diff --git a/internal/operator/installers/v0.0.1-alpha.25.yaml b/internal/operator/installers/v0.0.1-alpha.25.yaml new file mode 100644 index 0000000..723a1c8 --- /dev/null +++ b/internal/operator/installers/v0.0.1-alpha.25.yaml @@ -0,0 +1,6606 @@ +# This manifest was generated by running helm template js-operator oci://eu.gcr.io/jetstack-secure-enterprise/charts/js-operator --namespace jetstack-secure --set images.secret.enabled=true --version v0.0.1-alpha.25 > internal/operator/installers/v0.0.1-alpha.25.yaml +# and making some changes: +# - sed -i '/helm\.sh/d' internal/operator/installers/v0.0.1-alpha.25.yaml +# - sed -i '/app.kubernetes.io\/managed-by: Helm/d' internal/operator/installers/v0.0.1-alpha.25.yaml +# - parameterize js-operator and cainjector images +# - ensure that namespaced resources are created in jetstack-secure namespace +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: js-operator-cainjector + namespace: jetstack-secure + labels: + app.kubernetes.io/name: js-operator + app.kubernetes.io/instance: js-operator + app.kubernetes.io/version: "v0.0.1-alpha.25" + app.kubernetes.io/component: "cainjector" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: js-operator-operator + namespace: jetstack-secure + labels: + app.kubernetes.io/name: js-operator + app.kubernetes.io/instance: js-operator + app.kubernetes.io/version: "v0.0.1-alpha.25" + app.kubernetes.io/component: "operator" +--- +apiVersion: v1 +kind: Secret +metadata: + name: js-operator-webhook-tls + namespace: jetstack-secure + annotations: + cert-manager.io/allow-direct-injection: "true" + labels: + app.kubernetes.io/name: js-operator + app.kubernetes.io/instance: js-operator + app.kubernetes.io/version: "v0.0.1-alpha.25" + app.kubernetes.io/component: "operator" +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + name: installations.operator.jetstack.io +spec: + group: operator.jetstack.io + names: + kind: Installation + listKind: InstallationList + plural: installations + singular: installation + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Installation Ready + jsonPath: .status.conditions[?(@.type == "Ready")].status + name: Ready + type: string + - description: Timestamp Installation was created + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Installation represents an installation of Jetstack Secure components + and resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: InstallationSpec defines the desired state of Installation + properties: + approverPolicy: + description: ApproverPolicy contains configuration options for the + Installation's approver-policy installation. This field or approverPolicyEnterprise + must be set as approver-policy is a required component. https://platform.jetstack.io/documentation/installation/approver-policy + properties: + replicas: + description: ReplicaCount is the number of approver-policy instances + to run. Defaults to 2 instances. + minimum: 1 + type: integer + version: + description: 'Version is the version of approver-policy to install + https://github.com/cert-manager/approver-policy/releases. Default + version: v0.6.3. Supported Versions: v0.6.3, v0.6.2' + type: string + type: object + approverPolicyEnterprise: + description: ApproverPolicyEnterprise contains configuration options + for the Installation's approver-policy-enterprise installation. + This is mutually exclusive with the approverPolicy field. https://platform.jetstack.io/documentation/installation/approver-policy + properties: + replicas: + description: ReplicaCount is the number of approver-policy instances + to run. Defaults to 2 instances. + minimum: 1 + type: integer + version: + description: 'Version is the version of approver-policy to install + https://github.com/cert-manager/approver-policy/releases Default: + v0.8.0 Supported Versions: v0.8.0, v0.7.2' + type: string + type: object + certDiscoveryVenafi: + description: CertDiscoveryVenafi contains configuration options for + cert-discovery-venafi. See https://platform.jetstack.io/documentation/installation/cert-discovery-venafi + to learn more about cert-discovery-venafi. If unset (default) cert-discovery-venafi + will not be installed. + properties: + replicas: + description: ReplicaCount is the number of cert-discovery-venafi + instances to run. Defaults to 1 instance. + minimum: 1 + type: integer + tpp: + description: Venafi TPP server configuration options. + properties: + tokenSecretRef: + description: TokenSecretRef is a reference to a key in a Kubernetes + Secret with the TPP access token that cert-discovery-venafi + will use to authenticate. Secret must be in the same namespace + as cert-discovery-venafi (by default cert-manager). Defaults + to a Secret named 'access-token' with a key named 'access-token'. + properties: + key: + description: Key is a key in a Secret + type: string + name: + description: Name is the name of a Secret + type: string + required: + - key + - name + type: object + url: + description: URL of the TPP server where cert-discovery-venafi + should upload discovered certs. + type: string + zone: + description: Zone (policy folder) where cert-discovery-venafi + should upload discovered certs. + type: string + required: + - url + - zone + type: object + version: + description: Version is the version of cert-discovery-venafi to + install Defaults to v0.2.0 Supported versions are v0.2.0 + type: string + required: + - tpp + type: object + certManager: + description: CertManager contains configuration options for the Installation's + cert-manager installation This field must be set as cert-manager + is a required component. + properties: + controller: + description: Controller wraps the configuration options for the + cert-manager controller + properties: + replicas: + description: ReplicaCount is the number of controller instances + to run. Only one instance at a time will be a leader. Defaults + to 2. + minimum: 1 + type: integer + type: object + version: + description: 'Version is the version of cert-manager release to + install https://github.com/cert-manager/cert-manager/releases. + Default: v1.11.1 Supported Versions: v1.11.1, v1.11.0' + type: string + webhook: + description: Webhook wraps the configuration options for the cert-manager + webhook deployment + properties: + replicas: + description: ReplicaCount is the number of webhook instances + to run, default 2 + minimum: 1 + type: integer + type: object + type: object + componentNamespace: + description: ComponentNamespace allows to configure a namespace in + which Jetstack Secure components should be deployed. The namespace + will be created if it does not exist. Defaults to jetstack-secure. + This will also be component leader election namespace and cluster + resource namespace. + type: string + csiDrivers: + description: CSIDrivers contains configuration for the different CSI + Drivers available for installation + properties: + certManager: + description: certManager refers to the configuration of a cert-manager.io/csi-driver + https://cert-manager.io/docs/projects/csi-driver/ + properties: + version: + description: 'Version is the version of csi-driver to install + https://github.com/cert-manager/csi-driver/releases Default: + v0.50 Supported Versions: v0.5.0' + type: string + type: object + certManagerSpiffe: + description: CertManagerSpiffe refers to the configuration of + cert-manager/csi-driver-spiffe that can be used to issue SPIFFE + certs for workloads https://cert-manager.io/docs/projects/csi-driver-spiffe/ + properties: + issuerRef: + description: IssuerRef is a reference to the issuer that will + be used to issue certs by csi-spiffe. This must correspond + to an issuer configured in Installation.spec.issuers and + must be either a cluster-scoped issuer or be in the same + namespace as the pods that will request the certificate + volumes. Defaults to a cert-manager.io ClusterIssuer named + spiffe-ca. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + replicas: + description: ReplicaCount is the number of approver (component + responsible for verifying requests for SVID certs from the + configured issuer) instances to run. Defaults to 2. + minimum: 1 + type: integer + version: + description: 'Version is the version of cert-manager/csi-driver-spiffe + to install https://github.com/cert-manager/csi-driver-spiffe/releases + Default: v0.4.0 Supported Versions: v0.4.0, v0.2.0' + type: string + type: object + type: object + images: + description: Images contains configuration for component images. + properties: + registry: + description: Registry allows to configure a custom registry for + all images for components managed by the operator. It is user's + responsibility to ensure that the images exist in the registry. + By default all images will be pulled from Jetstack Secure Enterprise + GCR. + type: string + secret: + description: Name of an image pull secret to be used to pull images + in the registry. This will be added to all component pod specs + in component resource configurations. It is user's responsibility + to ensure that the secret exists in jetstack-secure namespace. + type: string + type: object + issuers: + description: Issuers can be used to configure cert-manager issuers + that the operator will deploy. Currently only cert-manager.io Issuer + and ClusterIssuer types are supported. + items: + properties: + acme: + description: ACME configures this issuer to communicate with + a RFC8555 (ACME) server to obtain signed x509 certificates. + https://cert-manager.io/docs/configuration/acme/ + properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can + be used to validate the certificate chain presented by + the ACME server. Mutually exclusive with SkipTLSVerify; + prefer using CABundle to prevent various kinds of security + vulnerabilities. If CABundle and SkipTLSVerify are unset, + the system certificate bundle inside the container is + used to validate the TLS connection. + format: byte + type: string + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a + new account but will expect the account key to be supplied + via an existing secret. If false, the cert-manager system + will generate a new ACME account key for the Issuer. Defaults + to false. + type: boolean + email: + description: Email is the email address to be associated + with the ACME account. This field is optional, but it + is strongly recommended to be set. It will be used to + contact you in case of issues with your account or certificates, + including expiry notification emails. This field may be + updated after the account is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is + not supported by all ACME servers like Let's Encrypt. + If set to true when the ACME server does not support it + it will create an error on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a + CA external account of the ACME server. If set, upon registration + cert-manager will attempt to associate the given external + account credentials with the registered ACME account. + properties: + keyAlgorithm: + description: 'Deprecated: keyAlgorithm field exists + for historical compatibility reasons and should not + be used. The algorithm is now hardcoded to HS256 in + golang/x/crypto/acme.' + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the + External Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the + symmetric MAC key of the External Account Binding. + The `key` is the index string that is paired with + the key data in the Secret and should not be confused + with the key data itself, or indeed with the External + Account Binding keyID above. The secret key stored + in the Secret **must** be un-padded, base64 URL encoded + data. