|
There are two kinds of parent resources with "Core" support:
|
|||
|
|
|||
|
|
|||
|
* Gateway (Gateway conformance profile)
|
|||
|
* Service (Mesh conformance profile, ClusterIP Services only)
|
|||
|
|
|||
|
|
|||
|
Support for other resources is Implementation-Specific.
|
|||
|
type: string
|
|||
|
default: Gateway
|
|||
|
maxLength: 63
|
|||
|
minLength: 1
|
|||
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name is the name of the referent.
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
maxLength: 253
|
|||
|
minLength: 1
|
|||
|
namespace:
|
|||
|
description: |-
|
|||
|
Namespace is the namespace of the referent. When unspecified, this refers
|
|||
|
to the local namespace of the Route.
|
|||
|
|
|||
|
|
|||
|
Note that there are specific rules for ParentRefs which cross namespace
|
|||
|
boundaries. Cross-namespace references are only valid if they are explicitly
|
|||
|
allowed by something in the namespace they are referring to. For example:
|
|||
|
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
|
|||
|
generic way to enable any other kind of cross-namespace reference.
|
|||
|
|
|||
|
|
|||
|
<gateway:experimental:description>
|
|||
|
ParentRefs from a Route to a Service in the same namespace are "producer"
|
|||
|
routes, which apply default routing rules to inbound connections from
|
|||
|
any namespace to the Service.
|
|||
|
|
|||
|
|
|||
|
ParentRefs from a Route to a Service in a different namespace are
|
|||
|
"consumer" routes, and these routing rules are only applied to outbound
|
|||
|
connections originating from the same namespace as the Route, for which
|
|||
|
the intended destination of the connections are a Service targeted as a
|
|||
|
ParentRef of the Route.
|
|||
|
</gateway:experimental:description>
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
maxLength: 63
|
|||
|
minLength: 1
|
|||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|||
|
port:
|
|||
|
description: |-
|
|||
|
Port is the network port this Route targets. It can be interpreted
|
|||
|
differently based on the type of parent resource.
|
|||
|
|
|||
|
|
|||
|
When the parent resource is a Gateway, this targets all listeners
|
|||
|
listening on the specified port that also support this kind of Route(and
|
|||
|
select this Route). It's not recommended to set `Port` unless the
|
|||
|
networking behaviors specified in a Route must apply to a specific port
|
|||
|
as opposed to a listener(s) whose port(s) may be changed. When both Port
|
|||
|
and SectionName are specified, the name and port of the selected listener
|
|||
|
must match both specified values.
|
|||
|
|
|||
|
|
|||
|
<gateway:experimental:description>
|
|||
|
When the parent resource is a Service, this targets a specific port in the
|
|||
|
Service spec. When both Port (experimental) and SectionName are specified,
|
|||
|
the name and port of the selected port must match both specified values.
|
|||
|
</gateway:experimental:description>
|
|||
|
|
|||
|
|
|||
|
Implementations MAY choose to support other parent resources.
|
|||
|
Implementations supporting other types of parent resources MUST clearly
|
|||
|
document how/if Port is interpreted.
|
|||
|
|
|||
|
|
|||
|
For the purpose of status, an attachment is considered successful as
|
|||
|
long as the parent resource accepts it partially. For example, Gateway
|
|||
|
listeners can restrict which Routes can attach to them by Route kind,
|
|||
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
|
|||
|
from the referencing Route, the Route MUST be considered successfully
|
|||
|
attached. If no Gateway listeners accept attachment from this Route,
|
|||
|
the Route MUST be considered detached from the Gateway.
|
|||
|
|
|||
|
|
|||
|
Support: Extended
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
maximum: 65535
|
|||
|
minimum: 1
|
|||
|
sectionName:
|
|||
|
description: |-
|
|||
|
SectionName is the name of a section within the target resource. In the
|
|||
|
following resources, SectionName is interpreted as the following:
|
|||
|
|
|||
|
|
|||
|
* Gateway: Listener name. When both Port (experimental) and SectionName
|
|||
|
are specified, the name and port of the selected listener must match
|
|||
|
both specified values.
|
|||
|
* Service: Port name. When both Port (experimental) and SectionName
|
|||
|
are specified, the name and port of the selected listener must match
|
|||
|
both specified values.
|
|||
|
|
|||
|
|
|||
|
Implementations MAY choose to support attaching Routes to other resources.
|
|||
|
If that is the case, they MUST clearly document how SectionName is
|
|||
|
interpreted.
|
|||
|
|
|||
|
|
|||
|
When unspecified (empty string), this will reference the entire resource.
|
|||
|
For the purpose of status, an attachment is considered successful if at
|
|||
|
least one section in the parent resource accepts it. For example, Gateway
|
|||
|
listeners can restrict which Routes can attach to them by Route kind,
|
|||
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
|
|||
|
the referencing Route, the Route MUST be considered successfully
|
|||
|
attached. If no Gateway listeners accept attachment from this Route, the
|
|||
|
Route MUST be considered detached from the Gateway.
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
maxLength: 253
|
|||
|
minLength: 1
|
|||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|||
|
serviceType:
|
|||
|
description: |-
|
|||
|
Optional service type for Kubernetes solver service. Supported values
|
|||
|
are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|||
|
type: string
|
|||
|
ingress:
|
|||
|
description: |-
|
|||
|
The ingress based HTTP01 challenge solver will solve challenges by
|
|||
|
creating or modifying Ingress resources in order to route requests for
|
|||
|
'/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
|
|||
|
provisioned by cert-manager for each Challenge to be completed.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
class:
|
|||
|
description: |-
|
|||
|
This field configures the annotation `kubernetes.io/ingress.class` when
|
|||
|
creating Ingress resources to solve ACME challenges that use this
|
|||
|
challenge solver. Only one of `class`, `name` or `ingressClassName` may
|
|||
|
be specified.
|
|||
|
type: string
|
|||
|
ingressClassName:
|
|||
|
description: |-
|
|||
|
This field configures the field `ingressClassName` on the created Ingress
|
|||
|
resources used to solve ACME challenges that use this challenge solver.
|
|||
|
This is the recommended way of configuring the ingress class. Only one of
|
|||
|
`class`, `name` or `ingressClassName` may be specified.
|
|||
|
type: string
|
|||
|
ingressTemplate:
|
|||
|
description: |-
|
|||
|
Optional ingress template used to configure the ACME challenge solver
|
|||
|
ingress used for HTTP01 challenges.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
metadata:
|
|||
|
description: |-
|
|||
|
ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
|
|||
|
Only the 'labels' and 'annotations' fields may be set.
|
|||
|
If labels or annotations overlap with in-built values, the values here
|
|||
|
will override the in-built values.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
annotations:
|
|||
|
description: Annotations that should be added to the created ACME HTTP01 solver ingress.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
labels:
|
|||
|
description: Labels that should be added to the created ACME HTTP01 solver ingress.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
The name of the ingress resource that should have ACME challenge solving
|
|||
|
routes inserted into it in order to solve HTTP01 challenges.
|
|||
|
This is typically used in conjunction with ingress controllers like
|
|||
|
ingress-gce, which maintains a 1:1 mapping between external IPs and
|
|||
|
ingress resources. Only one of `class`, `name` or `ingressClassName` may
|
|||
|
be specified.
|
|||
|
type: string
|
|||
|
podTemplate:
|
|||
|
description: |-
|
|||
|
Optional pod template used to configure the ACME challenge solver pods
|
|||
|
used for HTTP01 challenges.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
metadata:
|
|||
|
description: |-
|
|||
|
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
|
|||
|
Only the 'labels' and 'annotations' fields may be set.
|
|||
|
If labels or annotations overlap with in-built values, the values here
|
|||
|
will override the in-built values.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
annotations:
|
|||
|
description: Annotations that should be added to the create ACME HTTP01 solver pods.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
labels:
|
|||
|
description: Labels that should be added to the created ACME HTTP01 solver pods.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
spec:
|
|||
|
description: |-
|
|||
|
PodSpec defines overrides for the HTTP01 challenge solver pod.
|
|||
|
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
|
|||
|
All other fields will be ignored.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
affinity:
|
|||
|
description: If specified, the pod's scheduling constraints
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
nodeAffinity:
|
|||
|
description: Describes node affinity scheduling rules for the pod.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|||
|
the affinity expressions specified by this field, but it may choose
|
|||
|
a node that violates one or more of the expressions. The node that is
|
|||
|
most preferred is the one with the greatest sum of weights, i.e.
|
|||
|
for each node that meets all of the scheduling requirements (resource
|
|||
|
request, requiredDuringScheduling affinity expressions, etc.),
|
|||
|
compute a sum by iterating through the elements of this field and adding
|
|||
|
"weight" to the sum if the node matches the corresponding matchExpressions; the
|
|||
|
node(s) with the highest sum are the most preferred.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
An empty preferred scheduling term matches all objects with implicit weight 0
|
|||
|
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- preference
|
|||
|
- weight
|
|||
|
properties:
|
|||
|
preference:
|
|||
|
description: A node selector term, associated with the corresponding weight.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: A list of node selector requirements by node's labels.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchFields:
|
|||
|
description: A list of node selector requirements by node's fields.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
weight:
|
|||
|
description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
If the affinity requirements specified by this field are not met at
|
|||
|
scheduling time, the pod will not be scheduled onto the node.
|
|||
|
If the affinity requirements specified by this field cease to be met
|
|||
|
at some point during pod execution (e.g. due to an update), the system
|
|||
|
may or may not try to eventually evict the pod from its node.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- nodeSelectorTerms
|
|||
|
properties:
|
|||
|
nodeSelectorTerms:
|
|||
|
description: Required. A list of node selector terms. The terms are ORed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A null or empty node selector term matches no objects. The requirements of
|
|||
|
them are ANDed.
|
|||
|
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: A list of node selector requirements by node's labels.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchFields:
|
|||
|
description: A list of node selector requirements by node's fields.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
podAffinity:
|
|||
|
description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|||
|
the affinity expressions specified by this field, but it may choose
|
|||
|
a node that violates one or more of the expressions. The node that is
|
|||
|
most preferred is the one with the greatest sum of weights, i.e.
|
|||
|
for each node that meets all of the scheduling requirements (resource
|
|||
|
request, requiredDuringScheduling affinity expressions, etc.),
|
|||
|
compute a sum by iterating through the elements of this field and adding
|
|||
|
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
|
|||
|
node(s) with the highest sum are the most preferred.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- podAffinityTerm
|
|||
|
- weight
|
|||
|
properties:
|
|||
|
podAffinityTerm:
|
|||
|
description: Required. A pod affinity term, associated with the corresponding weight.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
weight:
|
|||
|
description: |-
|
|||
|
weight associated with matching the corresponding podAffinityTerm,
|
|||
|
in the range 1-100.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
If the affinity requirements specified by this field are not met at
|
|||
|
scheduling time, the pod will not be scheduled onto the node.
|
|||
|
If the affinity requirements specified by this field cease to be met
|
|||
|
at some point during pod execution (e.g. due to a pod label update), the
|
|||
|
system may or may not try to eventually evict the pod from its node.
|
|||
|
When there are multiple elements, the lists of nodes corresponding to each
|
|||
|
podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
Defines a set of pods (namely those matching the labelSelector
|
|||
|
relative to the given namespace(s)) that this pod should be
|
|||
|
co-located (affinity) or not co-located (anti-affinity) with,
|
|||
|
where co-located is defined as running on a node whose value of
|
|||
|
the label with key <topologyKey> matches that of any node on which
|
|||
|
a pod of the set of pods is running
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
podAntiAffinity:
|
|||
|
description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|||
|
the anti-affinity expressions specified by this field, but it may choose
|
|||
|
a node that violates one or more of the expressions. The node that is
|
|||
|
most preferred is the one with the greatest sum of weights, i.e.
|
|||
|
for each node that meets all of the scheduling requirements (resource
|
|||
|
request, requiredDuringScheduling anti-affinity expressions, etc.),
|
|||
|
compute a sum by iterating through the elements of this field and adding
|
|||
|
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
|
|||
|
node(s) with the highest sum are the most preferred.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- podAffinityTerm
|
|||
|
- weight
|
|||
|
properties:
|
|||
|
podAffinityTerm:
|
|||
|
description: Required. A pod affinity term, associated with the corresponding weight.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
weight:
|
|||
|
description: |-
|
|||
|
weight associated with matching the corresponding podAffinityTerm,
|
|||
|
in the range 1-100.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
If the anti-affinity requirements specified by this field are not met at
|
|||
|
scheduling time, the pod will not be scheduled onto the node.
|
|||
|
If the anti-affinity requirements specified by this field cease to be met
|
|||
|
at some point during pod execution (e.g. due to a pod label update), the
|
|||
|
system may or may not try to eventually evict the pod from its node.
|
|||
|
When there are multiple elements, the lists of nodes corresponding to each
|
|||
|
podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
Defines a set of pods (namely those matching the labelSelector
|
|||
|
relative to the given namespace(s)) that this pod should be
|
|||
|
co-located (affinity) or not co-located (anti-affinity) with,
|
|||
|
where co-located is defined as running on a node whose value of
|
|||
|
the label with key <topologyKey> matches that of any node on which
|
|||
|
a pod of the set of pods is running
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
imagePullSecrets:
|
|||
|
description: If specified, the pod's imagePullSecrets
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
LocalObjectReference contains enough information to let you locate the
|
|||
|
referenced object inside the same namespace.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the referent.
|
|||
|
This field is effectively required, but due to backwards compatibility is
|
|||
|
allowed to be empty. Instances of this type with an empty value here are
|
|||
|
almost certainly wrong.
|
|||
|
TODO: Add other useful fields. apiVersion, kind, uid?
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
|
|||
|
type: string
|
|||
|
default: ""
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
nodeSelector:
|
|||
|
description: |-
|
|||
|
NodeSelector is a selector which must be true for the pod to fit on a node.
|
|||
|
Selector which must match a node's labels for the pod to be scheduled on that node.
|
|||
|
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
priorityClassName:
|
|||
|
description: If specified, the pod's priorityClassName.
|
|||
|
type: string
|
|||
|
serviceAccountName:
|
|||
|
description: If specified, the pod's service account
|
|||
|
type: string
|
|||
|
tolerations:
|
|||
|
description: If specified, the pod's tolerations.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
The pod this Toleration is attached to tolerates any taint that matches
|
|||
|
the triple <key,value,effect> using the matching operator <operator>.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
effect:
|
|||
|
description: |-
|
|||
|
Effect indicates the taint effect to match. Empty means match all taint effects.
|
|||
|
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
|
|||
|
type: string
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
Key is the taint key that the toleration applies to. Empty means match all taint keys.
|
|||
|
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Operator represents a key's relationship to the value.
|
|||
|
Valid operators are Exists and Equal. Defaults to Equal.
|
|||
|
Exists is equivalent to wildcard for value, so that a pod can
|
|||
|
tolerate all taints of a particular category.
|
|||
|
type: string
|
|||
|
tolerationSeconds:
|
|||
|
description: |-
|
|||
|
TolerationSeconds represents the period of time the toleration (which must be
|
|||
|
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
|
|||
|
it is not set, which means tolerate the taint forever (do not evict). Zero and
|
|||
|
negative values will be treated as 0 (evict immediately) by the system.
|
|||
|
type: integer
|
|||
|
format: int64
|
|||
|
value:
|
|||
|
description: |-
|
|||
|
Value is the taint value the toleration matches to.
|
|||
|
If the operator is Exists, the value should be empty, otherwise just a regular string.
|
|||
|
type: string
|
|||
|
serviceType:
|
|||
|
description: |-
|
|||
|
Optional service type for Kubernetes solver service. Supported values
|
|||
|
are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|||
|
type: string
|
|||
|
selector:
|
|||
|
description: |-
|
|||
|
Selector selects a set of DNSNames on the Certificate resource that
|
|||
|
should be solved using this challenge solver.
|
|||
|
If not specified, the solver will be treated as the 'default' solver
|
|||
|
with the lowest priority, i.e. if any other solver has a more specific
|
|||
|
match, it will be used instead.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
dnsNames:
|
|||
|
description: |-
|
|||
|
List of DNSNames that this solver will be used to solve.
|
|||
|
If specified and a match is found, a dnsNames selector will take
|
|||
|
precedence over a dnsZones selector.
|
|||
|
If multiple solvers match with the same dnsNames value, the solver
|
|||
|
with the most matching labels in matchLabels will be selected.
|
|||
|
If neither has more matches, the solver defined earlier in the list
|
|||
|
will be selected.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
dnsZones:
|
|||
|
description: |-
|
|||
|
List of DNSZones that this solver will be used to solve.
|
|||
|
The most specific DNS zone match specified here will take precedence
|
|||
|
over other DNS zone matches, so a solver specifying sys.example.com
|
|||
|
will be selected over one specifying example.com for the domain
|
|||
|
www.sys.example.com.
|
|||
|
If multiple solvers match with the same dnsZones value, the solver
|
|||
|
with the most matching labels in matchLabels will be selected.
|
|||
|
If neither has more matches, the solver defined earlier in the list
|
|||
|
will be selected.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
A label selector that is used to refine the set of certificate's that
|
|||
|
this challenge solver will apply to.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
token:
|
|||
|
description: |-
|
|||
|
The ACME challenge token for this challenge.
|
|||
|
This is the raw value returned from the ACME server.
|
|||
|
type: string
|
|||
|
type:
|
|||
|
description: |-
|
|||
|
The type of ACME challenge this resource represents.
|
|||
|
One of "HTTP-01" or "DNS-01".