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it may + be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the + ACME server outputs multiple. PreferredChain is no guarantee + that this one gets delivered by the ACME endpoint. For + example, for Let''s Encrypt''s DST crosssign you would + use: "DST Root CA X3" or "ISRG Root X1" for the newer + Let''s Encrypt root CA. This value picks the first certificate + bundle in the ACME alternative chains that has a certificate + with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret + resource that will be used to store the automatically + generated ACME account private key. Optionally, a `key` + may be specified to select a specific entry within the + named Secret resource. If `key` is not specified, a default + of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME + server''s ''directory'' endpoint. For example, for Let''s + Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: 'INSECURE: Enables or disables validation of + the ACME server TLS certificate. If true, requests to + the ACME server will not have the TLS certificate chain + validated. Mutually exclusive with CABundle; prefer using + CABundle to prevent various kinds of security vulnerabilities. + Only enable this option in development environments. If + CABundle and SkipTLSVerify are unset, the system certificate + bundle inside the container is used to validate the TLS + connection. Defaults to false.' + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that + will be used to solve ACME challenges for the matching + domains. Solver configurations must be provided in order + to obtain certificates from an ACME server. For more information, + see: https://cert-manager.io/docs/configuration/acme/' + items: + description: An ACMEChallengeSolver describes how to solve + ACME challenges for the issuer it is part of. A selector + may be provided to use different solving strategies + for different DNS names. Only one of HTTP01 or DNS01 + must be provided. + properties: + dns01: + description: Configures cert-manager to attempt to + complete authorizations by performing the DNS01 + challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' + within a Secret resource. In some instances, + `key` is a required field. + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management + API to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' + within a Secret resource. In some instances, + `key` is a required field. + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' + within a Secret resource. In some instances, + `key` is a required field. + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' + within a Secret resource. In some instances, + `key` is a required field. + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to + manage DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret + are left unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are + left unset MSI will be used + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + description: name of the Azure environment + (default AzurePublicCloud) + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + description: name of the DNS zone that should + be used + type: string + managedIdentity: + description: managed identity configuration, + can not be used at the same time as clientID, + clientSecretSecretRef or tenantID + properties: + clientID: + description: client ID of the managed + identity, can not be used at the same + time as resourceID + type: string + resourceID: + description: resource ID of the managed + identity, can not be used at the same + time as clientID + type: string + type: object + resourceGroupName: + description: resource group the DNS zone is + located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: when specifying ClientID and + ClientSecret then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional + field that tells cert-manager in which Cloud + DNS zone the challenge record has to be + created. If left empty cert-manager will + automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' + within a Secret resource. In some instances, + `key` is a required field. + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage + DNS01 challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate + with Cloudflare. Note: using an API token + to authenticate is now the recommended method + as it allows greater control of permissions.' + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate + with Cloudflare. + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the + DNS01 provider should handle CNAME records when + found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' + within a Secret resource. In some instances, + `key` is a required field. + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in + the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of + an authoritative DNS server supporting RFC2136 + in the form host:port. If the host is an + IPv6 address it must be enclosed in square + brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured + in the DNS supporting RFC2136. Used only + when ``tsigSecretSecretRef`` and ``tsigKeyName`` + are defined. Supported values are (case-insensitive): + ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` + or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured + in the DNS. If ``tsigSecretSecretRef`` is + defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing + the TSIG value. If ``tsigKeyName`` is defined, + this field is required. + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage + DNS01 challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for + authentication. Cannot be set when SecretAccessKeyID + is set. If neither the Access Key nor Key + ID are set, we fall-back to using env vars, + shared credentials file or AWS Instance + metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used + for authentication. If set, pull the AWS + access key ID from a key within a Kubernetes + Secret. Cannot be set when AccessKeyID is + set. If neither the Access Key nor Key ID + are set, we fall-back to using env vars, + shared credentials file or AWS Instance + metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + hostedZoneID: + description: If set, the provider will manage + only this zone in Route53 and will not do + an lookup using the route53:ListHostedZonesByName + api call. + type: string + region: + description: Always set the region when using + AccessKeyID and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the + Route53 provider will assume using either + the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment + variables, shared credentials file or AWS + Instance metadata + type: string + secretAccessKeySecretRef: + description: 'The