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- HTTP-01
|
|||
|
- DNS-01
|
|||
|
url:
|
|||
|
description: |-
|
|||
|
The URL of the ACME Challenge resource for this challenge.
|
|||
|
This can be used to lookup details about the status of this challenge.
|
|||
|
type: string
|
|||
|
wildcard:
|
|||
|
description: |-
|
|||
|
wildcard will be true if this challenge is for a wildcard identifier,
|
|||
|
for example '*.example.com'.
|
|||
|
type: boolean
|
|||
|
status:
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
presented:
|
|||
|
description: |-
|
|||
|
presented will be set to true if the challenge values for this challenge
|
|||
|
are currently 'presented'.
|
|||
|
This *does not* imply the self check is passing. Only that the values
|
|||
|
have been 'submitted' for the appropriate challenge mechanism (i.e. the
|
|||
|
DNS01 TXT record has been presented, or the HTTP01 configuration has been
|
|||
|
configured).
|
|||
|
type: boolean
|
|||
|
processing:
|
|||
|
description: |-
|
|||
|
Used to denote whether this challenge should be processed or not.
|
|||
|
This field will only be set to true by the 'scheduling' component.
|
|||
|
It will only be set to false by the 'challenges' controller, after the
|
|||
|
challenge has reached a final state or timed out.
|
|||
|
If this field is set to false, the challenge controller will not take
|
|||
|
any more action.
|
|||
|
type: boolean
|
|||
|
reason:
|
|||
|
description: |-
|
|||
|
Contains human readable information on why the Challenge is in the
|
|||
|
current state.
|
|||
|
type: string
|
|||
|
state:
|
|||
|
description: |-
|
|||
|
Contains the current 'state' of the challenge.
|
|||
|
If not set, the state of the challenge is unknown.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- valid
|
|||
|
- ready
|
|||
|
- pending
|
|||
|
- processing
|
|||
|
- invalid
|
|||
|
- expired
|
|||
|
- errored
|
|||
|
served: true
|
|||
|
storage: true
|
|||
|
subresources:
|
|||
|
status: {}
|
|||
|
|
|||
|
# END crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
apiVersion: apiextensions.k8s.io/v1
|
|||
|
kind: CustomResourceDefinition
|
|||
|
metadata:
|
|||
|
name: clusterissuers.cert-manager.io
|
|||
|
# START annotations
|
|||
|
annotations:
|
|||
|
helm.sh/resource-policy: keep
|
|||
|
# END annotations
|
|||
|
labels:
|
|||
|
app: 'cert-manager'
|
|||
|
app.kubernetes.io/name: 'cert-manager'
|
|||
|
app.kubernetes.io/instance: 'cert-manager'
|
|||
|
# Generated labels
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
group: cert-manager.io
|
|||
|
names:
|
|||
|
kind: ClusterIssuer
|
|||
|
listKind: ClusterIssuerList
|
|||
|
plural: clusterissuers
|
|||
|
singular: clusterissuer
|
|||
|
categories:
|
|||
|
- cert-manager
|
|||
|
scope: Cluster
|
|||
|
versions:
|
|||
|
- name: v1
|
|||
|
subresources:
|
|||
|
status: {}
|
|||
|
additionalPrinterColumns:
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|||
|
name: Ready
|
|||
|
type: string
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|||
|
name: Status
|
|||
|
priority: 1
|
|||
|
type: string
|
|||
|
- jsonPath: .metadata.creationTimestamp
|
|||
|
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|||
|
name: Age
|
|||
|
type: date
|
|||
|
schema:
|
|||
|
openAPIV3Schema:
|
|||
|
description: |-
|
|||
|
A ClusterIssuer represents a certificate issuing authority which can be
|
|||
|
referenced as part of `issuerRef` fields.
|
|||
|
It is similar to an Issuer, however it is cluster-scoped and therefore can
|
|||
|
be referenced by resources that exist in *any* namespace, not just the same
|
|||
|
namespace as the referent.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- spec
|
|||
|
properties:
|
|||
|
apiVersion:
|
|||
|
description: |-
|
|||
|
APIVersion defines the versioned schema of this representation of an object.
|
|||
|
Servers should convert recognized schemas to the latest internal value, and
|
|||
|
may reject unrecognized values.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: |-
|
|||
|
Kind is a string value representing the REST resource this object represents.
|
|||
|
Servers may infer this from the endpoint the client submits requests to.
|
|||
|
Cannot be updated.
|
|||
|
In CamelCase.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|||
|
type: string
|
|||
|
metadata:
|
|||
|
type: object
|
|||
|
spec:
|
|||
|
description: Desired state of the ClusterIssuer resource.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
acme:
|
|||
|
description: |-
|
|||
|
ACME configures this issuer to communicate with a RFC8555 (ACME) server
|
|||
|
to obtain signed x509 certificates.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- privateKeySecretRef
|
|||
|
- server
|
|||
|
properties:
|
|||
|
caBundle:
|
|||
|
description: |-
|
|||
|
Base64-encoded bundle of PEM CAs which can be used to validate the certificate
|
|||
|
chain presented by the ACME server.
|
|||
|
Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
|
|||
|
kinds of security vulnerabilities.
|
|||
|
If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
|
|||
|
the container is used to validate the TLS connection.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
disableAccountKeyGeneration:
|
|||
|
description: |-
|
|||
|
Enables or disables generating a new ACME account key.
|
|||
|
If true, the Issuer resource will *not* request a new account but will expect
|
|||
|
the account key to be supplied via an existing secret.
|
|||
|
If false, the cert-manager system will generate a new ACME account key
|
|||
|
for the Issuer.
|
|||
|
Defaults to false.
|
|||
|
type: boolean
|
|||
|
email:
|
|||
|
description: |-
|
|||
|
Email is the email address to be associated with the ACME account.
|
|||
|
This field is optional, but it is strongly recommended to be set.
|
|||
|
It will be used to contact you in case of issues with your account or
|
|||
|
certificates, including expiry notification emails.
|
|||
|
This field may be updated after the account is initially registered.
|
|||
|
type: string
|
|||
|
enableDurationFeature:
|
|||
|
description: |-
|
|||
|
Enables requesting a Not After date on certificates that matches the
|
|||
|
duration of the certificate. This is not supported by all ACME servers
|
|||
|
like Let's Encrypt. If set to true when the ACME server does not support
|
|||
|
it, it will create an error on the Order.
|
|||
|
Defaults to false.
|
|||
|
type: boolean
|
|||
|
externalAccountBinding:
|
|||
|
description: |-
|
|||
|
ExternalAccountBinding is a reference to a CA external account of the ACME
|
|||
|
server.
|
|||
|
If set, upon registration cert-manager will attempt to associate the given
|
|||
|
external account credentials with the registered ACME account.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- keyID
|
|||
|
- keySecretRef
|
|||
|
properties:
|
|||
|
keyAlgorithm:
|
|||
|
description: |-
|
|||
|
Deprecated: keyAlgorithm field exists for historical compatibility
|
|||
|
reasons and should not be used. The algorithm is now hardcoded to HS256
|
|||
|
in golang/x/crypto/acme.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- HS256
|
|||
|
- HS384
|
|||
|
- HS512
|
|||
|
keyID:
|
|||
|
description: keyID is the ID of the CA key that the External Account is bound to.
|
|||
|
type: string
|
|||
|
keySecretRef:
|
|||
|
description: |-
|
|||
|
keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
|
|||
|
Secret which holds the symmetric MAC key of the External Account Binding.
|
|||
|
The `key` is the index string that is paired with the key data in the
|
|||
|
Secret and should not be confused with the key data itself, or indeed with
|
|||
|
the External Account Binding keyID above.
|
|||
|
The secret key stored in the Secret **must** be un-padded, base64 URL
|
|||
|
encoded data.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
preferredChain:
|
|||
|
description: |-
|
|||
|
PreferredChain is the chain to use if the ACME server outputs multiple.
|
|||
|
PreferredChain is no guarantee that this one gets delivered by the ACME
|
|||
|
endpoint.
|
|||
|
For example, for Let's Encrypt's DST crosssign you would use:
|
|||
|
"DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
|
|||
|
This value picks the first certificate bundle in the combined set of
|
|||
|
ACME default and alternative chains that has a root-most certificate with
|
|||
|
this value as its issuer's commonname.
|
|||
|
type: string
|
|||
|
maxLength: 64
|
|||
|
privateKeySecretRef:
|
|||
|
description: |-
|
|||
|
PrivateKey is the name of a Kubernetes Secret resource that will be used to
|
|||
|
store the automatically generated ACME account private key.
|
|||
|
Optionally, a `key` may be specified to select a specific entry within
|
|||
|
the named Secret resource.
|
|||
|
If `key` is not specified, a default of `tls.key` will be used.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
server:
|
|||
|
description: |-
|
|||
|
Server is the URL used to access the ACME server's 'directory' endpoint.
|
|||
|
For example, for Let's Encrypt's staging endpoint, you would use:
|
|||
|
"https://acme-staging-v02.api.letsencrypt.org/directory".
|
|||
|
Only ACME v2 endpoints (i.e. RFC 8555) are supported.
|
|||
|
type: string
|
|||
|
skipTLSVerify:
|
|||
|
description: |-
|
|||
|
INSECURE: Enables or disables validation of the ACME server TLS certificate.
|
|||
|
If true, requests to the ACME server will not have the TLS certificate chain
|
|||
|
validated.
|
|||
|
Mutually exclusive with CABundle; prefer using CABundle to prevent various
|
|||
|
kinds of security vulnerabilities.
|
|||
|
Only enable this option in development environments.
|
|||
|
If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
|
|||
|
the container is used to validate the TLS connection.
|
|||
|
Defaults to false.
|
|||
|
type: boolean
|
|||
|
solvers:
|
|||
|
description: |-
|
|||
|
Solvers is a list of challenge solvers that will be used to solve
|
|||
|
ACME challenges for the matching domains.
|
|||
|
Solver configurations must be provided in order to obtain certificates
|
|||
|
from an ACME server.
|
|||
|
For more information, see: https://cert-manager.io/docs/configuration/acme/
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
|
|||
|
A selector may be provided to use different solving strategies for different DNS names.
|
|||
|
Only one of HTTP01 or DNS01 must be provided.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
dns01:
|
|||
|
description: |-
|
|||
|
Configures cert-manager to attempt to complete authorizations by
|
|||
|
performing the DNS01 challenge flow.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
acmeDNS:
|
|||
|
description: |-
|
|||
|
Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
|
|||
|
DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- accountSecretRef
|
|||
|
- host
|
|||
|
properties:
|
|||
|
accountSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
host:
|
|||
|
type: string
|
|||
|
akamai:
|
|||
|
description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- accessTokenSecretRef
|
|||
|
- clientSecretSecretRef
|
|||
|
- clientTokenSecretRef
|
|||
|
- serviceConsumerDomain
|
|||
|
properties:
|
|||
|
accessTokenSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientSecretSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientTokenSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
serviceConsumerDomain:
|
|||
|
type: string
|
|||
|
azureDNS:
|
|||
|
description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- resourceGroupName
|
|||
|
- subscriptionID
|
|||
|
properties:
|
|||
|
clientID:
|
|||
|
description: |-
|
|||
|
Auth: Azure Service Principal:
|
|||
|
The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
|
|||
|
If set, ClientSecret and TenantID must also be set.
|
|||
|
type: string
|
|||
|
clientSecretSecretRef:
|
|||
|
description: |-
|
|||
|
Auth: Azure Service Principal:
|
|||
|
A reference to a Secret containing the password associated with the Service Principal.
|
|||
|
If set, ClientID and TenantID must also be set.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
environment:
|
|||
|
description: name of the Azure environment (default AzurePublicCloud)
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- AzurePublicCloud
|
|||
|
- AzureChinaCloud
|
|||
|
- AzureGermanCloud
|
|||
|
- AzureUSGovernmentCloud
|
|||
|
hostedZoneName:
|
|||
|
description: name of the DNS zone that should be used
|
|||
|
type: string
|
|||
|
managedIdentity:
|
|||
|
description: |-
|
|||
|
Auth: Azure Workload Identity or Azure Managed Service Identity:
|
|||
|
Settings to enable Azure Workload Identity or Azure Managed Service Identity
|
|||
|
If set, ClientID, ClientSecret and TenantID must not be set.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
clientID:
|
|||
|
description: client ID of the managed identity, can not be used at the same time as resourceID
|
|||
|
type: string
|
|||
|
resourceID:
|
|||
|
description: |-
|
|||
|
resource ID of the managed identity, can not be used at the same time as clientID
|
|||
|
Cannot be used for Azure Managed Service Identity
|
|||
|
type: string
|
|||
|
resourceGroupName:
|
|||
|
description: resource group the DNS zone is located in
|
|||
|
type: string
|
|||
|
subscriptionID:
|
|||
|
description: ID of the Azure subscription
|
|||
|
type: string
|
|||
|
tenantID:
|
|||
|
description: |-
|
|||
|
Auth: Azure Service Principal:
|
|||
|
The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
|
|||
|
If set, ClientID and ClientSecret must also be set.
|
|||
|
type: string
|
|||
|
cloudDNS:
|
|||
|
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- project
|
|||
|
properties:
|
|||
|
hostedZoneName:
|
|||
|
description: |-
|
|||
|
HostedZoneName is an optional field that tells cert-manager in which
|
|||
|
Cloud DNS zone the challenge record has to be created.
|
|||
|
If left empty cert-manager will automatically choose a zone.
|
|||
|
type: string
|
|||
|
project:
|
|||
|
type: string
|
|||
|
serviceAccountSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
cloudflare:
|
|||
|
description: Use the Cloudflare API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
apiKeySecretRef:
|
|||
|
description: |-
|
|||
|
API key to use to authenticate with Cloudflare.
|
|||
|
Note: using an API token to authenticate is now the recommended method
|
|||
|
as it allows greater control of permissions.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
apiTokenSecretRef:
|
|||
|
description: API token used to authenticate with Cloudflare.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
email:
|
|||
|
description: Email of the account, only required when using API key based authentication.
|
|||
|
type: string
|
|||
|
cnameStrategy:
|
|||
|
description: |-
|
|||
|
CNAMEStrategy configures how the DNS01 provider should handle CNAME
|
|||
|
records when found in DNS zones.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- None
|
|||
|
- Follow
|
|||
|
digitalocean:
|
|||
|
description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- tokenSecretRef
|
|||
|
properties:
|
|||
|
tokenSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
rfc2136:
|
|||
|
description: |-
|
|||
|
Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
|||
|
to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- nameserver
|
|||
|
properties:
|
|||
|
nameserver:
|
|||
|
description: |-
|
|||
|
The IP address or hostname of an authoritative DNS server supporting
|
|||
|
RFC2136 in the form host:port. If the host is an IPv6 address it must be
|
|||
|
enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
|
|||
|
This field is required.
|
|||
|
type: string
|
|||
|
tsigAlgorithm:
|
|||
|
description: |-
|
|||
|
The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
|
|||
|
when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
|
|||
|
Supported values are (case-insensitive): ``HMACMD5`` (default),
|
|||
|
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
|
|||
|
type: string
|
|||
|
tsigKeyName:
|
|||
|
description: |-
|
|||
|
The TSIG Key name configured in the DNS.
|
|||
|
If ``tsigSecretSecretRef`` is defined, this field is required.
|
|||
|
type: string
|
|||
|
tsigSecretSecretRef:
|
|||
|
description: |-
|
|||
|
The name of the secret containing the TSIG value.
|
|||
|
If ``tsigKeyName`` is defined, this field is required.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
route53:
|
|||
|
description: Use the AWS Route53 API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- region
|
|||
|
properties:
|
|||
|
accessKeyID:
|
|||
|
description: |-
|
|||
|
The AccessKeyID is used for authentication.
|
|||
|
Cannot be set when SecretAccessKeyID is set.
|
|||
|
If neither the Access Key nor Key ID are set, we fall-back to using env
|
|||
|
vars, shared credentials file or AWS Instance metadata,
|
|||
|
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|||
|
type: string
|
|||
|
accessKeyIDSecretRef:
|
|||
|
description: |-
|
|||
|
The SecretAccessKey is used for authentication. If set, pull the AWS
|
|||
|
access key ID from a key within a Kubernetes Secret.
|
|||
|
Cannot be set when AccessKeyID is set.
|
|||
|
If neither the Access Key nor Key ID are set, we fall-back to using env
|
|||
|
vars, shared credentials file or AWS Instance metadata,
|
|||
|
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
auth:
|
|||
|
description: Auth configures how cert-manager authenticates.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- kubernetes
|
|||
|
properties:
|
|||
|
kubernetes:
|
|||
|
description: |-
|
|||
|
Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
|
|||
|
by passing a bound ServiceAccount token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- serviceAccountRef
|
|||
|
properties:
|
|||
|
serviceAccountRef:
|
|||
|
description: |-
|
|||
|
A reference to a service account that will be used to request a bound
|
|||
|
token (also known as "projected token"). To use this field, you must
|
|||
|
configure an RBAC rule to let cert-manager request a token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
audiences:
|
|||
|
description: |-
|
|||
|
TokenAudiences is an optional list of audiences to include in the
|
|||
|
token passed to AWS. The default token consisting of the issuer's namespace
|
|||
|
and name is always included.
|
|||
|
If unset the audience defaults to `sts.amazonaws.com`.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: Name of the ServiceAccount used to request a token.
|
|||
|
type: string
|
|||
|
hostedZoneID:
|
|||
|
description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
|
|||
|
type: string
|
|||
|
region:
|
|||
|
description: Always set the region when using AccessKeyID and SecretAccessKey
|
|||
|
type: string
|
|||
|
role:
|
|||
|
description: |-
|
|||
|
Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
|
|||
|
or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
|
|||
|
type: string
|
|||
|
secretAccessKeySecretRef:
|
|||
|
description: |-
|
|||
|
The SecretAccessKey is used for authentication.
|
|||
|
If neither the Access Key nor Key ID are set, we fall-back to using env
|
|||
|
vars, shared credentials file or AWS Instance metadata,
|
|||
|
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
webhook:
|
|||
|
description: |-
|
|||
|
Configure an external webhook based DNS01 challenge solver to manage
|
|||
|
DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- groupName
|
|||
|
- solverName
|
|||
|
properties:
|
|||
|
config:
|
|||
|
description: |-
|
|||
|
Additional configuration that should be passed to the webhook apiserver
|
|||
|
when challenges are processed.
|
|||
|
This can contain arbitrary JSON data.
|
|||
|
Secret values should not be specified in this stanza.
|
|||
|
If secret values are needed (e.g. credentials for a DNS service), you
|
|||
|
should use a SecretKeySelector to reference a Secret resource.
|
|||
|
For details on the schema of this field, consult the webhook provider
|
|||
|
implementation's documentation.
|
|||
|
x-kubernetes-preserve-unknown-fields: true
|
|||
|
groupName:
|
|||
|
description: |-
|
|||
|
The API group name that should be used when POSTing ChallengePayload
|
|||
|
resources to the webhook apiserver.
|
|||
|
This should be the same as the GroupName specified in the webhook
|
|||
|
provider implementation.
|
|||
|
type: string
|
|||
|
solverName:
|
|||
|
description: |-
|
|||
|
The name of the solver to use, as defined in the webhook provider
|
|||
|
implementation.
|
|||
|
This will typically be the name of the provider, e.g. 'cloudflare'.
|
|||
|
type: string
|
|||
|
http01:
|
|||
|
description: |-
|
|||
|
Configures cert-manager to attempt to complete authorizations by
|
|||
|
performing the HTTP01 challenge flow.
|
|||
|
It is not possible to obtain certificates for wildcard domain names
|
|||
|
(e.g. `*.example.com`) using the HTTP01 challenge mechanism.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
gatewayHTTPRoute:
|
|||
|
description: |-
|
|||
|
The Gateway API is a sig-network community API that models service networking
|
|||
|
in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
|
|||
|
create HTTPRoutes with the specified labels in the same namespace as the challenge.
|
|||
|
This solver is experimental, and fields / behaviour may change in the future.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
labels:
|
|||
|
description: |-
|
|||
|
Custom labels that will be applied to HTTPRoutes created by cert-manager
|
|||
|
while solving HTTP-01 challenges.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
parentRefs:
|
|||
|
description: |-
|
|||
|
When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
|
|||
|
cert-manager needs to know which parentRefs should be used when creating
|
|||
|
the HTTPRoute. Usually, the parentRef references a Gateway. See:
|
|||
|
https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
ParentReference identifies an API object (usually a Gateway) that can be considered
|
|||
|
a parent of this resource (usually a route). There are two kinds of parent resources
|
|||
|
with "Core" support:
|
|||
|
|
|||
|
|
|||
|
* Gateway (Gateway conformance profile)
|
|||
|
* Service (Mesh conformance profile, ClusterIP Services only)
|
|||
|
|
|||
|
|
|||
|
This API may be extended in the future to support additional kinds of parent
|
|||
|
resources.
|
|||
|
|
|||
|
|
|||
|
The API object must be valid in the cluster; the Group and Kind must
|
|||
|
be registered in the cluster for this reference to be valid.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
group:
|
|||
|
description: |-
|
|||
|
Group is the group of the referent.
|
|||
|
When unspecified, "gateway.networking.k8s.io" is inferred.
|
|||
|
To set the core API group (such as for a "Service" kind referent),
|
|||
|
Group must be explicitly set to "" (empty string).
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
default: gateway.networking.k8s.io
|
|||
|
maxLength: 253
|
|||
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|||
|
kind:
|
|||
|
description: |-
|
|||
|
Kind is kind of the referent.
|
|||
|
|
|||
|
|
|||
|
There are two kinds of parent resources with "Core" support:
|
|||
|
|
|||
|
|
|||
|
* Gateway (Gateway conformance profile)
|
|||
|
* Service (Mesh conformance profile, ClusterIP Services only)
|
|||
|
|
|||
|
|
|||
|
Support for other resources is Implementation-Specific.
|
|||
|
type: string
|
|||
|
default: Gateway
|
|||
|
maxLength: 63
|
|||
|
minLength: 1
|
|||
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name is the name of the referent.
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
maxLength: 253
|
|||
|
minLength: 1
|
|||
|
namespace:
|
|||
|
description: |-
|
|||
|
Namespace is the namespace of the referent. When unspecified, this refers
|
|||
|
to the local namespace of the Route.
|
|||
|
|
|||
|
|
|||
|
Note that there are specific rules for ParentRefs which cross namespace
|
|||
|
boundaries. Cross-namespace references are only valid if they are explicitly
|
|||
|
allowed by something in the namespace they are referring to. For example:
|
|||
|
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
|
|||
|
generic way to enable any other kind of cross-namespace reference.
|
|||
|
|
|||
|
|
|||
|
<gateway:experimental:description>
|
|||
|
ParentRefs from a Route to a Service in the same namespace are "producer"
|
|||
|
routes, which apply default routing rules to inbound connections from
|
|||
|
any namespace to the Service.
|
|||
|
|
|||
|
|
|||
|
ParentRefs from a Route to a Service in a different namespace are
|
|||
|
"consumer" routes, and these routing rules are only applied to outbound
|
|||
|
connections originating from the same namespace as the Route, for which
|
|||
|
the intended destination of the connections are a Service targeted as a
|
|||
|
ParentRef of the Route.
|
|||
|
</gateway:experimental:description>
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
maxLength: 63
|
|||
|
minLength: 1
|
|||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|||
|
port:
|
|||
|
description: |-
|
|||
|
Port is the network port this Route targets. It can be interpreted
|
|||
|
differently based on the type of parent resource.
|
|||
|
|
|||
|
|
|||
|
When the parent resource is a Gateway, this targets all listeners
|
|||
|
listening on the specified port that also support this kind of Route(and
|
|||
|
select this Route). It's not recommended to set `Port` unless the
|
|||
|
networking behaviors specified in a Route must apply to a specific port
|
|||
|
as opposed to a listener(s) whose port(s) may be changed. When both Port
|
|||
|
and SectionName are specified, the name and port of the selected listener
|
|||
|
must match both specified values.
|
|||
|
|
|||
|
|
|||
|
<gateway:experimental:description>
|
|||
|
When the parent resource is a Service, this targets a specific port in the
|
|||
|
Service spec. When both Port (experimental) and SectionName are specified,
|
|||
|
the name and port of the selected port must match both specified values.
|
|||
|
</gateway:experimental:description>
|
|||
|
|
|||
|
|
|||
|
Implementations MAY choose to support other parent resources.
|
|||
|
Implementations supporting other types of parent resources MUST clearly
|
|||
|
document how/if Port is interpreted.
|
|||
|
|
|||
|
|
|||
|
For the purpose of status, an attachment is considered successful as
|
|||
|
long as the parent resource accepts it partially. For example, Gateway
|
|||
|
listeners can restrict which Routes can attach to them by Route kind,
|
|||
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
|
|||
|
from the referencing Route, the Route MUST be considered successfully
|
|||
|
attached. If no Gateway listeners accept attachment from this Route,
|
|||
|
the Route MUST be considered detached from the Gateway.
|
|||
|
|
|||
|
|
|||
|
Support: Extended
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
maximum: 65535
|
|||
|
minimum: 1
|
|||
|
sectionName:
|
|||
|
description: |-
|
|||
|
SectionName is the name of a section within the target resource. In the
|
|||
|
following resources, SectionName is interpreted as the following:
|
|||
|
|
|||
|
|
|||
|
* Gateway: Listener name. When both Port (experimental) and SectionName
|
|||
|
are specified, the name and port of the selected listener must match
|
|||
|
both specified values.
|
|||
|
* Service: Port name. When both Port (experimental) and SectionName
|
|||
|
are specified, the name and port of the selected listener must match
|
|||
|
both specified values.
|
|||
|
|
|||
|
|
|||
|
Implementations MAY choose to support attaching Routes to other resources.
|
|||
|
If that is the case, they MUST clearly document how SectionName is
|
|||
|
interpreted.
|
|||
|
|
|||
|
|
|||
|
When unspecified (empty string), this will reference the entire resource.
|
|||
|
For the purpose of status, an attachment is considered successful if at
|
|||
|
least one section in the parent resource accepts it. For example, Gateway
|
|||
|
listeners can restrict which Routes can attach to them by Route kind,
|
|||
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
|
|||
|
the referencing Route, the Route MUST be considered successfully
|
|||
|
attached. If no Gateway listeners accept attachment from this Route, the
|
|||
|
Route MUST be considered detached from the Gateway.
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
maxLength: 253
|
|||
|
minLength: 1
|
|||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|||
|
serviceType:
|
|||
|
description: |-
|
|||
|
Optional service type for Kubernetes solver service. Supported values
|
|||
|
are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|||
|
type: string
|
|||
|
ingress:
|
|||
|
description: |-
|
|||
|
The ingress based HTTP01 challenge solver will solve challenges by
|
|||
|
creating or modifying Ingress resources in order to route requests for
|
|||
|
'/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
|
|||
|
provisioned by cert-manager for each Challenge to be completed.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
class:
|
|||
|
description: |-
|
|||
|
This field configures the annotation `kubernetes.io/ingress.class` when
|
|||
|
creating Ingress resources to solve ACME challenges that use this
|
|||
|
challenge solver. Only one of `class`, `name` or `ingressClassName` may
|
|||
|
be specified.
|
|||
|
type: string
|
|||
|
ingressClassName:
|
|||
|
description: |-
|
|||
|
This field configures the field `ingressClassName` on the created Ingress
|
|||
|
resources used to solve ACME challenges that use this challenge solver.
|
|||
|
This is the recommended way of configuring the ingress class. Only one of
|
|||
|
`class`, `name` or `ingressClassName` may be specified.
|
|||
|
type: string
|
|||
|
ingressTemplate:
|
|||
|
description: |-
|
|||
|
Optional ingress template used to configure the ACME challenge solver
|
|||
|
ingress used for HTTP01 challenges.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
metadata:
|
|||
|
description: |-
|
|||
|
ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
|
|||
|
Only the 'labels' and 'annotations' fields may be set.
|
|||
|
If labels or annotations overlap with in-built values, the values here
|
|||
|
will override the in-built values.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
annotations:
|
|||
|
description: Annotations that should be added to the created ACME HTTP01 solver ingress.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
labels:
|
|||
|
description: Labels that should be added to the created ACME HTTP01 solver ingress.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
The name of the ingress resource that should have ACME challenge solving
|
|||
|
routes inserted into it in order to solve HTTP01 challenges.
|
|||
|
This is typically used in conjunction with ingress controllers like
|
|||
|
ingress-gce, which maintains a 1:1 mapping between external IPs and
|
|||
|
ingress resources. Only one of `class`, `name` or `ingressClassName` may
|
|||
|
be specified.
|
|||
|
type: string
|
|||
|
podTemplate:
|
|||
|
description: |-
|
|||
|
Optional pod template used to configure the ACME challenge solver pods
|
|||
|
used for HTTP01 challenges.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
metadata:
|
|||
|
description: |-
|
|||
|
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
|
|||
|
Only the 'labels' and 'annotations' fields may be set.
|
|||
|
If labels or annotations overlap with in-built values, the values here
|
|||
|
will override the in-built values.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
annotations:
|
|||
|
description: Annotations that should be added to the create ACME HTTP01 solver pods.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
labels:
|
|||
|
description: Labels that should be added to the created ACME HTTP01 solver pods.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
spec:
|
|||
|
description: |-
|
|||
|
PodSpec defines overrides for the HTTP01 challenge solver pod.
|
|||
|
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
|
|||
|
All other fields will be ignored.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
affinity:
|
|||
|
description: If specified, the pod's scheduling constraints
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
nodeAffinity:
|
|||
|
description: Describes node affinity scheduling rules for the pod.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|||
|
the affinity expressions specified by this field, but it may choose
|
|||
|
a node that violates one or more of the expressions. The node that is
|
|||
|
most preferred is the one with the greatest sum of weights, i.e.
|
|||
|
for each node that meets all of the scheduling requirements (resource
|
|||
|
request, requiredDuringScheduling affinity expressions, etc.),
|
|||
|
compute a sum by iterating through the elements of this field and adding
|
|||
|
"weight" to the sum if the node matches the corresponding matchExpressions; the
|
|||
|
node(s) with the highest sum are the most preferred.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
An empty preferred scheduling term matches all objects with implicit weight 0
|
|||
|
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- preference
|
|||
|
- weight
|
|||
|
properties:
|
|||
|
preference:
|
|||
|
description: A node selector term, associated with the corresponding weight.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: A list of node selector requirements by node's labels.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchFields:
|
|||
|
description: A list of node selector requirements by node's fields.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
weight:
|
|||
|
description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
If the affinity requirements specified by this field are not met at
|
|||
|
scheduling time, the pod will not be scheduled onto the node.
|
|||
|
If the affinity requirements specified by this field cease to be met
|
|||
|
at some point during pod execution (e.g. due to an update), the system
|
|||
|
may or may not try to eventually evict the pod from its node.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- nodeSelectorTerms
|
|||
|
properties:
|
|||
|
nodeSelectorTerms:
|
|||
|
description: Required. A list of node selector terms. The terms are ORed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A null or empty node selector term matches no objects. The requirements of
|
|||
|
them are ANDed.
|
|||
|
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: A list of node selector requirements by node's labels.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchFields:
|
|||
|
description: A list of node selector requirements by node's fields.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
podAffinity:
|
|||
|
description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|||
|
the affinity expressions specified by this field, but it may choose
|
|||
|
a node that violates one or more of the expressions. The node that is
|
|||
|
most preferred is the one with the greatest sum of weights, i.e.
|
|||
|
for each node that meets all of the scheduling requirements (resource
|
|||
|
request, requiredDuringScheduling affinity expressions, etc.),
|
|||
|
compute a sum by iterating through the elements of this field and adding
|
|||
|
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
|
|||
|
node(s) with the highest sum are the most preferred.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- podAffinityTerm
|
|||
|
- weight
|
|||
|
properties:
|
|||
|
podAffinityTerm:
|
|||
|
description: Required. A pod affinity term, associated with the corresponding weight.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
weight:
|
|||
|
description: |-
|
|||
|
weight associated with matching the corresponding podAffinityTerm,
|
|||
|
in the range 1-100.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
If the affinity requirements specified by this field are not met at
|
|||
|
scheduling time, the pod will not be scheduled onto the node.
|
|||
|
If the affinity requirements specified by this field cease to be met
|
|||
|
at some point during pod execution (e.g. due to a pod label update), the
|
|||
|
system may or may not try to eventually evict the pod from its node.
|
|||
|
When there are multiple elements, the lists of nodes corresponding to each
|
|||
|
podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
Defines a set of pods (namely those matching the labelSelector
|
|||
|
relative to the given namespace(s)) that this pod should be
|
|||
|
co-located (affinity) or not co-located (anti-affinity) with,
|
|||
|
where co-located is defined as running on a node whose value of
|
|||
|
the label with key <topologyKey> matches that of any node on which
|
|||
|
a pod of the set of pods is running
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
podAntiAffinity:
|
|||
|
description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|||
|
the anti-affinity expressions specified by this field, but it may choose
|
|||
|
a node that violates one or more of the expressions. The node that is
|
|||
|
most preferred is the one with the greatest sum of weights, i.e.
|
|||
|
for each node that meets all of the scheduling requirements (resource
|
|||
|
request, requiredDuringScheduling anti-affinity expressions, etc.),
|
|||
|
compute a sum by iterating through the elements of this field and adding
|
|||
|
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
|
|||
|
node(s) with the highest sum are the most preferred.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- podAffinityTerm
|
|||
|
- weight
|
|||
|
properties:
|
|||
|
podAffinityTerm:
|
|||
|
description: Required. A pod affinity term, associated with the corresponding weight.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
weight:
|
|||
|
description: |-
|
|||
|
weight associated with matching the corresponding podAffinityTerm,
|
|||
|
in the range 1-100.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
If the anti-affinity requirements specified by this field are not met at
|
|||
|
scheduling time, the pod will not be scheduled onto the node.
|
|||
|
If the anti-affinity requirements specified by this field cease to be met
|
|||
|
at some point during pod execution (e.g. due to a pod label update), the
|
|||
|
system may or may not try to eventually evict the pod from its node.
|
|||
|
When there are multiple elements, the lists of nodes corresponding to each
|
|||
|
podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
Defines a set of pods (namely those matching the labelSelector
|
|||
|
relative to the given namespace(s)) that this pod should be
|
|||
|
co-located (affinity) or not co-located (anti-affinity) with,
|
|||
|
where co-located is defined as running on a node whose value of
|
|||
|
the label with key <topologyKey> matches that of any node on which
|
|||
|
a pod of the set of pods is running
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
imagePullSecrets:
|
|||
|
description: If specified, the pod's imagePullSecrets
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
LocalObjectReference contains enough information to let you locate the
|
|||
|
referenced object inside the same namespace.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the referent.
|
|||
|
This field is effectively required, but due to backwards compatibility is
|
|||
|
allowed to be empty. Instances of this type with an empty value here are
|
|||
|
almost certainly wrong.
|
|||
|
TODO: Add other useful fields. apiVersion, kind, uid?
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
|
|||
|
type: string
|
|||
|
default: ""
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
nodeSelector:
|
|||
|
description: |-
|
|||
|
NodeSelector is a selector which must be true for the pod to fit on a node.
|
|||
|
Selector which must match a node's labels for the pod to be scheduled on that node.
|
|||
|
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
priorityClassName:
|
|||
|
description: If specified, the pod's priorityClassName.
|
|||
|
type: string
|
|||
|
serviceAccountName:
|
|||
|
description: If specified, the pod's service account
|
|||
|
type: string
|
|||
|
tolerations:
|
|||
|
description: If specified, the pod's tolerations.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
The pod this Toleration is attached to tolerates any taint that matches
|
|||
|
the triple <key,value,effect> using the matching operator <operator>.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
effect:
|
|||
|
description: |-
|
|||
|
Effect indicates the taint effect to match. Empty means match all taint effects.
|
|||
|
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
|
|||
|
type: string
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
Key is the taint key that the toleration applies to. Empty means match all taint keys.
|
|||
|
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Operator represents a key's relationship to the value.
|
|||
|
Valid operators are Exists and Equal. Defaults to Equal.
|
|||
|
Exists is equivalent to wildcard for value, so that a pod can
|
|||
|
tolerate all taints of a particular category.
|
|||
|
type: string
|
|||
|
tolerationSeconds:
|
|||
|
description: |-
|
|||
|
TolerationSeconds represents the period of time the toleration (which must be
|
|||
|
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
|
|||
|
it is not set, which means tolerate the taint forever (do not evict). Zero and
|
|||
|
negative values will be treated as 0 (evict immediately) by the system.
|
|||
|
type: integer
|
|||
|
format: int64
|
|||
|
value:
|
|||
|
description: |-
|
|||
|
Value is the taint value the toleration matches to.
|
|||
|
If the operator is Exists, the value should be empty, otherwise just a regular string.
|
|||
|
type: string
|
|||
|
serviceType:
|
|||
|
description: |-
|
|||
|
Optional service type for Kubernetes solver service. Supported values
|
|||
|
are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|||
|
type: string
|
|||
|
selector:
|
|||
|
description: |-
|
|||
|
Selector selects a set of DNSNames on the Certificate resource that
|
|||
|
should be solved using this challenge solver.
|
|||
|
If not specified, the solver will be treated as the 'default' solver
|
|||
|
with the lowest priority, i.e. if any other solver has a more specific
|
|||
|
match, it will be used instead.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
dnsNames:
|
|||
|
description: |-
|
|||
|
List of DNSNames that this solver will be used to solve.
|
|||
|
If specified and a match is found, a dnsNames selector will take
|
|||
|
precedence over a dnsZones selector.
|
|||
|
If multiple solvers match with the same dnsNames value, the solver
|
|||
|
with the most matching labels in matchLabels will be selected.
|
|||
|
If neither has more matches, the solver defined earlier in the list
|
|||
|
will be selected.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
dnsZones:
|
|||
|
description: |-
|
|||
|
List of DNSZones that this solver will be used to solve.
|
|||
|
The most specific DNS zone match specified here will take precedence
|
|||
|
over other DNS zone matches, so a solver specifying sys.example.com
|
|||
|
will be selected over one specifying example.com for the domain
|
|||
|
www.sys.example.com.
|
|||
|
If multiple solvers match with the same dnsZones value, the solver
|
|||
|
with the most matching labels in matchLabels will be selected.
|
|||
|
If neither has more matches, the solver defined earlier in the list
|
|||
|
will be selected.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
A label selector that is used to refine the set of certificate's that
|
|||
|
this challenge solver will apply to.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
ca:
|
|||
|
description: |-
|
|||
|
CA configures this issuer to sign certificates using a signing CA keypair
|
|||
|
stored in a Secret resource.
|
|||
|
This is used to build internal PKIs that are managed by cert-manager.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- secretName
|
|||
|
properties:
|
|||
|
crlDistributionPoints:
|
|||
|
description: |-
|
|||
|
The CRL distribution points is an X.509 v3 certificate extension which identifies
|
|||
|
the location of the CRL from which the revocation of this certificate can be checked.
|
|||
|
If not set, certificates will be issued without distribution points set.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
issuingCertificateURLs:
|
|||
|
description: |-
|
|||
|
IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
|
|||
|
it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
|
|||
|
As an example, such a URL might be "http://ca.domain.com/ca.crt".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
ocspServers:
|
|||
|
description: |-
|
|||
|
The OCSP server list is an X.509 v3 extension that defines a list of
|
|||
|
URLs of OCSP responders. The OCSP responders can be queried for the
|
|||
|
revocation status of an issued certificate. If not set, the
|
|||
|
certificate will be issued with no OCSP servers set. For example, an
|
|||
|
OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
secretName:
|
|||
|
description: |-
|
|||
|
SecretName is the name of the secret used to sign Certificates issued
|
|||
|
by this Issuer.
|
|||
|
type: string
|
|||
|
selfSigned:
|
|||
|
description: |-
|
|||
|
SelfSigned configures this issuer to 'self sign' certificates using the
|
|||
|
private key used to create the CertificateRequest object.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
crlDistributionPoints:
|
|||
|
description: |-
|
|||
|
The CRL distribution points is an X.509 v3 certificate extension which identifies
|
|||
|
the location of the CRL from which the revocation of this certificate can be checked.
|
|||
|
If not set certificate will be issued without CDP. Values are strings.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
vault:
|
|||
|
description: |-
|
|||
|
Vault configures this issuer to sign certificates using a HashiCorp Vault
|
|||
|
PKI backend.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- auth
|
|||
|
- path
|
|||
|
- server
|
|||
|
properties:
|
|||
|
auth:
|
|||
|
description: Auth configures how cert-manager authenticates with the Vault server.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
appRole:
|
|||
|
description: |-
|
|||
|
AppRole authenticates with Vault using the App Role auth mechanism,
|
|||
|
with the role and secret stored in a Kubernetes Secret resource.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- path
|
|||
|
- roleId
|
|||
|
- secretRef
|
|||
|
properties:
|
|||
|
path:
|
|||
|
description: |-
|
|||
|
Path where the App Role authentication backend is mounted in Vault, e.g:
|
|||
|
"approle"
|
|||
|
type: string
|
|||
|
roleId:
|
|||
|
description: |-
|
|||
|
RoleID configured in the App Role authentication backend when setting
|
|||
|
up the authentication backend in Vault.
|
|||
|
type: string
|
|||
|
secretRef:
|
|||
|
description: |-
|
|||
|
Reference to a key in a Secret that contains the App Role secret used
|
|||
|
to authenticate with Vault.
|
|||
|
The `key` field must be specified and denotes which entry within the Secret
|
|||
|
resource is used as the app role secret.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
kubernetes:
|
|||
|
description: |-
|
|||
|
Kubernetes authenticates with Vault by passing the ServiceAccount
|
|||
|
token stored in the named Secret resource to the Vault server.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- role
|
|||
|
properties:
|
|||
|
mountPath:
|
|||
|
description: |-
|
|||
|
The Vault mountPath here is the mount path to use when authenticating with
|
|||
|
Vault. For example, setting a value to `/v1/auth/foo`, will use the path
|
|||
|
`/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
|
|||
|
default value "/v1/auth/kubernetes" will be used.
|
|||
|
type: string
|
|||
|
role:
|
|||
|
description: |-
|
|||
|
A required field containing the Vault Role to assume. A Role binds a
|
|||
|
Kubernetes ServiceAccount with a set of Vault policies.
|
|||
|
type: string
|
|||
|
secretRef:
|
|||
|
description: |-
|
|||
|
The required Secret field containing a Kubernetes ServiceAccount JWT used
|
|||
|
for authenticating with Vault. Use of 'ambient credentials' is not
|
|||
|
supported.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
serviceAccountRef:
|
|||
|
description: |-
|
|||
|
A reference to a service account that will be used to request a bound
|
|||
|
token (also known as "projected token"). Compared to using "secretRef",
|
|||
|
using this field means that you don't rely on statically bound tokens. To
|
|||
|
use this field, you must configure an RBAC rule to let cert-manager
|
|||
|
request a token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
audiences:
|
|||
|
description: |-
|
|||
|
TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
|
|||
|
consisting of the issuer's namespace and name is always included.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: Name of the ServiceAccount used to request a token.
|
|||
|
type: string
|
|||
|
tokenSecretRef:
|
|||
|
description: TokenSecretRef authenticates with Vault by presenting a token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
caBundle:
|
|||
|
description: |-
|
|||
|
Base64-encoded bundle of PEM CAs which will be used to validate the certificate
|
|||
|
chain presented by Vault. Only used if using HTTPS to connect to Vault and
|
|||
|
ignored for HTTP connections.
|
|||
|
Mutually exclusive with CABundleSecretRef.
|
|||
|
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
|
|||
|
the cert-manager controller container is used to validate the TLS connection.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
caBundleSecretRef:
|
|||
|
description: |-
|
|||
|
Reference to a Secret containing a bundle of PEM-encoded CAs to use when
|
|||
|
verifying the certificate chain presented by Vault when using HTTPS.
|
|||
|
Mutually exclusive with CABundle.
|
|||
|
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
|
|||
|
the cert-manager controller container is used to validate the TLS connection.
|
|||
|
If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientCertSecretRef:
|
|||
|
description: |-
|
|||
|
Reference to a Secret containing a PEM-encoded Client Certificate to use when the
|
|||
|
Vault server requires mTLS.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientKeySecretRef:
|
|||
|
description: |-
|
|||
|
Reference to a Secret containing a PEM-encoded Client Private Key to use when the
|
|||
|
Vault server requires mTLS.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
namespace:
|
|||
|
description: |-
|
|||
|
Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
|
|||
|
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
|
|||
|
type: string
|
|||
|
path:
|
|||
|
description: |-
|
|||
|
Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
|
|||
|
"my_pki_mount/sign/my-role-name".
|
|||
|
type: string
|
|||
|
server:
|
|||
|
description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
|
|||
|
type: string
|
|||
|
venafi:
|
|||
|
description: |-
|
|||
|
Venafi configures this issuer to sign certificates using a Venafi TPP
|
|||
|
or Venafi Cloud policy zone.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- zone
|
|||
|
properties:
|
|||
|
cloud:
|
|||
|
description: |-
|
|||
|
Cloud specifies the Venafi cloud configuration settings.
|
|||
|
Only one of TPP or Cloud may be specified.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- apiTokenSecretRef
|
|||
|
properties:
|
|||
|
apiTokenSecretRef:
|
|||
|
description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
url:
|
|||
|
description: |-
|
|||
|
URL is the base URL for Venafi Cloud.
|
|||
|
Defaults to "https://api.venafi.cloud/v1".
|
|||
|
type: string
|
|||
|
tpp:
|
|||
|
description: |-
|
|||
|
TPP specifies Trust Protection Platform configuration settings.
|
|||
|
Only one of TPP or Cloud may be specified.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- credentialsRef
|
|||
|
- url
|
|||
|
properties:
|
|||
|
caBundle:
|
|||
|
description: |-
|
|||
|
Base64-encoded bundle of PEM CAs which will be used to validate the certificate
|
|||
|
chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
|
|||
|
If undefined, the certificate bundle in the cert-manager controller container
|
|||
|
is used to validate the chain.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
credentialsRef:
|
|||
|
description: |-
|
|||
|
CredentialsRef is a reference to a Secret containing the username and
|
|||
|
password for the TPP server.
|
|||
|
The secret must contain two keys, 'username' and 'password'.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
url:
|
|||
|
description: |-
|
|||
|
URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
|
|||
|
for example: "https://tpp.example.com/vedsdk".
|
|||
|
type: string
|
|||
|
zone:
|
|||
|
description: |-
|
|||
|
Zone is the Venafi Policy Zone to use for this issuer.
|
|||
|
All requests made to the Venafi platform will be restricted by the named
|
|||
|
zone policy.
|
|||
|
This field is required.
|
|||
|
type: string
|
|||
|
status:
|
|||
|
description: Status of the ClusterIssuer. This is set and managed automatically.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
acme:
|
|||
|
description: |-
|
|||
|
ACME specific status options.
|
|||
|
This field should only be set if the Issuer is configured to use an ACME
|
|||
|
server to issue certificates.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
lastPrivateKeyHash:
|
|||
|
description: |-
|
|||
|
LastPrivateKeyHash is a hash of the private key associated with the latest
|
|||
|
registered ACME account, in order to track changes made to registered account
|
|||
|
associated with the Issuer
|
|||
|
type: string
|
|||
|
lastRegisteredEmail:
|
|||
|
description: |-
|
|||
|
LastRegisteredEmail is the email associated with the latest registered
|
|||
|
ACME account, in order to track changes made to registered account
|
|||
|
associated with the Issuer
|
|||
|
type: string
|
|||
|
uri:
|
|||
|
description: |-
|
|||
|
URI is the unique account identifier, which can also be used to retrieve
|
|||
|
account details from the CA
|
|||
|
type: string
|
|||
|
conditions:
|
|||
|
description: |-
|
|||
|
List of status conditions to indicate the status of a CertificateRequest.
|
|||
|
Known condition types are `Ready`.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: IssuerCondition contains condition information for an Issuer.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- status
|
|||
|
- type
|
|||
|
properties:
|
|||
|
lastTransitionTime:
|
|||
|
description: |-
|
|||
|
LastTransitionTime is the timestamp corresponding to the last status
|
|||
|
change of this condition.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
message:
|
|||
|
description: |-
|
|||
|
Message is a human readable description of the details of the last
|
|||
|
transition, complementing reason.
|
|||
|
type: string
|
|||
|
observedGeneration:
|
|||
|
description: |-
|
|||
|
If set, this represents the .metadata.generation that the condition was
|
|||
|
set based upon.
|
|||
|
For instance, if .metadata.generation is currently 12, but the
|
|||
|
.status.condition[x].observedGeneration is 9, the condition is out of date
|
|||
|
with respect to the current state of the Issuer.
|
|||
|
type: integer
|
|||
|
format: int64
|
|||
|
reason:
|
|||
|
description: |-
|
|||
|
Reason is a brief machine readable explanation for the condition's last
|
|||
|
transition.
|
|||
|
type: string
|
|||
|
status:
|
|||
|
description: Status of the condition, one of (`True`, `False`, `Unknown`).
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- "True"
|
|||
|
- "False"
|
|||
|
- Unknown
|
|||
|
type:
|
|||
|
description: Type of the condition, known values are (`Ready`).
|
|||
|
type: string
|
|||
|
x-kubernetes-list-map-keys:
|
|||
|
- type
|
|||
|
x-kubernetes-list-type: map
|
|||
|
served: true
|
|||
|
storage: true
|
|||
|
|
|||
|
# END crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
apiVersion: apiextensions.k8s.io/v1
|
|||
|
kind: CustomResourceDefinition
|
|||
|
metadata:
|
|||
|
name: issuers.cert-manager.io
|
|||
|
# START annotations
|
|||
|
annotations:
|
|||
|
helm.sh/resource-policy: keep
|
|||
|
# END annotations
|
|||
|
labels:
|
|||
|
app: 'cert-manager'
|
|||
|
app.kubernetes.io/name: 'cert-manager'
|
|||
|
app.kubernetes.io/instance: 'cert-manager'
|
|||
|
app.kubernetes.io/component: "crds"
|
|||
|
# Generated labels
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
group: cert-manager.io
|
|||
|
names:
|
|||
|
kind: Issuer
|
|||
|
listKind: IssuerList
|
|||
|
plural: issuers
|
|||
|
singular: issuer
|
|||
|
categories:
|
|||
|
- cert-manager
|
|||
|
scope: Namespaced
|
|||
|
versions:
|
|||
|
- name: v1
|
|||
|
subresources:
|
|||
|
status: {}
|
|||
|
additionalPrinterColumns:
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Ready")].status
|
|||
|
name: Ready
|
|||
|
type: string
|
|||
|
- jsonPath: .status.conditions[?(@.type=="Ready")].message
|
|||
|
name: Status
|
|||
|
priority: 1
|
|||
|
type: string
|
|||
|
- jsonPath: .metadata.creationTimestamp
|
|||
|
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|||
|
name: Age
|
|||
|
type: date
|
|||
|
schema:
|
|||
|
openAPIV3Schema:
|
|||
|
description: |-
|
|||
|
An Issuer represents a certificate issuing authority which can be
|
|||
|
referenced as part of `issuerRef` fields.
|
|||
|
It is scoped to a single namespace and can therefore only be referenced by
|
|||
|
resources within the same namespace.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- spec
|
|||
|
properties:
|
|||
|
apiVersion:
|
|||
|
description: |-
|
|||
|
APIVersion defines the versioned schema of this representation of an object.
|
|||
|
Servers should convert recognized schemas to the latest internal value, and
|
|||
|
may reject unrecognized values.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: |-
|
|||
|
Kind is a string value representing the REST resource this object represents.
|
|||
|
Servers may infer this from the endpoint the client submits requests to.
|
|||
|
Cannot be updated.
|
|||
|
In CamelCase.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|||
|
type: string
|
|||
|
metadata:
|
|||
|
type: object
|
|||
|
spec:
|
|||
|
description: Desired state of the Issuer resource.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
acme:
|
|||
|
description: |-
|
|||
|
ACME configures this issuer to communicate with a RFC8555 (ACME) server
|
|||
|
to obtain signed x509 certificates.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- privateKeySecretRef
|
|||
|
- server
|
|||
|
properties:
|
|||
|
caBundle:
|
|||
|
description: |-
|
|||
|
Base64-encoded bundle of PEM CAs which can be used to validate the certificate
|
|||
|
chain presented by the ACME server.
|
|||
|
Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
|
|||
|
kinds of security vulnerabilities.
|
|||
|
If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
|
|||
|
the container is used to validate the TLS connection.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
disableAccountKeyGeneration:
|
|||
|
description: |-
|
|||
|
Enables or disables generating a new ACME account key.
|
|||
|
If true, the Issuer resource will *not* request a new account but will expect
|
|||
|
the account key to be supplied via an existing secret.
|
|||
|
If false, the cert-manager system will generate a new ACME account key
|
|||
|
for the Issuer.
|
|||
|
Defaults to false.
|
|||
|
type: boolean
|
|||
|
email:
|
|||
|
description: |-
|
|||
|
Email is the email address to be associated with the ACME account.
|
|||
|
This field is optional, but it is strongly recommended to be set.
|
|||
|
It will be used to contact you in case of issues with your account or
|
|||
|
certificates, including expiry notification emails.
|
|||
|
This field may be updated after the account is initially registered.
|
|||
|
type: string
|
|||
|
enableDurationFeature:
|
|||
|
description: |-
|
|||
|
Enables requesting a Not After date on certificates that matches the
|
|||
|
duration of the certificate. This is not supported by all ACME servers
|
|||
|
like Let's Encrypt. If set to true when the ACME server does not support
|
|||
|
it, it will create an error on the Order.
|
|||
|
Defaults to false.
|
|||
|
type: boolean
|
|||
|
externalAccountBinding:
|
|||
|
description: |-
|
|||
|
ExternalAccountBinding is a reference to a CA external account of the ACME
|
|||
|
server.
|
|||
|
If set, upon registration cert-manager will attempt to associate the given
|
|||
|
external account credentials with the registered ACME account.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- keyID
|
|||
|
- keySecretRef
|
|||
|
properties:
|
|||
|
keyAlgorithm:
|
|||
|
description: |-
|
|||
|
Deprecated: keyAlgorithm field exists for historical compatibility
|
|||
|
reasons and should not be used. The algorithm is now hardcoded to HS256
|
|||
|
in golang/x/crypto/acme.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- HS256
|
|||
|
- HS384
|
|||
|
- HS512
|
|||
|
keyID:
|
|||
|
description: keyID is the ID of the CA key that the External Account is bound to.
|
|||
|
type: string
|
|||
|
keySecretRef:
|
|||
|
description: |-
|
|||
|
keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
|
|||
|
Secret which holds the symmetric MAC key of the External Account Binding.
|
|||
|
The `key` is the index string that is paired with the key data in the
|
|||
|
Secret and should not be confused with the key data itself, or indeed with
|
|||
|
the External Account Binding keyID above.
|
|||
|
The secret key stored in the Secret **must** be un-padded, base64 URL
|
|||
|
encoded data.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
preferredChain:
|
|||
|
description: |-
|
|||
|
PreferredChain is the chain to use if the ACME server outputs multiple.
|
|||
|
PreferredChain is no guarantee that this one gets delivered by the ACME
|
|||
|
endpoint.
|
|||
|
For example, for Let's Encrypt's DST crosssign you would use:
|
|||
|
"DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
|
|||
|
This value picks the first certificate bundle in the combined set of
|
|||
|
ACME default and alternative chains that has a root-most certificate with
|
|||
|
this value as its issuer's commonname.
|
|||
|
type: string
|
|||
|
maxLength: 64
|
|||
|
privateKeySecretRef:
|
|||
|
description: |-
|
|||
|
PrivateKey is the name of a Kubernetes Secret resource that will be used to
|
|||
|
store the automatically generated ACME account private key.
|
|||
|
Optionally, a `key` may be specified to select a specific entry within
|
|||
|
the named Secret resource.
|
|||
|
If `key` is not specified, a default of `tls.key` will be used.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
server:
|
|||
|
description: |-
|
|||
|
Server is the URL used to access the ACME server's 'directory' endpoint.
|
|||
|
For example, for Let's Encrypt's staging endpoint, you would use:
|
|||
|
"https://acme-staging-v02.api.letsencrypt.org/directory".
|
|||
|
Only ACME v2 endpoints (i.e. RFC 8555) are supported.
|
|||
|
type: string
|
|||
|
skipTLSVerify:
|
|||
|
description: |-
|
|||
|
INSECURE: Enables or disables validation of the ACME server TLS certificate.
|
|||
|
If true, requests to the ACME server will not have the TLS certificate chain
|
|||
|
validated.
|
|||
|
Mutually exclusive with CABundle; prefer using CABundle to prevent various
|
|||
|
kinds of security vulnerabilities.
|
|||
|
Only enable this option in development environments.
|
|||
|
If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
|
|||
|
the container is used to validate the TLS connection.
|
|||
|
Defaults to false.
|
|||
|
type: boolean
|
|||
|
solvers:
|
|||
|
description: |-
|
|||
|
Solvers is a list of challenge solvers that will be used to solve
|
|||
|
ACME challenges for the matching domains.
|
|||
|
Solver configurations must be provided in order to obtain certificates
|
|||
|
from an ACME server.
|
|||
|
For more information, see: https://cert-manager.io/docs/configuration/acme/
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
|
|||
|
A selector may be provided to use different solving strategies for different DNS names.
|
|||
|
Only one of HTTP01 or DNS01 must be provided.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
dns01:
|
|||
|
description: |-
|
|||
|
Configures cert-manager to attempt to complete authorizations by
|
|||
|
performing the DNS01 challenge flow.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
acmeDNS:
|
|||
|
description: |-
|
|||
|
Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
|
|||
|
DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- accountSecretRef
|
|||
|
- host
|
|||
|
properties:
|
|||
|
accountSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
host:
|
|||
|
type: string
|
|||
|
akamai:
|
|||
|
description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- accessTokenSecretRef
|
|||
|
- clientSecretSecretRef
|
|||
|
- clientTokenSecretRef
|
|||
|
- serviceConsumerDomain
|
|||
|
properties:
|
|||
|
accessTokenSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientSecretSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientTokenSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
serviceConsumerDomain:
|
|||
|
type: string
|
|||
|
azureDNS:
|
|||
|
description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- resourceGroupName
|
|||
|
- subscriptionID
|
|||
|
properties:
|
|||
|
clientID:
|
|||
|
description: |-
|
|||
|
Auth: Azure Service Principal:
|
|||
|
The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
|
|||
|
If set, ClientSecret and TenantID must also be set.
|
|||
|
type: string
|
|||
|
clientSecretSecretRef:
|
|||
|
description: |-
|
|||
|
Auth: Azure Service Principal:
|
|||
|
A reference to a Secret containing the password associated with the Service Principal.
|
|||
|
If set, ClientID and TenantID must also be set.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
environment:
|
|||
|
description: name of the Azure environment (default AzurePublicCloud)
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- AzurePublicCloud
|
|||
|
- AzureChinaCloud
|
|||
|
- AzureGermanCloud
|
|||
|
- AzureUSGovernmentCloud
|
|||
|
hostedZoneName:
|
|||
|
description: name of the DNS zone that should be used
|
|||
|
type: string
|
|||
|
managedIdentity:
|
|||
|
description: |-
|
|||
|
Auth: Azure Workload Identity or Azure Managed Service Identity:
|
|||
|
Settings to enable Azure Workload Identity or Azure Managed Service Identity
|
|||
|
If set, ClientID, ClientSecret and TenantID must not be set.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
clientID:
|
|||
|
description: client ID of the managed identity, can not be used at the same time as resourceID
|
|||
|
type: string
|
|||
|
resourceID:
|
|||
|
description: |-
|
|||
|
resource ID of the managed identity, can not be used at the same time as clientID
|
|||
|
Cannot be used for Azure Managed Service Identity
|
|||
|
type: string
|
|||
|
resourceGroupName:
|
|||
|
description: resource group the DNS zone is located in
|
|||
|
type: string
|
|||
|
subscriptionID:
|
|||
|
description: ID of the Azure subscription
|
|||
|
type: string
|
|||
|
tenantID:
|
|||
|
description: |-
|
|||
|
Auth: Azure Service Principal:
|
|||
|
The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
|
|||
|
If set, ClientID and ClientSecret must also be set.
|
|||
|
type: string
|
|||
|
cloudDNS:
|
|||
|
description: Use the Google Cloud DNS API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- project
|
|||
|
properties:
|
|||
|
hostedZoneName:
|
|||
|
description: |-
|
|||
|
HostedZoneName is an optional field that tells cert-manager in which
|
|||
|
Cloud DNS zone the challenge record has to be created.
|
|||
|
If left empty cert-manager will automatically choose a zone.
|
|||
|
type: string
|
|||
|
project:
|
|||
|
type: string
|
|||
|
serviceAccountSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
cloudflare:
|
|||
|
description: Use the Cloudflare API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
apiKeySecretRef:
|
|||
|
description: |-
|
|||
|
API key to use to authenticate with Cloudflare.
|
|||
|
Note: using an API token to authenticate is now the recommended method
|
|||
|
as it allows greater control of permissions.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
apiTokenSecretRef:
|
|||
|
description: API token used to authenticate with Cloudflare.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
email:
|
|||
|
description: Email of the account, only required when using API key based authentication.
|
|||
|
type: string
|
|||
|
cnameStrategy:
|
|||
|
description: |-
|
|||
|
CNAMEStrategy configures how the DNS01 provider should handle CNAME
|
|||
|
records when found in DNS zones.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- None
|
|||
|
- Follow
|
|||
|
digitalocean:
|
|||
|
description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- tokenSecretRef
|
|||
|
properties:
|
|||
|
tokenSecretRef:
|
|||
|
description: |-
|
|||
|
A reference to a specific 'key' within a Secret resource.
|
|||
|
In some instances, `key` is a required field.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
rfc2136:
|
|||
|
description: |-
|
|||
|
Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
|
|||
|
to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- nameserver
|
|||
|
properties:
|
|||
|
nameserver:
|
|||
|
description: |-
|
|||
|
The IP address or hostname of an authoritative DNS server supporting
|
|||
|
RFC2136 in the form host:port. If the host is an IPv6 address it must be
|
|||
|
enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
|
|||
|
This field is required.
|
|||
|
type: string
|
|||
|
tsigAlgorithm:
|
|||
|
description: |-
|
|||
|
The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
|
|||
|
when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
|
|||
|
Supported values are (case-insensitive): ``HMACMD5`` (default),
|
|||
|
``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
|
|||
|
type: string
|
|||
|
tsigKeyName:
|
|||
|
description: |-
|
|||
|
The TSIG Key name configured in the DNS.
|
|||
|
If ``tsigSecretSecretRef`` is defined, this field is required.
|
|||
|
type: string
|
|||
|
tsigSecretSecretRef:
|
|||
|
description: |-
|
|||
|
The name of the secret containing the TSIG value.
|
|||
|
If ``tsigKeyName`` is defined, this field is required.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
route53:
|
|||
|
description: Use the AWS Route53 API to manage DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- region
|
|||
|
properties:
|
|||
|
accessKeyID:
|
|||
|
description: |-
|
|||
|
The AccessKeyID is used for authentication.
|
|||
|
Cannot be set when SecretAccessKeyID is set.
|
|||
|
If neither the Access Key nor Key ID are set, we fall-back to using env
|
|||
|
vars, shared credentials file or AWS Instance metadata,
|
|||
|
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|||
|
type: string
|
|||
|
accessKeyIDSecretRef:
|
|||
|
description: |-
|
|||
|
The SecretAccessKey is used for authentication. If set, pull the AWS
|
|||
|
access key ID from a key within a Kubernetes Secret.
|
|||
|
Cannot be set when AccessKeyID is set.
|
|||
|
If neither the Access Key nor Key ID are set, we fall-back to using env
|
|||
|
vars, shared credentials file or AWS Instance metadata,
|
|||
|
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
auth:
|
|||
|
description: Auth configures how cert-manager authenticates.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- kubernetes
|
|||
|
properties:
|
|||
|
kubernetes:
|
|||
|
description: |-
|
|||
|
Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
|
|||
|
by passing a bound ServiceAccount token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- serviceAccountRef
|
|||
|
properties:
|
|||
|
serviceAccountRef:
|
|||
|
description: |-
|
|||
|
A reference to a service account that will be used to request a bound
|
|||
|
token (also known as "projected token"). To use this field, you must
|
|||
|
configure an RBAC rule to let cert-manager request a token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
audiences:
|
|||
|
description: |-
|
|||
|
TokenAudiences is an optional list of audiences to include in the
|
|||
|
token passed to AWS. The default token consisting of the issuer's namespace
|
|||
|
and name is always included.
|
|||
|
If unset the audience defaults to `sts.amazonaws.com`.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: Name of the ServiceAccount used to request a token.
|
|||
|
type: string
|
|||
|
hostedZoneID:
|
|||
|
description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
|
|||
|
type: string
|
|||
|
region:
|
|||
|
description: Always set the region when using AccessKeyID and SecretAccessKey
|
|||
|
type: string
|
|||
|
role:
|
|||
|
description: |-
|
|||
|
Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
|
|||
|
or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
|
|||
|
type: string
|
|||
|
secretAccessKeySecretRef:
|
|||
|
description: |-
|
|||
|
The SecretAccessKey is used for authentication.
|
|||
|
If neither the Access Key nor Key ID are set, we fall-back to using env
|
|||
|
vars, shared credentials file or AWS Instance metadata,
|
|||
|
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
webhook:
|
|||
|
description: |-
|
|||
|
Configure an external webhook based DNS01 challenge solver to manage
|
|||
|
DNS01 challenge records.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- groupName
|
|||
|
- solverName
|
|||
|
properties:
|
|||
|
config:
|
|||
|
description: |-
|
|||
|
Additional configuration that should be passed to the webhook apiserver
|
|||
|
when challenges are processed.
|
|||
|
This can contain arbitrary JSON data.
|
|||
|
Secret values should not be specified in this stanza.
|
|||
|
If secret values are needed (e.g. credentials for a DNS service), you
|
|||
|
should use a SecretKeySelector to reference a Secret resource.
|
|||
|
For details on the schema of this field, consult the webhook provider
|
|||
|
implementation's documentation.
|
|||
|
x-kubernetes-preserve-unknown-fields: true
|
|||
|
groupName:
|
|||
|
description: |-
|
|||
|
The API group name that should be used when POSTing ChallengePayload
|
|||
|
resources to the webhook apiserver.
|
|||
|
This should be the same as the GroupName specified in the webhook
|
|||
|
provider implementation.
|
|||
|
type: string
|
|||
|
solverName:
|
|||
|
description: |-
|
|||
|
The name of the solver to use, as defined in the webhook provider
|
|||
|
implementation.
|
|||
|
This will typically be the name of the provider, e.g. 'cloudflare'.
|
|||
|
type: string
|
|||
|
http01:
|
|||
|
description: |-
|
|||
|
Configures cert-manager to attempt to complete authorizations by
|
|||
|
performing the HTTP01 challenge flow.
|
|||
|
It is not possible to obtain certificates for wildcard domain names
|
|||
|
(e.g. `*.example.com`) using the HTTP01 challenge mechanism.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
gatewayHTTPRoute:
|
|||
|
description: |-
|
|||
|
The Gateway API is a sig-network community API that models service networking
|
|||
|
in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
|
|||
|
create HTTPRoutes with the specified labels in the same namespace as the challenge.
|
|||
|
This solver is experimental, and fields / behaviour may change in the future.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
labels:
|
|||
|
description: |-
|
|||
|
Custom labels that will be applied to HTTPRoutes created by cert-manager
|
|||
|
while solving HTTP-01 challenges.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
parentRefs:
|
|||
|
description: |-
|
|||
|
When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
|
|||
|
cert-manager needs to know which parentRefs should be used when creating
|
|||
|
the HTTPRoute. Usually, the parentRef references a Gateway. See:
|
|||
|
https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
ParentReference identifies an API object (usually a Gateway) that can be considered
|
|||
|
a parent of this resource (usually a route). There are two kinds of parent resources
|
|||
|
with "Core" support:
|
|||
|
|
|||
|
|
|||
|
* Gateway (Gateway conformance profile)
|
|||
|
* Service (Mesh conformance profile, ClusterIP Services only)
|
|||
|
|
|||
|
|
|||
|
This API may be extended in the future to support additional kinds of parent
|
|||
|
resources.
|
|||
|
|
|||
|
|
|||
|
The API object must be valid in the cluster; the Group and Kind must
|
|||
|
be registered in the cluster for this reference to be valid.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
group:
|
|||
|
description: |-
|
|||
|
Group is the group of the referent.
|
|||
|
When unspecified, "gateway.networking.k8s.io" is inferred.
|
|||
|
To set the core API group (such as for a "Service" kind referent),
|
|||
|
Group must be explicitly set to "" (empty string).
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
default: gateway.networking.k8s.io
|
|||
|
maxLength: 253
|
|||
|
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|||
|
kind:
|
|||
|
description: |-
|
|||
|
Kind is kind of the referent.
|
|||
|
|
|||
|
|
|||
|
There are two kinds of parent resources with "Core" support:
|
|||
|
|
|||
|
|
|||
|
* Gateway (Gateway conformance profile)
|
|||
|
* Service (Mesh conformance profile, ClusterIP Services only)
|
|||
|
|
|||
|
|
|||
|
Support for other resources is Implementation-Specific.
|
|||
|
type: string
|
|||
|
default: Gateway
|
|||
|
maxLength: 63
|
|||
|
minLength: 1
|
|||
|
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name is the name of the referent.
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
maxLength: 253
|
|||
|
minLength: 1
|
|||
|
namespace:
|
|||
|
description: |-
|
|||
|
Namespace is the namespace of the referent. When unspecified, this refers
|
|||
|
to the local namespace of the Route.
|
|||
|
|
|||
|
|
|||
|
Note that there are specific rules for ParentRefs which cross namespace
|
|||
|
boundaries. Cross-namespace references are only valid if they are explicitly
|
|||
|
allowed by something in the namespace they are referring to. For example:
|
|||
|
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
|
|||
|
generic way to enable any other kind of cross-namespace reference.
|
|||
|
|
|||
|
|
|||
|
<gateway:experimental:description>
|
|||
|
ParentRefs from a Route to a Service in the same namespace are "producer"
|
|||
|
routes, which apply default routing rules to inbound connections from
|
|||
|
any namespace to the Service.
|
|||
|
|
|||
|
|
|||
|
ParentRefs from a Route to a Service in a different namespace are
|
|||
|
"consumer" routes, and these routing rules are only applied to outbound
|
|||
|
connections originating from the same namespace as the Route, for which
|
|||
|
the intended destination of the connections are a Service targeted as a
|
|||
|
ParentRef of the Route.
|
|||
|
</gateway:experimental:description>
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
maxLength: 63
|
|||
|
minLength: 1
|
|||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
|
|||
|
port:
|
|||
|
description: |-
|
|||
|
Port is the network port this Route targets. It can be interpreted
|
|||
|
differently based on the type of parent resource.
|
|||
|
|
|||
|
|
|||
|
When the parent resource is a Gateway, this targets all listeners
|
|||
|
listening on the specified port that also support this kind of Route(and
|
|||
|
select this Route). It's not recommended to set `Port` unless the
|
|||
|
networking behaviors specified in a Route must apply to a specific port
|
|||
|
as opposed to a listener(s) whose port(s) may be changed. When both Port
|
|||
|
and SectionName are specified, the name and port of the selected listener
|
|||
|
must match both specified values.
|
|||
|
|
|||
|
|
|||
|
<gateway:experimental:description>
|
|||
|
When the parent resource is a Service, this targets a specific port in the
|
|||
|
Service spec. When both Port (experimental) and SectionName are specified,
|
|||
|
the name and port of the selected port must match both specified values.
|
|||
|
</gateway:experimental:description>
|
|||
|
|
|||
|
|
|||
|
Implementations MAY choose to support other parent resources.
|
|||
|
Implementations supporting other types of parent resources MUST clearly
|
|||
|
document how/if Port is interpreted.
|
|||
|
|
|||
|
|
|||
|
For the purpose of status, an attachment is considered successful as
|
|||
|
long as the parent resource accepts it partially. For example, Gateway
|
|||
|
listeners can restrict which Routes can attach to them by Route kind,
|
|||
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
|
|||
|
from the referencing Route, the Route MUST be considered successfully
|
|||
|
attached. If no Gateway listeners accept attachment from this Route,
|
|||
|
the Route MUST be considered detached from the Gateway.
|
|||
|
|
|||
|
|
|||
|
Support: Extended
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
maximum: 65535
|
|||
|
minimum: 1
|
|||
|
sectionName:
|
|||
|
description: |-
|
|||
|
SectionName is the name of a section within the target resource. In the
|
|||
|
following resources, SectionName is interpreted as the following:
|
|||
|
|
|||
|
|
|||
|
* Gateway: Listener name. When both Port (experimental) and SectionName
|
|||
|
are specified, the name and port of the selected listener must match
|
|||
|
both specified values.
|
|||
|
* Service: Port name. When both Port (experimental) and SectionName
|
|||
|
are specified, the name and port of the selected listener must match
|
|||
|
both specified values.
|
|||
|
|
|||
|
|
|||
|
Implementations MAY choose to support attaching Routes to other resources.
|
|||
|
If that is the case, they MUST clearly document how SectionName is
|
|||
|
interpreted.
|
|||
|
|
|||
|
|
|||
|
When unspecified (empty string), this will reference the entire resource.
|
|||
|
For the purpose of status, an attachment is considered successful if at
|
|||
|
least one section in the parent resource accepts it. For example, Gateway
|
|||
|
listeners can restrict which Routes can attach to them by Route kind,
|
|||
|
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
|
|||
|
the referencing Route, the Route MUST be considered successfully
|
|||
|
attached. If no Gateway listeners accept attachment from this Route, the
|
|||
|
Route MUST be considered detached from the Gateway.
|
|||
|
|
|||
|
|
|||
|
Support: Core
|
|||
|
type: string
|
|||
|
maxLength: 253
|
|||
|
minLength: 1
|
|||
|
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
|
|||
|
serviceType:
|
|||
|
description: |-
|
|||
|
Optional service type for Kubernetes solver service. Supported values
|
|||
|
are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|||
|
type: string
|
|||
|
ingress:
|
|||
|
description: |-
|
|||
|
The ingress based HTTP01 challenge solver will solve challenges by
|
|||
|
creating or modifying Ingress resources in order to route requests for
|
|||
|
'/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
|
|||
|
provisioned by cert-manager for each Challenge to be completed.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
class:
|
|||
|
description: |-
|
|||
|
This field configures the annotation `kubernetes.io/ingress.class` when
|
|||
|
creating Ingress resources to solve ACME challenges that use this
|
|||
|
challenge solver. Only one of `class`, `name` or `ingressClassName` may
|
|||
|
be specified.
|
|||
|
type: string
|
|||
|
ingressClassName:
|
|||
|
description: |-
|
|||
|
This field configures the field `ingressClassName` on the created Ingress
|
|||
|
resources used to solve ACME challenges that use this challenge solver.
|
|||
|
This is the recommended way of configuring the ingress class. Only one of
|
|||
|
`class`, `name` or `ingressClassName` may be specified.
|
|||
|
type: string
|
|||
|
ingressTemplate:
|
|||
|
description: |-
|
|||
|
Optional ingress template used to configure the ACME challenge solver
|
|||
|
ingress used for HTTP01 challenges.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
metadata:
|
|||
|
description: |-
|
|||
|
ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
|
|||
|
Only the 'labels' and 'annotations' fields may be set.
|
|||
|
If labels or annotations overlap with in-built values, the values here
|
|||
|
will override the in-built values.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
annotations:
|
|||
|
description: Annotations that should be added to the created ACME HTTP01 solver ingress.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
labels:
|
|||
|
description: Labels that should be added to the created ACME HTTP01 solver ingress.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
The name of the ingress resource that should have ACME challenge solving
|
|||
|
routes inserted into it in order to solve HTTP01 challenges.
|
|||
|
This is typically used in conjunction with ingress controllers like
|
|||
|
ingress-gce, which maintains a 1:1 mapping between external IPs and
|
|||
|
ingress resources. Only one of `class`, `name` or `ingressClassName` may
|
|||
|
be specified.
|
|||
|
type: string
|
|||
|
podTemplate:
|
|||
|
description: |-
|
|||
|
Optional pod template used to configure the ACME challenge solver pods
|
|||
|
used for HTTP01 challenges.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
metadata:
|
|||
|
description: |-
|
|||
|
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
|
|||
|
Only the 'labels' and 'annotations' fields may be set.
|
|||
|
If labels or annotations overlap with in-built values, the values here
|
|||
|
will override the in-built values.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
annotations:
|
|||
|
description: Annotations that should be added to the create ACME HTTP01 solver pods.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
labels:
|
|||
|
description: Labels that should be added to the created ACME HTTP01 solver pods.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
spec:
|
|||
|
description: |-
|
|||
|
PodSpec defines overrides for the HTTP01 challenge solver pod.
|
|||
|
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
|
|||
|
All other fields will be ignored.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
affinity:
|
|||
|
description: If specified, the pod's scheduling constraints
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
nodeAffinity:
|
|||
|
description: Describes node affinity scheduling rules for the pod.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|||
|
the affinity expressions specified by this field, but it may choose
|
|||
|
a node that violates one or more of the expressions. The node that is
|
|||
|
most preferred is the one with the greatest sum of weights, i.e.
|
|||
|
for each node that meets all of the scheduling requirements (resource
|
|||
|
request, requiredDuringScheduling affinity expressions, etc.),
|
|||
|
compute a sum by iterating through the elements of this field and adding
|
|||
|
"weight" to the sum if the node matches the corresponding matchExpressions; the
|
|||
|
node(s) with the highest sum are the most preferred.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
An empty preferred scheduling term matches all objects with implicit weight 0
|
|||
|
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- preference
|
|||
|
- weight
|
|||
|
properties:
|
|||
|
preference:
|
|||
|
description: A node selector term, associated with the corresponding weight.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: A list of node selector requirements by node's labels.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchFields:
|
|||
|
description: A list of node selector requirements by node's fields.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
weight:
|
|||
|
description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
If the affinity requirements specified by this field are not met at
|
|||
|
scheduling time, the pod will not be scheduled onto the node.
|
|||
|
If the affinity requirements specified by this field cease to be met
|
|||
|
at some point during pod execution (e.g. due to an update), the system
|
|||
|
may or may not try to eventually evict the pod from its node.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- nodeSelectorTerms
|
|||
|
properties:
|
|||
|
nodeSelectorTerms:
|
|||
|
description: Required. A list of node selector terms. The terms are ORed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A null or empty node selector term matches no objects. The requirements of
|
|||
|
them are ANDed.
|
|||
|
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: A list of node selector requirements by node's labels.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchFields:
|
|||
|
description: A list of node selector requirements by node's fields.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|||
|
that relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: The label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
An array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|||
|
array must have a single element, which will be interpreted as an integer.
|
|||
|
This array is replaced during a strategic merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
podAffinity:
|
|||
|
description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|||
|
the affinity expressions specified by this field, but it may choose
|
|||
|
a node that violates one or more of the expressions. The node that is
|
|||
|
most preferred is the one with the greatest sum of weights, i.e.
|
|||
|
for each node that meets all of the scheduling requirements (resource
|
|||
|
request, requiredDuringScheduling affinity expressions, etc.),
|
|||
|
compute a sum by iterating through the elements of this field and adding
|
|||
|
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
|
|||
|
node(s) with the highest sum are the most preferred.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- podAffinityTerm
|
|||
|
- weight
|
|||
|
properties:
|
|||
|
podAffinityTerm:
|
|||
|
description: Required. A pod affinity term, associated with the corresponding weight.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
weight:
|
|||
|
description: |-
|
|||
|
weight associated with matching the corresponding podAffinityTerm,
|
|||
|
in the range 1-100.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
If the affinity requirements specified by this field are not met at
|
|||
|
scheduling time, the pod will not be scheduled onto the node.
|
|||
|
If the affinity requirements specified by this field cease to be met
|
|||
|
at some point during pod execution (e.g. due to a pod label update), the
|
|||
|
system may or may not try to eventually evict the pod from its node.
|
|||
|
When there are multiple elements, the lists of nodes corresponding to each
|
|||
|
podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
Defines a set of pods (namely those matching the labelSelector
|
|||
|
relative to the given namespace(s)) that this pod should be
|
|||
|
co-located (affinity) or not co-located (anti-affinity) with,
|
|||
|
where co-located is defined as running on a node whose value of
|
|||
|
the label with key <topologyKey> matches that of any node on which
|
|||
|
a pod of the set of pods is running
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
podAntiAffinity:
|
|||
|
description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|||
|
the anti-affinity expressions specified by this field, but it may choose
|
|||
|
a node that violates one or more of the expressions. The node that is
|
|||
|
most preferred is the one with the greatest sum of weights, i.e.
|
|||
|
for each node that meets all of the scheduling requirements (resource
|
|||
|
request, requiredDuringScheduling anti-affinity expressions, etc.),
|
|||
|
compute a sum by iterating through the elements of this field and adding
|
|||
|
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
|
|||
|
node(s) with the highest sum are the most preferred.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- podAffinityTerm
|
|||
|
- weight
|
|||
|
properties:
|
|||
|
podAffinityTerm:
|
|||
|
description: Required. A pod affinity term, associated with the corresponding weight.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
weight:
|
|||
|
description: |-
|
|||
|
weight associated with matching the corresponding podAffinityTerm,
|
|||
|
in the range 1-100.
|
|||
|
type: integer
|
|||
|
format: int32
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|||
|
description: |-
|
|||
|
If the anti-affinity requirements specified by this field are not met at
|
|||
|
scheduling time, the pod will not be scheduled onto the node.
|
|||
|
If the anti-affinity requirements specified by this field cease to be met
|
|||
|
at some point during pod execution (e.g. due to a pod label update), the
|
|||
|
system may or may not try to eventually evict the pod from its node.
|
|||
|
When there are multiple elements, the lists of nodes corresponding to each
|
|||
|
podAffinityTerm are intersected, i.e. all terms must be satisfied.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
Defines a set of pods (namely those matching the labelSelector
|
|||
|
relative to the given namespace(s)) that this pod should be
|
|||
|
co-located (affinity) or not co-located (anti-affinity) with,
|
|||
|
where co-located is defined as running on a node whose value of
|
|||
|
the label with key <topologyKey> matches that of any node on which
|
|||
|
a pod of the set of pods is running
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- topologyKey
|
|||
|
properties:
|
|||
|
labelSelector:
|
|||
|
description: |-
|
|||
|
A label query over a set of resources, in this case pods.
|
|||
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
matchLabelKeys:
|
|||
|
description: |-
|
|||
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|||
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
mismatchLabelKeys:
|
|||
|
description: |-
|
|||
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|||
|
be taken into consideration. The keys are used to lookup values from the
|
|||
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|||
|
to select the group of existing pods which pods will be taken into consideration
|
|||
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|||
|
pod labels will be ignored. The default value is empty.
|
|||
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|||
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|||
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
namespaceSelector:
|
|||
|
description: |-
|
|||
|
A label query over the set of namespaces that the term applies to.
|
|||
|
The term is applied to the union of the namespaces selected by this field
|
|||
|
and the ones listed in the namespaces field.
|
|||
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|||
|
An empty selector ({}) matches all namespaces.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
matchExpressions:
|
|||
|
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|||
|
relates the key and values.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- key
|
|||
|
- operator
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: key is the label key that the selector applies to.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
operator represents a key's relationship to a set of values.
|
|||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|||
|
type: string
|
|||
|
values:
|
|||
|
description: |-
|
|||
|
values is an array of string values. If the operator is In or NotIn,
|
|||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|||
|
the values array must be empty. This array is replaced during a strategic
|
|||
|
merge patch.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
namespaces:
|
|||
|
description: |-
|
|||
|
namespaces specifies a static list of namespace names that the term applies to.
|
|||
|
The term is applied to the union of the namespaces listed in this field
|
|||
|
and the ones selected by namespaceSelector.
|
|||
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
topologyKey:
|
|||
|
description: |-
|
|||
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|||
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|||
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|||
|
selected pods is running.
|
|||
|
Empty topologyKey is not allowed.
|
|||
|
type: string
|
|||
|
x-kubernetes-list-type: atomic
|
|||
|
imagePullSecrets:
|
|||
|
description: If specified, the pod's imagePullSecrets
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
LocalObjectReference contains enough information to let you locate the
|
|||
|
referenced object inside the same namespace.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the referent.
|
|||
|
This field is effectively required, but due to backwards compatibility is
|
|||
|
allowed to be empty. Instances of this type with an empty value here are
|
|||
|
almost certainly wrong.
|
|||
|
TODO: Add other useful fields. apiVersion, kind, uid?
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
|
|||
|
type: string
|
|||
|
default: ""
|
|||
|
x-kubernetes-map-type: atomic
|
|||
|
nodeSelector:
|
|||
|
description: |-
|
|||
|
NodeSelector is a selector which must be true for the pod to fit on a node.
|
|||
|
Selector which must match a node's labels for the pod to be scheduled on that node.
|
|||
|
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
priorityClassName:
|
|||
|
description: If specified, the pod's priorityClassName.
|
|||
|
type: string
|
|||
|
serviceAccountName:
|
|||
|
description: If specified, the pod's service account
|
|||
|
type: string
|
|||
|
tolerations:
|
|||
|
description: If specified, the pod's tolerations.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
The pod this Toleration is attached to tolerates any taint that matches
|
|||
|
the triple <key,value,effect> using the matching operator <operator>.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
effect:
|
|||
|
description: |-
|
|||
|
Effect indicates the taint effect to match. Empty means match all taint effects.
|
|||
|
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
|
|||
|
type: string
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
Key is the taint key that the toleration applies to. Empty means match all taint keys.
|
|||
|
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
|
|||
|
type: string
|
|||
|
operator:
|
|||
|
description: |-
|
|||
|
Operator represents a key's relationship to the value.
|
|||
|
Valid operators are Exists and Equal. Defaults to Equal.
|
|||
|
Exists is equivalent to wildcard for value, so that a pod can
|
|||
|
tolerate all taints of a particular category.
|
|||
|
type: string
|
|||
|
tolerationSeconds:
|
|||
|
description: |-
|
|||
|
TolerationSeconds represents the period of time the toleration (which must be
|
|||
|
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
|
|||
|
it is not set, which means tolerate the taint forever (do not evict). Zero and
|
|||
|
negative values will be treated as 0 (evict immediately) by the system.
|
|||
|
type: integer
|
|||
|
format: int64
|
|||
|
value:
|
|||
|
description: |-
|
|||
|
Value is the taint value the toleration matches to.
|
|||
|
If the operator is Exists, the value should be empty, otherwise just a regular string.
|
|||
|
type: string
|
|||
|
serviceType:
|
|||
|
description: |-
|
|||
|
Optional service type for Kubernetes solver service. Supported values
|
|||
|
are NodePort or ClusterIP. If unset, defaults to NodePort.
|
|||
|
type: string
|
|||
|
selector:
|
|||
|
description: |-
|
|||
|
Selector selects a set of DNSNames on the Certificate resource that
|
|||
|
should be solved using this challenge solver.
|
|||
|
If not specified, the solver will be treated as the 'default' solver
|
|||
|
with the lowest priority, i.e. if any other solver has a more specific
|
|||
|
match, it will be used instead.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
dnsNames:
|
|||
|
description: |-
|
|||
|
List of DNSNames that this solver will be used to solve.
|
|||
|
If specified and a match is found, a dnsNames selector will take
|
|||
|
precedence over a dnsZones selector.
|
|||
|
If multiple solvers match with the same dnsNames value, the solver
|
|||
|
with the most matching labels in matchLabels will be selected.
|
|||
|
If neither has more matches, the solver defined earlier in the list
|
|||
|
will be selected.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
dnsZones:
|
|||
|
description: |-
|
|||
|
List of DNSZones that this solver will be used to solve.
|
|||
|
The most specific DNS zone match specified here will take precedence
|
|||
|
over other DNS zone matches, so a solver specifying sys.example.com
|
|||
|
will be selected over one specifying example.com for the domain
|
|||
|
www.sys.example.com.
|
|||
|
If multiple solvers match with the same dnsZones value, the solver
|
|||
|
with the most matching labels in matchLabels will be selected.
|
|||
|
If neither has more matches, the solver defined earlier in the list
|
|||
|
will be selected.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
matchLabels:
|
|||
|
description: |-
|
|||
|
A label selector that is used to refine the set of certificate's that
|
|||
|
this challenge solver will apply to.
|
|||
|
type: object
|
|||
|
additionalProperties:
|
|||
|
type: string
|
|||
|
ca:
|
|||
|
description: |-
|
|||
|
CA configures this issuer to sign certificates using a signing CA keypair
|
|||
|
stored in a Secret resource.
|
|||
|
This is used to build internal PKIs that are managed by cert-manager.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- secretName
|
|||
|
properties:
|
|||
|
crlDistributionPoints:
|
|||
|
description: |-
|
|||
|
The CRL distribution points is an X.509 v3 certificate extension which identifies
|
|||
|
the location of the CRL from which the revocation of this certificate can be checked.
|
|||
|
If not set, certificates will be issued without distribution points set.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
issuingCertificateURLs:
|
|||
|
description: |-
|
|||
|
IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
|
|||
|
it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
|
|||
|
As an example, such a URL might be "http://ca.domain.com/ca.crt".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
ocspServers:
|
|||
|
description: |-
|
|||
|
The OCSP server list is an X.509 v3 extension that defines a list of
|
|||
|
URLs of OCSP responders. The OCSP responders can be queried for the
|
|||
|
revocation status of an issued certificate. If not set, the
|
|||
|
certificate will be issued with no OCSP servers set. For example, an
|
|||
|
OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
secretName:
|
|||
|
description: |-
|
|||
|
SecretName is the name of the secret used to sign Certificates issued
|
|||
|
by this Issuer.
|
|||
|
type: string
|
|||
|
selfSigned:
|
|||
|
description: |-
|
|||
|
SelfSigned configures this issuer to 'self sign' certificates using the
|
|||
|
private key used to create the CertificateRequest object.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
crlDistributionPoints:
|
|||
|
description: |-
|
|||
|
The CRL distribution points is an X.509 v3 certificate extension which identifies
|
|||
|
the location of the CRL from which the revocation of this certificate can be checked.
|
|||
|
If not set certificate will be issued without CDP. Values are strings.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
vault:
|
|||
|
description: |-
|
|||
|
Vault configures this issuer to sign certificates using a HashiCorp Vault
|
|||
|
PKI backend.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- auth
|
|||
|
- path
|
|||
|
- server
|
|||
|
properties:
|
|||
|
auth:
|
|||
|
description: Auth configures how cert-manager authenticates with the Vault server.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
appRole:
|
|||
|
description: |-
|
|||
|
AppRole authenticates with Vault using the App Role auth mechanism,
|
|||
|
with the role and secret stored in a Kubernetes Secret resource.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- path
|
|||
|
- roleId
|
|||
|
- secretRef
|
|||
|
properties:
|
|||
|
path:
|
|||
|
description: |-
|
|||
|
Path where the App Role authentication backend is mounted in Vault, e.g:
|
|||
|
"approle"
|
|||
|
type: string
|
|||
|
roleId:
|
|||
|
description: |-
|
|||
|
RoleID configured in the App Role authentication backend when setting
|
|||
|
up the authentication backend in Vault.
|
|||
|
type: string
|
|||
|
secretRef:
|
|||
|
description: |-
|
|||
|
Reference to a key in a Secret that contains the App Role secret used
|
|||
|
to authenticate with Vault.
|
|||
|
The `key` field must be specified and denotes which entry within the Secret
|
|||
|
resource is used as the app role secret.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
kubernetes:
|
|||
|
description: |-
|
|||
|
Kubernetes authenticates with Vault by passing the ServiceAccount
|
|||
|
token stored in the named Secret resource to the Vault server.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- role
|
|||
|
properties:
|
|||
|
mountPath:
|
|||
|
description: |-
|
|||
|
The Vault mountPath here is the mount path to use when authenticating with
|
|||
|
Vault. For example, setting a value to `/v1/auth/foo`, will use the path
|
|||
|
`/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
|
|||
|
default value "/v1/auth/kubernetes" will be used.
|
|||
|
type: string
|
|||
|
role:
|
|||
|
description: |-
|
|||
|
A required field containing the Vault Role to assume. A Role binds a
|
|||
|
Kubernetes ServiceAccount with a set of Vault policies.
|
|||
|
type: string
|
|||
|
secretRef:
|
|||
|
description: |-
|
|||
|
The required Secret field containing a Kubernetes ServiceAccount JWT used
|
|||
|
for authenticating with Vault. Use of 'ambient credentials' is not
|
|||
|
supported.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
serviceAccountRef:
|
|||
|
description: |-
|
|||
|
A reference to a service account that will be used to request a bound
|
|||
|
token (also known as "projected token"). Compared to using "secretRef",
|
|||
|
using this field means that you don't rely on statically bound tokens. To
|
|||
|
use this field, you must configure an RBAC rule to let cert-manager
|
|||
|
request a token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
audiences:
|
|||
|
description: |-
|
|||
|
TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
|
|||
|
consisting of the issuer's namespace and name is always included.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: Name of the ServiceAccount used to request a token.
|
|||
|
type: string
|
|||
|
tokenSecretRef:
|
|||
|
description: TokenSecretRef authenticates with Vault by presenting a token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
caBundle:
|
|||
|
description: |-
|
|||
|
Base64-encoded bundle of PEM CAs which will be used to validate the certificate
|
|||
|
chain presented by Vault. Only used if using HTTPS to connect to Vault and
|
|||
|
ignored for HTTP connections.
|
|||
|
Mutually exclusive with CABundleSecretRef.
|
|||
|
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
|
|||
|
the cert-manager controller container is used to validate the TLS connection.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
caBundleSecretRef:
|
|||
|
description: |-
|
|||
|
Reference to a Secret containing a bundle of PEM-encoded CAs to use when
|
|||
|
verifying the certificate chain presented by Vault when using HTTPS.
|
|||
|
Mutually exclusive with CABundle.
|
|||
|
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
|
|||
|
the cert-manager controller container is used to validate the TLS connection.
|
|||
|
If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientCertSecretRef:
|
|||
|
description: |-
|
|||
|
Reference to a Secret containing a PEM-encoded Client Certificate to use when the
|
|||
|
Vault server requires mTLS.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
clientKeySecretRef:
|
|||
|
description: |-
|
|||
|
Reference to a Secret containing a PEM-encoded Client Private Key to use when the
|
|||
|
Vault server requires mTLS.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
namespace:
|
|||
|
description: |-
|
|||
|
Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
|
|||
|
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
|
|||
|
type: string
|
|||
|
path:
|
|||
|
description: |-
|
|||
|
Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
|
|||
|
"my_pki_mount/sign/my-role-name".
|
|||
|
type: string
|
|||
|
server:
|
|||
|
description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
|
|||
|
type: string
|
|||
|
venafi:
|
|||
|
description: |-
|
|||
|
Venafi configures this issuer to sign certificates using a Venafi TPP
|
|||
|
or Venafi Cloud policy zone.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- zone
|
|||
|
properties:
|
|||
|
cloud:
|
|||
|
description: |-
|
|||
|
Cloud specifies the Venafi cloud configuration settings.
|
|||
|
Only one of TPP or Cloud may be specified.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- apiTokenSecretRef
|
|||
|
properties:
|
|||
|
apiTokenSecretRef:
|
|||
|
description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
key:
|
|||
|
description: |-
|
|||
|
The key of the entry in the Secret resource's `data` field to be used.
|
|||
|
Some instances of this field may be defaulted, in others it may be
|
|||
|
required.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
url:
|
|||
|
description: |-
|
|||
|
URL is the base URL for Venafi Cloud.
|
|||
|
Defaults to "https://api.venafi.cloud/v1".
|
|||
|
type: string
|
|||
|
tpp:
|
|||
|
description: |-
|
|||
|
TPP specifies Trust Protection Platform configuration settings.
|
|||
|
Only one of TPP or Cloud may be specified.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- credentialsRef
|
|||
|
- url
|
|||
|
properties:
|
|||
|
caBundle:
|
|||
|
description: |-
|
|||
|
Base64-encoded bundle of PEM CAs which will be used to validate the certificate
|
|||
|
chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
|
|||
|
If undefined, the certificate bundle in the cert-manager controller container
|
|||
|
is used to validate the chain.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
credentialsRef:
|
|||
|
description: |-
|
|||
|
CredentialsRef is a reference to a Secret containing the username and
|
|||
|
password for the TPP server.
|
|||
|
The secret must contain two keys, 'username' and 'password'.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
name:
|
|||
|
description: |-
|
|||
|
Name of the resource being referred to.
|
|||
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|||
|
type: string
|
|||
|
url:
|
|||
|
description: |-
|
|||
|
URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
|
|||
|
for example: "https://tpp.example.com/vedsdk".
|
|||
|
type: string
|
|||
|
zone:
|
|||
|
description: |-
|
|||
|
Zone is the Venafi Policy Zone to use for this issuer.
|
|||
|
All requests made to the Venafi platform will be restricted by the named
|
|||
|
zone policy.
|
|||
|
This field is required.
|
|||
|
type: string
|
|||
|
status:
|
|||
|
description: Status of the Issuer. This is set and managed automatically.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
acme:
|
|||
|
description: |-
|
|||
|
ACME specific status options.
|
|||
|
This field should only be set if the Issuer is configured to use an ACME
|
|||
|
server to issue certificates.
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
lastPrivateKeyHash:
|
|||
|
description: |-
|
|||
|
LastPrivateKeyHash is a hash of the private key associated with the latest
|
|||
|
registered ACME account, in order to track changes made to registered account
|
|||
|
associated with the Issuer
|
|||
|
type: string
|
|||
|
lastRegisteredEmail:
|
|||
|
description: |-
|
|||
|
LastRegisteredEmail is the email associated with the latest registered
|
|||
|
ACME account, in order to track changes made to registered account
|
|||
|
associated with the Issuer
|
|||
|
type: string
|
|||
|
uri:
|
|||
|
description: |-
|
|||
|
URI is the unique account identifier, which can also be used to retrieve
|
|||
|
account details from the CA
|
|||
|
type: string
|
|||
|
conditions:
|
|||
|
description: |-
|
|||
|
List of status conditions to indicate the status of a CertificateRequest.
|
|||
|
Known condition types are `Ready`.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: IssuerCondition contains condition information for an Issuer.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- status
|
|||
|
- type
|
|||
|
properties:
|
|||
|
lastTransitionTime:
|
|||
|
description: |-
|
|||
|
LastTransitionTime is the timestamp corresponding to the last status
|
|||
|
change of this condition.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
message:
|
|||
|
description: |-
|
|||
|
Message is a human readable description of the details of the last
|
|||
|
transition, complementing reason.
|
|||
|
type: string
|
|||
|
observedGeneration:
|
|||
|
description: |-
|
|||
|
If set, this represents the .metadata.generation that the condition was
|
|||
|
set based upon.
|
|||
|
For instance, if .metadata.generation is currently 12, but the
|
|||
|
.status.condition[x].observedGeneration is 9, the condition is out of date
|
|||
|
with respect to the current state of the Issuer.
|
|||
|
type: integer
|
|||
|
format: int64
|
|||
|
reason:
|
|||
|
description: |-
|
|||
|
Reason is a brief machine readable explanation for the condition's last
|
|||
|
transition.
|
|||
|
type: string
|
|||
|
status:
|
|||
|
description: Status of the condition, one of (`True`, `False`, `Unknown`).
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- "True"
|
|||
|
- "False"
|
|||
|
- Unknown
|
|||
|
type:
|
|||
|
description: Type of the condition, known values are (`Ready`).
|
|||
|
type: string
|
|||
|
x-kubernetes-list-map-keys:
|
|||
|
- type
|
|||
|
x-kubernetes-list-type: map
|
|||
|
served: true
|
|||
|
storage: true
|
|||
|
|
|||
|
# END crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
apiVersion: apiextensions.k8s.io/v1
|
|||
|
kind: CustomResourceDefinition
|
|||
|
metadata:
|
|||
|
name: orders.acme.cert-manager.io
|
|||
|
# START annotations
|
|||
|
annotations:
|
|||
|
helm.sh/resource-policy: keep
|
|||
|
# END annotations
|
|||
|
labels:
|
|||
|
app: 'cert-manager'
|
|||
|
app.kubernetes.io/name: 'cert-manager'
|
|||
|
app.kubernetes.io/instance: 'cert-manager'
|
|||
|
app.kubernetes.io/component: "crds"
|
|||
|
# Generated labels
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
group: acme.cert-manager.io
|
|||
|
names:
|
|||
|
kind: Order
|
|||
|
listKind: OrderList
|
|||
|
plural: orders
|
|||
|
singular: order
|
|||
|
categories:
|
|||
|
- cert-manager
|
|||
|
- cert-manager-acme
|
|||
|
scope: Namespaced
|
|||
|
versions:
|
|||
|
- name: v1
|
|||
|
subresources:
|
|||
|
status: {}
|
|||
|
additionalPrinterColumns:
|
|||
|
- jsonPath: .status.state
|
|||
|
name: State
|
|||
|
type: string
|
|||
|
- jsonPath: .spec.issuerRef.name
|
|||
|
name: Issuer
|
|||
|
priority: 1
|
|||
|
type: string
|
|||
|
- jsonPath: .status.reason
|
|||
|
name: Reason
|
|||
|
priority: 1
|
|||
|
type: string
|
|||
|
- jsonPath: .metadata.creationTimestamp
|
|||
|
description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
|
|||
|
name: Age
|
|||
|
type: date
|
|||
|
schema:
|
|||
|
openAPIV3Schema:
|
|||
|
description: Order is a type to represent an Order with an ACME server
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- metadata
|
|||
|
- spec
|
|||
|
properties:
|
|||
|
apiVersion:
|
|||
|
description: |-
|
|||
|
APIVersion defines the versioned schema of this representation of an object.
|
|||
|
Servers should convert recognized schemas to the latest internal value, and
|
|||
|
may reject unrecognized values.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: |-
|
|||
|
Kind is a string value representing the REST resource this object represents.
|
|||
|
Servers may infer this from the endpoint the client submits requests to.
|
|||
|
Cannot be updated.
|
|||
|
In CamelCase.
|
|||
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|||
|
type: string
|
|||
|
metadata:
|
|||
|
type: object
|
|||
|
spec:
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- issuerRef
|
|||
|
- request
|
|||
|
properties:
|
|||
|
commonName:
|
|||
|
description: |-
|
|||
|
CommonName is the common name as specified on the DER encoded CSR.
|
|||
|
If specified, this value must also be present in `dnsNames` or `ipAddresses`.
|
|||
|
This field must match the corresponding field on the DER encoded CSR.
|
|||
|
type: string
|
|||
|
dnsNames:
|
|||
|
description: |-
|
|||
|
DNSNames is a list of DNS names that should be included as part of the Order
|
|||
|
validation process.
|
|||
|
This field must match the corresponding field on the DER encoded CSR.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
duration:
|
|||
|
description: |-
|
|||
|
Duration is the duration for the not after date for the requested certificate.
|
|||
|
this is set on order creation as pe the ACME spec.
|
|||
|
type: string
|
|||
|
ipAddresses:
|
|||
|
description: |-
|
|||
|
IPAddresses is a list of IP addresses that should be included as part of the Order
|
|||
|
validation process.
|
|||
|
This field must match the corresponding field on the DER encoded CSR.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
type: string
|
|||
|
issuerRef:
|
|||
|
description: |-
|
|||
|
IssuerRef references a properly configured ACME-type Issuer which should
|
|||
|
be used to create this Order.
|
|||
|
If the Issuer does not exist, processing will be retried.
|
|||
|
If the Issuer is not an 'ACME' Issuer, an error will be returned and the
|
|||
|
Order will be marked as failed.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- name
|
|||
|
properties:
|
|||
|
group:
|
|||
|
description: Group of the resource being referred to.
|
|||
|
type: string
|
|||
|
kind:
|
|||
|
description: Kind of the resource being referred to.
|
|||
|
type: string
|
|||
|
name:
|
|||
|
description: Name of the resource being referred to.
|
|||
|
type: string
|
|||
|
request:
|
|||
|
description: |-
|
|||
|
Certificate signing request bytes in DER encoding.
|
|||
|
This will be used when finalizing the order.
|
|||
|
This field must be set on the order.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
status:
|
|||
|
type: object
|
|||
|
properties:
|
|||
|
authorizations:
|
|||
|
description: |-
|
|||
|
Authorizations contains data returned from the ACME server on what
|
|||
|
authorizations must be completed in order to validate the DNS names
|
|||
|
specified on the Order.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
ACMEAuthorization contains data returned from the ACME server on an
|
|||
|
authorization that must be completed in order validate a DNS name on an ACME
|
|||
|
Order resource.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- url
|
|||
|
properties:
|
|||
|
challenges:
|
|||
|
description: |-
|
|||
|
Challenges specifies the challenge types offered by the ACME server.
|
|||
|
One of these challenge types will be selected when validating the DNS
|
|||
|
name and an appropriate Challenge resource will be created to perform
|
|||
|
the ACME challenge process.
|
|||
|
type: array
|
|||
|
items:
|
|||
|
description: |-
|
|||
|
Challenge specifies a challenge offered by the ACME server for an Order.
|
|||
|
An appropriate Challenge resource can be created to perform the ACME
|
|||
|
challenge process.
|
|||
|
type: object
|
|||
|
required:
|
|||
|
- token
|
|||
|
- type
|
|||
|
- url
|
|||
|
properties:
|
|||
|
token:
|
|||
|
description: |-
|
|||
|
Token is the token that must be presented for this challenge.
|
|||
|
This is used to compute the 'key' that must also be presented.
|
|||
|
type: string
|
|||
|
type:
|
|||
|
description: |-
|
|||
|
Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
|
|||
|
'tls-sni-01', etc.
|
|||
|
This is the raw value retrieved from the ACME server.
|
|||
|
Only 'http-01' and 'dns-01' are supported by cert-manager, other values
|
|||
|
will be ignored.
|
|||
|
type: string
|
|||
|
url:
|
|||
|
description: |-
|
|||
|
URL is the URL of this challenge. It can be used to retrieve additional
|
|||
|
metadata about the Challenge from the ACME server.
|
|||
|
type: string
|
|||
|
identifier:
|
|||
|
description: Identifier is the DNS name to be validated as part of this authorization
|
|||
|
type: string
|
|||
|
initialState:
|
|||
|
description: |-
|
|||
|
InitialState is the initial state of the ACME authorization when first
|
|||
|
fetched from the ACME server.
|
|||
|
If an Authorization is already 'valid', the Order controller will not
|
|||
|
create a Challenge resource for the authorization. This will occur when
|
|||
|
working with an ACME server that enables 'authz reuse' (such as Let's
|
|||
|
Encrypt's production endpoint).
|
|||
|
If not set and 'identifier' is set, the state is assumed to be pending
|
|||
|
and a Challenge will be created.
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- valid
|
|||
|
- ready
|
|||
|
- pending
|
|||
|
- processing
|
|||
|
- invalid
|
|||
|
- expired
|
|||
|
- errored
|
|||
|
url:
|
|||
|
description: URL is the URL of the Authorization that must be completed
|
|||
|
type: string
|
|||
|
wildcard:
|
|||
|
description: |-
|
|||
|
Wildcard will be true if this authorization is for a wildcard DNS name.
|
|||
|
If this is true, the identifier will be the *non-wildcard* version of
|
|||
|
the DNS name.
|
|||
|
For example, if '*.example.com' is the DNS name being validated, this
|
|||
|
field will be 'true' and the 'identifier' field will be 'example.com'.
|
|||
|
type: boolean
|
|||
|
certificate:
|
|||
|
description: |-
|
|||
|
Certificate is a copy of the PEM encoded certificate for this Order.
|
|||
|
This field will be populated after the order has been successfully
|
|||
|
finalized with the ACME server, and the order has transitioned to the
|
|||
|
'valid' state.
|
|||
|
type: string
|
|||
|
format: byte
|
|||
|
failureTime:
|
|||
|
description: |-
|
|||
|
FailureTime stores the time that this order failed.
|
|||
|
This is used to influence garbage collection and back-off.
|
|||
|
type: string
|
|||
|
format: date-time
|
|||
|
finalizeURL:
|
|||
|
description: |-
|
|||
|
FinalizeURL of the Order.
|
|||
|
This is used to obtain certificates for this order once it has been completed.
|
|||
|
type: string
|
|||
|
reason:
|
|||
|
description: |-
|
|||
|
Reason optionally provides more information about a why the order is in
|
|||
|
the current state.
|
|||
|
type: string
|
|||
|
state:
|
|||
|
description: |-
|
|||
|
State contains the current state of this Order resource.
|
|||
|
States 'success' and 'expired' are 'final'
|
|||
|
type: string
|
|||
|
enum:
|
|||
|
- valid
|
|||
|
- ready
|
|||
|
- pending
|
|||
|
- processing
|
|||
|
- invalid
|
|||
|
- expired
|
|||
|
- errored
|
|||
|
url:
|
|||
|
description: |-
|
|||
|
URL of the Order.
|
|||
|
This will initially be empty when the resource is first created.
|
|||
|
The Order controller will populate this field when the Order is first processed.
|
|||
|
This field will be immutable after it is initially set.
|
|||
|
type: string
|
|||
|
served: true
|
|||
|
storage: true
|
|||
|
|
|||
|
# END crd
|
|||
|
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
|
|||
|
apiVersion: v1
|
|||
|
kind: ServiceAccount
|
|||
|
automountServiceAccountToken: true
|
|||
|
metadata:
|
|||
|
name: cert-manager-cainjector
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: cainjector
|
|||
|
app.kubernetes.io/name: cainjector
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cainjector"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/serviceaccount.yaml
|
|||
|
apiVersion: v1
|
|||
|
kind: ServiceAccount
|
|||
|
automountServiceAccountToken: true
|
|||
|
metadata:
|
|||
|
name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/webhook-serviceaccount.yaml
|
|||
|
apiVersion: v1
|
|||
|
kind: ServiceAccount
|
|||
|
automountServiceAccountToken: true
|
|||
|
metadata:
|
|||
|
name: cert-manager-webhook
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/cainjector-rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-cainjector
|
|||
|
labels:
|
|||
|
app: cainjector
|
|||
|
app.kubernetes.io/name: cainjector
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cainjector"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["certificates"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["secrets"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["events"]
|
|||
|
verbs: ["get", "create", "update", "patch"]
|
|||
|
- apiGroups: ["admissionregistration.k8s.io"]
|
|||
|
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
|||
|
verbs: ["get", "list", "watch", "update", "patch"]
|
|||
|
- apiGroups: ["apiregistration.k8s.io"]
|
|||
|
resources: ["apiservices"]
|
|||
|
verbs: ["get", "list", "watch", "update", "patch"]
|
|||
|
- apiGroups: ["apiextensions.k8s.io"]
|
|||
|
resources: ["customresourcedefinitions"]
|
|||
|
verbs: ["get", "list", "watch", "update", "patch"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
# Issuer controller role
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-issuers
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["issuers", "issuers/status"]
|
|||
|
verbs: ["update", "patch"]
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["issuers"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["secrets"]
|
|||
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["events"]
|
|||
|
verbs: ["create", "patch"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
# ClusterIssuer controller role
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-clusterissuers
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["clusterissuers", "clusterissuers/status"]
|
|||
|
verbs: ["update", "patch"]
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["clusterissuers"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["secrets"]
|
|||
|
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["events"]
|
|||
|
verbs: ["create", "patch"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
# Certificates controller role
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-certificates
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
|||
|
verbs: ["update", "patch"]
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|||
|
# admission controller enabled:
|
|||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
|||
|
verbs: ["update"]
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["orders"]
|
|||
|
verbs: ["create", "delete", "get", "list", "watch"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["secrets"]
|
|||
|
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["events"]
|
|||
|
verbs: ["create", "patch"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
# Orders controller role
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-orders
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["orders", "orders/status"]
|
|||
|
verbs: ["update", "patch"]
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["orders", "challenges"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["clusterissuers", "issuers"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["challenges"]
|
|||
|
verbs: ["create", "delete"]
|
|||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|||
|
# admission controller enabled:
|
|||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["orders/finalizers"]
|
|||
|
verbs: ["update"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["secrets"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["events"]
|
|||
|
verbs: ["create", "patch"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
# Challenges controller role
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-challenges
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
# Use to update challenge resource status
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["challenges", "challenges/status"]
|
|||
|
verbs: ["update", "patch"]
|
|||
|
# Used to watch challenge resources
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["challenges"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
# Used to watch challenges, issuer and clusterissuer resources
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["issuers", "clusterissuers"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
# Need to be able to retrieve ACME account private key to complete challenges
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["secrets"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
# Used to create events
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["events"]
|
|||
|
verbs: ["create", "patch"]
|
|||
|
# HTTP01 rules
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["pods", "services"]
|
|||
|
verbs: ["get", "list", "watch", "create", "delete"]
|
|||
|
- apiGroups: ["networking.k8s.io"]
|
|||
|
resources: ["ingresses"]
|
|||
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
|||
|
- apiGroups: [ "gateway.networking.k8s.io" ]
|
|||
|
resources: [ "httproutes" ]
|
|||
|
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
|||
|
# We require the ability to specify a custom hostname when we are creating
|
|||
|
# new ingress resources.
|
|||
|
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
|||
|
- apiGroups: ["route.openshift.io"]
|
|||
|
resources: ["routes/custom-host"]
|
|||
|
verbs: ["create"]
|
|||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|||
|
# admission controller enabled:
|
|||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["challenges/finalizers"]
|
|||
|
verbs: ["update"]
|
|||
|
# DNS01 rules (duplicated above)
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["secrets"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
# ingress-shim controller role
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-ingress-shim
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["certificates", "certificaterequests"]
|
|||
|
verbs: ["create", "update", "delete"]
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: ["networking.k8s.io"]
|
|||
|
resources: ["ingresses"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
|||
|
# admission controller enabled:
|
|||
|
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
|||
|
- apiGroups: ["networking.k8s.io"]
|
|||
|
resources: ["ingresses/finalizers"]
|
|||
|
verbs: ["update"]
|
|||
|
- apiGroups: ["gateway.networking.k8s.io"]
|
|||
|
resources: ["gateways", "httproutes"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: ["gateway.networking.k8s.io"]
|
|||
|
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
|||
|
verbs: ["update"]
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["events"]
|
|||
|
verbs: ["create", "patch"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-cluster-view
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
|||
|
rules:
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["clusterissuers"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-view
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
|||
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
|||
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|||
|
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
|
|||
|
rules:
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["certificates", "certificaterequests", "issuers"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["challenges", "orders"]
|
|||
|
verbs: ["get", "list", "watch"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-edit
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
|||
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|||
|
rules:
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["certificates", "certificaterequests", "issuers"]
|
|||
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["certificates/status"]
|
|||
|
verbs: ["update"]
|
|||
|
- apiGroups: ["acme.cert-manager.io"]
|
|||
|
resources: ["challenges", "orders"]
|
|||
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-approve:cert-manager-io
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cert-manager"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["cert-manager.io"]
|
|||
|
resources: ["signers"]
|
|||
|
verbs: ["approve"]
|
|||
|
resourceNames:
|
|||
|
- "issuers.cert-manager.io/*"
|
|||
|
- "clusterissuers.cert-manager.io/*"
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
# Permission to:
|
|||
|
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
|
|||
|
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-certificatesigningrequests
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cert-manager"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["certificates.k8s.io"]
|
|||
|
resources: ["certificatesigningrequests"]
|
|||
|
verbs: ["get", "list", "watch", "update"]
|
|||
|
- apiGroups: ["certificates.k8s.io"]
|
|||
|
resources: ["certificatesigningrequests/status"]
|
|||
|
verbs: ["update", "patch"]
|
|||
|
- apiGroups: ["certificates.k8s.io"]
|
|||
|
resources: ["signers"]
|
|||
|
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
|||
|
verbs: ["sign"]
|
|||
|
- apiGroups: ["authorization.k8s.io"]
|
|||
|
resources: ["subjectaccessreviews"]
|
|||
|
verbs: ["create"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/webhook-rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRole
|
|||
|
metadata:
|
|||
|
name: cert-manager-webhook:subjectaccessreviews
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["authorization.k8s.io"]
|
|||
|
resources: ["subjectaccessreviews"]
|
|||
|
verbs: ["create"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/cainjector-rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-cainjector
|
|||
|
labels:
|
|||
|
app: cainjector
|
|||
|
app.kubernetes.io/name: cainjector
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cainjector"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-cainjector
|
|||
|
subjects:
|
|||
|
- name: cert-manager-cainjector
|
|||
|
namespace: cert-manager
|
|||
|
kind: ServiceAccount
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-issuers
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-controller-issuers
|
|||
|
subjects:
|
|||
|
- name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
kind: ServiceAccount
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-clusterissuers
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-controller-clusterissuers
|
|||
|
subjects:
|
|||
|
- name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
kind: ServiceAccount
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-certificates
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-controller-certificates
|
|||
|
subjects:
|
|||
|
- name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
kind: ServiceAccount
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-orders
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-controller-orders
|
|||
|
subjects:
|
|||
|
- name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
kind: ServiceAccount
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-challenges
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-controller-challenges
|
|||
|
subjects:
|
|||
|
- name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
kind: ServiceAccount
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-ingress-shim
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-controller-ingress-shim
|
|||
|
subjects:
|
|||
|
- name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
kind: ServiceAccount
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-approve:cert-manager-io
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cert-manager"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-controller-approve:cert-manager-io
|
|||
|
subjects:
|
|||
|
- name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
kind: ServiceAccount
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-controller-certificatesigningrequests
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cert-manager"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-controller-certificatesigningrequests
|
|||
|
subjects:
|
|||
|
- name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
kind: ServiceAccount
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/webhook-rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: ClusterRoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-webhook:subjectaccessreviews
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: ClusterRole
|
|||
|
name: cert-manager-webhook:subjectaccessreviews
|
|||
|
subjects:
|
|||
|
- apiGroup: ""
|
|||
|
kind: ServiceAccount
|
|||
|
name: cert-manager-webhook
|
|||
|
namespace: cert-manager
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/cainjector-rbac.yaml
|
|||
|
# leader election rules
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: Role
|
|||
|
metadata:
|
|||
|
name: cert-manager-cainjector:leaderelection
|
|||
|
namespace: kube-system
|
|||
|
labels:
|
|||
|
app: cainjector
|
|||
|
app.kubernetes.io/name: cainjector
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cainjector"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
# Used for leader election by the controller
|
|||
|
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
|||
|
# see cmd/cainjector/start.go#L113
|
|||
|
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
|||
|
# see cmd/cainjector/start.go#L137
|
|||
|
- apiGroups: ["coordination.k8s.io"]
|
|||
|
resources: ["leases"]
|
|||
|
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
|||
|
verbs: ["get", "update", "patch"]
|
|||
|
- apiGroups: ["coordination.k8s.io"]
|
|||
|
resources: ["leases"]
|
|||
|
verbs: ["create"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: Role
|
|||
|
metadata:
|
|||
|
name: cert-manager:leaderelection
|
|||
|
namespace: kube-system
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: ["coordination.k8s.io"]
|
|||
|
resources: ["leases"]
|
|||
|
resourceNames: ["cert-manager-controller"]
|
|||
|
verbs: ["get", "update", "patch"]
|
|||
|
- apiGroups: ["coordination.k8s.io"]
|
|||
|
resources: ["leases"]
|
|||
|
verbs: ["create"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/webhook-rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: Role
|
|||
|
metadata:
|
|||
|
name: cert-manager-webhook:dynamic-serving
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
rules:
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["secrets"]
|
|||
|
resourceNames:
|
|||
|
- 'cert-manager-webhook-ca'
|
|||
|
verbs: ["get", "list", "watch", "update"]
|
|||
|
# It's not possible to grant CREATE permission on a single resourceName.
|
|||
|
- apiGroups: [""]
|
|||
|
resources: ["secrets"]
|
|||
|
verbs: ["create"]
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/cainjector-rbac.yaml
|
|||
|
# grant cert-manager permission to manage the leaderelection configmap in the
|
|||
|
# leader election namespace
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: RoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-cainjector:leaderelection
|
|||
|
namespace: kube-system
|
|||
|
labels:
|
|||
|
app: cainjector
|
|||
|
app.kubernetes.io/name: cainjector
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cainjector"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: Role
|
|||
|
name: cert-manager-cainjector:leaderelection
|
|||
|
subjects:
|
|||
|
- kind: ServiceAccount
|
|||
|
name: cert-manager-cainjector
|
|||
|
namespace: cert-manager
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/rbac.yaml
|
|||
|
# grant cert-manager permission to manage the leaderelection configmap in the
|
|||
|
# leader election namespace
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: RoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager:leaderelection
|
|||
|
namespace: kube-system
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: Role
|
|||
|
name: cert-manager:leaderelection
|
|||
|
subjects:
|
|||
|
- apiGroup: ""
|
|||
|
kind: ServiceAccount
|
|||
|
name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/webhook-rbac.yaml
|
|||
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
kind: RoleBinding
|
|||
|
metadata:
|
|||
|
name: cert-manager-webhook:dynamic-serving
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
roleRef:
|
|||
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
kind: Role
|
|||
|
name: cert-manager-webhook:dynamic-serving
|
|||
|
subjects:
|
|||
|
- apiGroup: ""
|
|||
|
kind: ServiceAccount
|
|||
|
name: cert-manager-webhook
|
|||
|
namespace: cert-manager
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/service.yaml
|
|||
|
apiVersion: v1
|
|||
|
kind: Service
|
|||
|
metadata:
|
|||
|
name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
type: ClusterIP
|
|||
|
ports:
|
|||
|
- protocol: TCP
|
|||
|
port: 9402
|
|||
|
name: tcp-prometheus-servicemonitor
|
|||
|
targetPort: 9402
|
|||
|
selector:
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/webhook-service.yaml
|
|||
|
apiVersion: v1
|
|||
|
kind: Service
|
|||
|
metadata:
|
|||
|
name: cert-manager-webhook
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
type: ClusterIP
|
|||
|
ports:
|
|||
|
- name: https
|
|||
|
port: 443
|
|||
|
protocol: TCP
|
|||
|
targetPort: "https"
|
|||
|
selector:
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/cainjector-deployment.yaml
|
|||
|
apiVersion: apps/v1
|
|||
|
kind: Deployment
|
|||
|
metadata:
|
|||
|
name: cert-manager-cainjector
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: cainjector
|
|||
|
app.kubernetes.io/name: cainjector
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cainjector"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
replicas: 1
|
|||
|
selector:
|
|||
|
matchLabels:
|
|||
|
app.kubernetes.io/name: cainjector
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cainjector"
|
|||
|
template:
|
|||
|
metadata:
|
|||
|
labels:
|
|||
|
app: cainjector
|
|||
|
app.kubernetes.io/name: cainjector
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "cainjector"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
serviceAccountName: cert-manager-cainjector
|
|||
|
enableServiceLinks: false
|
|||
|
securityContext:
|
|||
|
runAsNonRoot: true
|
|||
|
seccompProfile:
|
|||
|
type: RuntimeDefault
|
|||
|
containers:
|
|||
|
- name: cert-manager-cainjector
|
|||
|
image: "quay.io/jetstack/cert-manager-cainjector:v1.15.0"
|
|||
|
imagePullPolicy: IfNotPresent
|
|||
|
args:
|
|||
|
- --v=2
|
|||
|
- --leader-election-namespace=kube-system
|
|||
|
env:
|
|||
|
- name: POD_NAMESPACE
|
|||
|
valueFrom:
|
|||
|
fieldRef:
|
|||
|
fieldPath: metadata.namespace
|
|||
|
securityContext:
|
|||
|
allowPrivilegeEscalation: false
|
|||
|
capabilities:
|
|||
|
drop:
|
|||
|
- ALL
|
|||
|
readOnlyRootFilesystem: true
|
|||
|
nodeSelector:
|
|||
|
kubernetes.io/os: linux
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/deployment.yaml
|
|||
|
apiVersion: apps/v1
|
|||
|
kind: Deployment
|
|||
|
metadata:
|
|||
|
name: cert-manager
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
replicas: 1
|
|||
|
selector:
|
|||
|
matchLabels:
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
template:
|
|||
|
metadata:
|
|||
|
labels:
|
|||
|
app: cert-manager
|
|||
|
app.kubernetes.io/name: cert-manager
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "controller"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
annotations:
|
|||
|
prometheus.io/path: "/metrics"
|
|||
|
prometheus.io/scrape: 'true'
|
|||
|
prometheus.io/port: '9402'
|
|||
|
spec:
|
|||
|
serviceAccountName: cert-manager
|
|||
|
enableServiceLinks: false
|
|||
|
securityContext:
|
|||
|
runAsNonRoot: true
|
|||
|
seccompProfile:
|
|||
|
type: RuntimeDefault
|
|||
|
containers:
|
|||
|
- name: cert-manager-controller
|
|||
|
image: "quay.io/jetstack/cert-manager-controller:v1.15.0"
|
|||
|
imagePullPolicy: IfNotPresent
|
|||
|
args:
|
|||
|
- --v=2
|
|||
|
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
|||
|
- --leader-election-namespace=kube-system
|
|||
|
- --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.15.0
|
|||
|
- --max-concurrent-challenges=60
|
|||
|
- --dns01-recursive-nameservers-only
|
|||
|
ports:
|
|||
|
- containerPort: 9402
|
|||
|
name: http-metrics
|
|||
|
protocol: TCP
|
|||
|
- containerPort: 9403
|
|||
|
name: http-healthz
|
|||
|
protocol: TCP
|
|||
|
securityContext:
|
|||
|
allowPrivilegeEscalation: false
|
|||
|
capabilities:
|
|||
|
drop:
|
|||
|
- ALL
|
|||
|
readOnlyRootFilesystem: true
|
|||
|
env:
|
|||
|
- name: POD_NAMESPACE
|
|||
|
valueFrom:
|
|||
|
fieldRef:
|
|||
|
fieldPath: metadata.namespace
|
|||
|
# LivenessProbe settings are based on those used for the Kubernetes
|
|||
|
# controller-manager. See:
|
|||
|
# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
|
|||
|
livenessProbe:
|
|||
|
httpGet:
|
|||
|
port: http-healthz
|
|||
|
path: /livez
|
|||
|
scheme: HTTP
|
|||
|
initialDelaySeconds: 10
|
|||
|
periodSeconds: 10
|
|||
|
timeoutSeconds: 15
|
|||
|
successThreshold: 1
|
|||
|
failureThreshold: 8
|
|||
|
nodeSelector:
|
|||
|
kubernetes.io/os: linux
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/webhook-deployment.yaml
|
|||
|
apiVersion: apps/v1
|
|||
|
kind: Deployment
|
|||
|
metadata:
|
|||
|
name: cert-manager-webhook
|
|||
|
namespace: cert-manager
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
replicas: 1
|
|||
|
selector:
|
|||
|
matchLabels:
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
template:
|
|||
|
metadata:
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
spec:
|
|||
|
serviceAccountName: cert-manager-webhook
|
|||
|
enableServiceLinks: false
|
|||
|
securityContext:
|
|||
|
runAsNonRoot: true
|
|||
|
seccompProfile:
|
|||
|
type: RuntimeDefault
|
|||
|
containers:
|
|||
|
- name: cert-manager-webhook
|
|||
|
image: "quay.io/jetstack/cert-manager-webhook:v1.15.0"
|
|||
|
imagePullPolicy: IfNotPresent
|
|||
|
args:
|
|||
|
- --v=2
|
|||
|
- --secure-port=10250
|
|||
|
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
|||
|
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
|
|||
|
- --dynamic-serving-dns-names=cert-manager-webhook
|
|||
|
- --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
|
|||
|
- --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
|
|||
|
|
|||
|
ports:
|
|||
|
- name: https
|
|||
|
protocol: TCP
|
|||
|
containerPort: 10250
|
|||
|
- name: healthcheck
|
|||
|
protocol: TCP
|
|||
|
containerPort: 6080
|
|||
|
livenessProbe:
|
|||
|
httpGet:
|
|||
|
path: /livez
|
|||
|
port: 6080
|
|||
|
scheme: HTTP
|
|||
|
initialDelaySeconds: 60
|
|||
|
periodSeconds: 10
|
|||
|
timeoutSeconds: 1
|
|||
|
successThreshold: 1
|
|||
|
failureThreshold: 3
|
|||
|
readinessProbe:
|
|||
|
httpGet:
|
|||
|
path: /healthz
|
|||
|
port: 6080
|
|||
|
scheme: HTTP
|
|||
|
initialDelaySeconds: 5
|
|||
|
periodSeconds: 5
|
|||
|
timeoutSeconds: 1
|
|||
|
successThreshold: 1
|
|||
|
failureThreshold: 3
|
|||
|
securityContext:
|
|||
|
allowPrivilegeEscalation: false
|
|||
|
capabilities:
|
|||
|
drop:
|
|||
|
- ALL
|
|||
|
readOnlyRootFilesystem: true
|
|||
|
env:
|
|||
|
- name: POD_NAMESPACE
|
|||
|
valueFrom:
|
|||
|
fieldRef:
|
|||
|
fieldPath: metadata.namespace
|
|||
|
nodeSelector:
|
|||
|
kubernetes.io/os: linux
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
#
|
|||
|
# START crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/crds.yaml
|
|||
|
# START crd
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
|
|||
|
apiVersion: admissionregistration.k8s.io/v1
|
|||
|
kind: MutatingWebhookConfiguration
|
|||
|
metadata:
|
|||
|
name: cert-manager-webhook
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
annotations:
|
|||
|
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
|
|||
|
webhooks:
|
|||
|
- name: webhook.cert-manager.io
|
|||
|
rules:
|
|||
|
- apiGroups:
|
|||
|
- "cert-manager.io"
|
|||
|
apiVersions:
|
|||
|
- "v1"
|
|||
|
operations:
|
|||
|
- CREATE
|
|||
|
resources:
|
|||
|
- "certificaterequests"
|
|||
|
admissionReviewVersions: ["v1"]
|
|||
|
# This webhook only accepts v1 cert-manager resources.
|
|||
|
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
|||
|
# this webhook (after the resources have been converted to v1).
|
|||
|
matchPolicy: Equivalent
|
|||
|
timeoutSeconds: 30
|
|||
|
failurePolicy: Fail
|
|||
|
# Only include 'sideEffects' field in Kubernetes 1.12+
|
|||
|
sideEffects: None
|
|||
|
clientConfig:
|
|||
|
service:
|
|||
|
name: cert-manager-webhook
|
|||
|
namespace: cert-manager
|
|||
|
path: /mutate
|
|||
|
---
|
|||
|
# Source: cert-manager/templates/webhook-validating-webhook.yaml
|
|||
|
apiVersion: admissionregistration.k8s.io/v1
|
|||
|
kind: ValidatingWebhookConfiguration
|
|||
|
metadata:
|
|||
|
name: cert-manager-webhook
|
|||
|
labels:
|
|||
|
app: webhook
|
|||
|
app.kubernetes.io/name: webhook
|
|||
|
app.kubernetes.io/instance: cert-manager
|
|||
|
app.kubernetes.io/component: "webhook"
|
|||
|
app.kubernetes.io/version: "v1.15.0"
|
|||
|
annotations:
|
|||
|
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
|
|||
|
webhooks:
|
|||
|
- name: webhook.cert-manager.io
|
|||
|
namespaceSelector:
|
|||
|
matchExpressions:
|
|||
|
- key: cert-manager.io/disable-validation
|
|||
|
operator: NotIn
|
|||
|
values:
|
|||
|
- "true"
|
|||
|
rules:
|
|||
|
- apiGroups:
|
|||
|
- "cert-manager.io"
|
|||
|
- "acme.cert-manager.io"
|
|||
|
apiVersions:
|
|||
|
- "v1"
|
|||
|
operations:
|
|||
|
- CREATE
|
|||
|
- UPDATE
|
|||
|
resources:
|
|||
|
- "*/*"
|
|||
|
admissionReviewVersions: ["v1"]
|
|||
|
# This webhook only accepts v1 cert-manager resources.
|
|||
|
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
|||
|
# this webhook (after the resources have been converted to v1).
|
|||
|
matchPolicy: Equivalent
|
|||
|
timeoutSeconds: 30
|
|||
|
failurePolicy: Fail
|
|||
|
sideEffects: None
|
|||
|
clientConfig:
|
|||
|
service:
|
|||
|
name: cert-manager-webhook
|
|||
|
namespace: cert-manager
|
|||
|
path: /validate
|