SecretAccessKey is used + for authentication. If neither the Access + Key nor Key ID are set, we fall-back to + using env vars, shared credentials file + or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the + Secret resource's `data` field to be + used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being + referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based + DNS01 challenge solver to manage DNS01 challenge + records. + properties: + config: + description: Additional configuration that + should be passed to the webhook apiserver + when challenges are processed. This can + contain arbitrary JSON data. Secret values + should not be specified in this stanza. + If secret values are needed (e.g. credentials + for a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details + on the schema of this field, consult the + webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should + be used when POSTing ChallengePayload resources + to the webhook apiserver. This should be + the same as the GroupName specified in the + webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, + as defined in the webhook provider implementation. + This will typically be the name of the provider, + e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to + complete authorizations by performing the HTTP01 + challenge flow. It is not possible to obtain certificates + for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + properties: + gatewayHTTPRoute: + description: The Gateway API is a sig-network + community API that models service networking + in Kubernetes (https://gateway-api.sigs.k8s.io/). + The Gateway solver will create HTTPRoutes with + the specified labels in the same namespace as + the challenge. This solver is experimental, + and fields / behaviour may change in the future. + properties: + labels: + additionalProperties: + type: string + description: Custom labels that will be applied + to HTTPRoutes created by cert-manager while + solving HTTP-01 challenges. + type: object + parentRefs: + description: 'When solving an HTTP-01 challenge, + cert-manager creates an HTTPRoute. cert-manager + needs to know which parentRefs should be + used when creating the HTTPRoute. Usually, + the parentRef references a Gateway. See: + https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' + items: + description: "ParentReference identifies + an API object (usually a Gateway) that + can be considered a parent of this resource + (usually a route). The only kind of parent + resource with \"Core\" support is Gateway. + This API may be extended in the future + to support additional kinds of parent + resources, such as HTTPRoute. \n The API + object must be valid in the cluster; the + Group and Kind must be registered in the + cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of + the referent. When unspecified, \"gateway.networking.k8s.io\" + is inferred. To set the core API group + (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" + (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. + \n Support: Core (Gateway) \n Support: + Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the + referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the referent. When unspecified, + this refers to the local namespace + of the Route. \n Note that there are + specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace + references are only valid if they + are explicitly allowed by something + in the namespace they are referring + to. For example: Gateway has the AllowedRoutes + field, and ReferenceGrant provides + a generic way to enable any other + kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port + this Route targets. It can be interpreted + differently based on the type of parent + resource. \n When the parent resource + is a Gateway, this targets all listeners + listening on the specified port that + also support this kind of Route(and + select this Route). It's not recommended + to set `Port` unless the networking + behaviors specified in a Route must + apply to a specific port as opposed + to a listener(s) whose port(s) may + be changed. When both Port and SectionName + are specified, the name and port of + the selected listener must match both + specified values. \n Implementations + MAY choose to support other parent + resources. Implementations supporting + other types of parent resources MUST + clearly document how/if Port is interpreted. + \n For the purpose of status, an attachment + is considered successful as long as + the parent resource accepts it partially. + For example, Gateway listeners can + restrict which Routes can attach to + them by Route kind, namespace, or + hostname. If 1 of 2 Gateway listeners + accept attachment from the referencing + Route, the Route MUST be considered + successfully attached. If no Gateway + listeners accept attachment from this + Route, the Route MUST be considered + detached from the Gateway. \n Support: + Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name + of a section within the target resource. + In the following resources, SectionName + is interpreted as the following: \n + * Gateway: Listener Name. When both + Port (experimental) and SectionName + are specified, the name and port of + the selected listener must match both + specified values. \n Implementations + MAY choose to support attaching Routes + to other resources. If that is the + case, they MUST clearly document how + SectionName is interpreted. \n When + unspecified (empty string), this will + reference the entire resource. For + the purpose of status, an attachment + is considered successful if at least + one section in the parent resource + accepts it. For example, Gateway listeners + can restrict which Routes can attach + to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners + accept attachment from the referencing + Route, the Route MUST be considered + successfully attached. If no Gateway + listeners accept attachment from this + Route, the Route MUST be considered + detached from the Gateway. \n Support: + Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + type: array + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. + type: string + type: object + ingress: + description: The ingress based HTTP01 challenge + solver will solve challenges by creating or + modifying Ingress resources in order to route + requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned + by cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when + creating Ingress resources to solve ACME + challenges that use this challenge solver. + Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used + to configure the ACME challenge solver ingress + used for HTTP01 challenges. + properties: + metadata: + description: ObjectMeta overrides for + the ingress used to solve HTTP01 challenges. + Only the 'labels' and 'annotations' + fields may be set. If labels or annotations + overlap with in-built values, the values + here will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should + be added to the created ACME HTTP01 + solver ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be + added to the created ACME HTTP01 + solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource + that should have ACME challenge solving + routes inserted into it in order to solve + HTTP01 challenges. This is typically used + in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 + mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to + configure the ACME challenge solver pods + used for HTTP01 challenges. + properties: + metadata: + description: ObjectMeta overrides for + the pod used to solve HTTP01 challenges. + Only the 'labels' and 'annotations' + fields may be set. If labels or annotations + overlap with in-built values, the values + here will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should + be added to the create ACME HTTP01 + solver pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be + added to the created ACME HTTP01 + solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides + for the HTTP01 challenge solver pod. + Only the 'priorityClassName', 'nodeSelector', + 'affinity', 'serviceAccountName' and + 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's + scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler + will prefer to schedule + pods to nodes that satisfy + the affinity expressions + specified by this field, + but it may choose a node + that violates one or more + of the expressions. The + node that is most preferred + is the one with the greatest + sum of weights, i.e. for + each node that meets all + of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), + compute a sum by iterating + through the elements of + this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest + sum are the most preferred. + items: + description: An empty preferred + scheduling term matches + all objects with implicit + weight 0 (i.e. it's a + no-op). A null preferred + scheduling term matches + no objects (i.e. is also + a no-op). + properties: + preference: + description: A node + selector term, associated + with the corresponding + weight. + properties: + matchExpressions: + description: A list + of node selector + requirements by + node's labels. + items: + description: A + node selector + requirement + is a selector + that contains + values, a key, + and an operator + that relates + the key and + values. + properties: + key: + description: The + label key + that the + selector + applies + to. + type: string + operator: + description: Represents + a key's + relationship + to a set + of values. + Valid operators + are In, + NotIn, Exists, + DoesNotExist. + Gt, and + Lt. + type: string + values: + description: An + array of + string values. + If the operator + is In or + NotIn, the + values array + must be + non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + If the operator + is Gt or + Lt, the + values array + must have + a single + element, + which will + be interpreted + as an integer. + This array + is replaced + during a + strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list + of node selector + requirements by + node's fields. + items: + description: A + node selector + requirement + is a selector + that contains + values, a key, + and an operator + that relates + the key and + values. + properties: + key: + description: The + label key + that the + selector + applies + to. + type: string + operator: + description: Represents + a key's + relationship + to a set + of values. + Valid operators + are In, + NotIn, Exists, + DoesNotExist. + Gt, and + Lt. + type: string + values: + description: An + array of + string values. + If the operator + is In or + NotIn, the + values array + must be + non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + If the operator + is Gt or + Lt, the + values array + must have + a single + element, + which will + be interpreted + as an integer. + This array + is replaced + during a + strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight + associated with matching + the corresponding + nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity + requirements specified by + this field are not met at + scheduling time, the pod + will not be scheduled onto + the node. If the affinity + requirements specified by + this field cease to be met + at some point during pod + execution (e.g. due to an + update), the system may + or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. + A list of node selector + terms. The terms are + ORed. + items: + description: A null + or empty node selector + term matches no objects. + The requirements of + them are ANDed. The + TopologySelectorTerm + type implements a + subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list + of node selector + requirements by + node's labels. + items: + description: A + node selector + requirement + is a selector + that contains + values, a key, + and an operator + that relates + the key and + values. + properties: + key: + description: The + label key + that the + selector + applies + to. + type: string + operator: + description: Represents + a key's + relationship + to a set + of values. + Valid operators + are In, + NotIn, Exists, + DoesNotExist. + Gt, and + Lt. + type: string + values: + description: An + array of + string values. + If the operator + is In or + NotIn, the + values array + must be + non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + If the operator + is Gt or + Lt, the + values array + must have + a single + element, + which will + be interpreted + as an integer. + This array + is replaced + during a + strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list + of node selector + requirements by + node's fields. + items: + description: A + node selector + requirement + is a selector + that contains + values, a key, + and an operator + that relates + the key and + values. + properties: + key: + description: The + label key + that the + selector + applies + to. + type: string + operator: + description: Represents + a key's + relationship + to a set + of values. + Valid operators + are In, + NotIn, Exists, + DoesNotExist. + Gt, and + Lt. + type: string + values: + description: An + array of + string values. + If the operator + is In or + NotIn, the + values array + must be + non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + If the operator + is Gt or + Lt, the + values array + must have + a single + element, + which will + be interpreted + as an integer. + This array + is replaced + during a + strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate + this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler + will prefer to schedule + pods to nodes that satisfy + the affinity expressions + specified by this field, + but it may choose a node + that violates one or more + of the expressions. The + node that is most preferred + is the one with the greatest + sum of weights, i.e. for + each node that meets all + of the scheduling requirements + (resource request, requiredDuringScheduling + affinity expressions, etc.), + compute a sum by iterating + through the elements of + this field and adding "weight" + to the sum if the node has + pods which matches the corresponding + podAffinityTerm; the node(s) + with the highest sum are + the most preferred. + items: + description: The weights + of all of the matched + WeightedPodAffinityTerm + fields are added per-node + to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. + A pod affinity term, + associated with the + corresponding weight. + properties: + labelSelector: + description: A label + query over a set + of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list + of label selector + requirements. + The requirements + are ANDed. + items: + description: A + label selector + requirement + is a selector + that contains + values, + a key, and + an operator + that relates + the key + and values. + properties: + key: + description: key + is the + label + key + that + the + selector + applies + to. + type: string + operator: + description: operator + represents + a key's + relationship + to a + set + of values. + Valid + operators + are + In, + NotIn, + Exists + and + DoesNotExist. + type: string + values: + description: values + is an + array + of string + values. + If the + operator + is In + or NotIn, + the + values + array + must + be non-empty. + If the + operator + is Exists + or DoesNotExist, + the + values + array + must + be empty. + This + array + is replaced + during + a strategic + merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of + {key,value} + pairs. A single + {key,value} + in the matchLabels + map is equivalent + to an element + of matchExpressions, + whose key + field is "key", + the operator + is "In", and + the values + array contains + only "value". + The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label + query over the + set of namespaces + that the term + applies to. The + term is applied + to the union of + the namespaces + selected by this + field and the + ones listed in + the namespaces + field. null selector + and null or empty + namespaces list + means "this pod's + namespace". An + empty selector + ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list + of label selector + requirements. + The requirements + are ANDed. + items: + description: A + label selector + requirement + is a selector + that contains + values, + a key, and + an operator + that relates + the key + and values. + properties: + key: + description: key + is the + label + key + that + the + selector + applies + to. + type: string + operator: + description: operator + represents + a key's + relationship + to a + set + of values. + Valid + operators + are + In, + NotIn, + Exists + and + DoesNotExist. + type: string + values: + description: values + is an + array + of string + values. + If the + operator + is In + or NotIn, + the + values + array + must + be non-empty. + If the + operator + is Exists + or DoesNotExist, + the + values + array + must + be empty. + This + array + is replaced + during + a strategic + merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of + {key,value} + pairs. A single + {key,value} + in the matchLabels + map is equivalent + to an element + of matchExpressions, + whose key + field is "key", + the operator + is "In", and + the values + array contains + only "value". + The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces + specifies a static + list of namespace + names that the + term applies to. + The term is applied + to the union of + the namespaces + listed in this + field and the + ones selected + by namespaceSelector. + null or empty + namespaces list + and null namespaceSelector + means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This + pod should be + co-located (affinity) + or not co-located + (anti-affinity) + with the pods + matching the labelSelector + in the specified + namespaces, where + co-located is + defined as running + on a node whose + value of the label + with key topologyKey + matches that of + any node on which + any of the selected + pods is running. + Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight + associated with matching + the corresponding + podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity + requirements specified by + this field are not met at + scheduling time, the pod + will not be scheduled onto + the node. If the affinity + requirements specified by + this field cease to be met + at some point during pod + execution (e.g. due to a + pod label update), the system + may or may not try to eventually + evict the pod from its node. + When there are multiple + elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all + terms must be satisfied. + items: + description: Defines a set + of pods (namely those + matching the labelSelector + relative to the given + namespace(s)) that this + pod should be co-located + (affinity) or not co-located + (anti-affinity) with, + where co-located is defined + as running on a node whose + value of the label with + key matches + that of any node on which + a pod of the set of pods + is running + properties: + labelSelector: + description: A label + query over a set of + resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A + label selector + requirement + is a selector + that contains + values, a key, + and an operator + that relates + the key and + values. + properties: + key: + description: key + is the label + key that + the selector + applies + to. + type: string + operator: + description: operator + represents + a key's + relationship + to a set + of values. + Valid operators + are In, + NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string + values. + If the operator + is In or + NotIn, the + values array + must be + non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a + strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in + the matchLabels + map is equivalent + to an element + of matchExpressions, + whose key field + is "key", the + operator is "In", + and the values + array contains + only "value". + The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label + query over the set + of namespaces that + the term applies to. + The term is applied + to the union of the + namespaces selected + by this field and + the ones listed in + the namespaces field. + null selector and + null or empty namespaces + list means "this pod's + namespace". An empty + selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A + label selector + requirement + is a selector + that contains + values, a key, + and an operator + that relates + the key and + values. + properties: + key: + description: key + is the label + key that + the selector + applies + to. + type: string + operator: + description: operator + represents + a key's + relationship + to a set + of values. + Valid operators + are In, + NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string + values. + If the operator + is In or + NotIn, the + values array + must be + non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a + strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in + the matchLabels + map is equivalent + to an element + of matchExpressions, + whose key field + is "key", the + operator is "In", + and the values + array contains + only "value". + The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces + specifies a static + list of namespace + names that the term + applies to. The term + is applied to the + union of the namespaces + listed in this field + and the ones selected + by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not + co-located (anti-affinity) + with the pods matching + the labelSelector + in the specified namespaces, + where co-located is + defined as running + on a node whose value + of the label with + key topologyKey matches + that of any node on + which any of the selected + pods is running. Empty + topologyKey is not + allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid + putting this pod in the same + node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler + will prefer to schedule + pods to nodes that satisfy + the anti-affinity expressions + specified by this field, + but it may choose a node + that violates one or more + of the expressions. The + node that is most preferred + is the one with the greatest + sum of weights, i.e. for + each node that meets all + of the scheduling requirements + (resource request, requiredDuringScheduling + anti-affinity expressions, + etc.), compute a sum by + iterating through the elements + of this field and adding + "weight" to the sum if the + node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest + sum are the most preferred. + items: + description: The weights + of all of the matched + WeightedPodAffinityTerm + fields are added per-node + to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. + A pod affinity term, + associated with the + corresponding weight. + properties: + labelSelector: + description: A label + query over a set + of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list + of label selector + requirements. + The requirements + are ANDed. + items: + description: A + label selector + requirement + is a selector + that contains + values, + a key, and + an operator + that relates + the key + and values. + properties: + key: + description: key + is the + label + key + that + the + selector + applies + to. + type: string + operator: + description: operator + represents + a key's + relationship + to a + set + of values. + Valid + operators + are + In, + NotIn, + Exists + and + DoesNotExist. + type: string + values: + description: values + is an + array + of string + values. + If the + operator + is In + or NotIn, + the + values + array + must + be non-empty. + If the + operator + is Exists + or DoesNotExist, + the + values + array + must + be empty. + This + array + is replaced + during + a strategic + merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of + {key,value} + pairs. A single + {key,value} + in the matchLabels + map is equivalent + to an element + of matchExpressions, + whose key + field is "key", + the operator + is "In", and + the values + array contains + only "value". + The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label + query over the + set of namespaces + that the term + applies to. The + term is applied + to the union of + the namespaces + selected by this + field and the + ones listed in + the namespaces + field. null selector + and null or empty + namespaces list + means "this pod's + namespace". An + empty selector + ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list + of label selector + requirements. + The requirements + are ANDed. + items: + description: A + label selector + requirement + is a selector + that contains + values, + a key, and + an operator + that relates + the key + and values. + properties: + key: + description: key + is the + label + key + that + the + selector + applies + to. + type: string + operator: + description: operator + represents + a key's + relationship + to a + set + of values. + Valid + operators + are + In, + NotIn, + Exists + and + DoesNotExist. + type: string + values: + description: values + is an + array + of string + values. + If the + operator + is In + or NotIn, + the + values + array + must + be non-empty. + If the + operator + is Exists + or DoesNotExist, + the + values + array + must + be empty. + This + array + is replaced + during + a strategic + merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of + {key,value} + pairs. A single + {key,value} + in the matchLabels + map is equivalent + to an element + of matchExpressions, + whose key + field is "key", + the operator + is "In", and + the values + array contains + only "value". + The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces + specifies a static + list of namespace + names that the + term applies to. + The term is applied + to the union of + the namespaces + listed in this + field and the + ones selected + by namespaceSelector. + null or empty + namespaces list + and null namespaceSelector + means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This + pod should be + co-located (affinity) + or not co-located + (anti-affinity) + with the pods + matching the labelSelector + in the specified + namespaces, where + co-located is + defined as running + on a node whose + value of the label + with key topologyKey + matches that of + any node on which + any of the selected + pods is running. + Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight + associated with matching + the corresponding + podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by + this field are not met at + scheduling time, the pod + will not be scheduled onto + the node. If the anti-affinity + requirements specified by + this field cease to be met + at some point during pod + execution (e.g. due to a + pod label update), the system + may or may not try to eventually + evict the pod from its node. + When there are multiple + elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all + terms must be satisfied. + items: + description: Defines a set + of pods (namely those + matching the labelSelector + relative to the given + namespace(s)) that this + pod should be co-located + (affinity) or not co-located + (anti-affinity) with, + where co-located is defined + as running on a node whose + value of the label with + key matches + that of any node on which + a pod of the set of pods + is running + properties: + labelSelector: + description: A label + query over a set of + resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A + label selector + requirement + is a selector + that contains + values, a key, + and an operator + that relates + the key and + values. + properties: + key: + description: key + is the label + key that + the selector + applies + to. + type: string + operator: + description: operator + represents + a key's + relationship + to a set + of values. + Valid operators + are In, + NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string + values. + If the operator + is In or + NotIn, the + values array + must be + non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a + strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in + the matchLabels + map is equivalent + to an element + of matchExpressions, + whose key field + is "key", the + operator is "In", + and the values + array contains + only "value". + The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label + query over the set + of namespaces that + the term applies to. + The term is applied + to the union of the + namespaces selected + by this field and + the ones listed in + the namespaces field. + null selector and + null or empty namespaces + list means "this pod's + namespace". An empty + selector ({}) matches + all namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A + label selector + requirement + is a selector + that contains + values, a key, + and an operator + that relates + the key and + values. + properties: + key: + description: key + is the label + key that + the selector + applies + to. + type: string + operator: + description: operator + represents + a key's + relationship + to a set + of values. + Valid operators + are In, + NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string + values. + If the operator + is In or + NotIn, the + values array + must be + non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a + strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in + the matchLabels + map is equivalent + to an element + of matchExpressions, + whose key field + is "key", the + operator is "In", + and the values + array contains + only "value". + The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces + specifies a static + list of namespace + names that the term + applies to. The term + is applied to the + union of the namespaces + listed in this field + and the ones selected + by namespaceSelector. + null or empty namespaces + list and null namespaceSelector + means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not + co-located (anti-affinity) + with the pods matching + the labelSelector + in the specified namespaces, + where co-located is + defined as running + on a node whose value + of the label with + key topologyKey matches + that of any node on + which any of the selected + pods is running. Empty + topologyKey is not + allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to + fit on a node. Selector which must + match a node''s labels for the pod + to be scheduled on that node. More + info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's + priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's + service account + type: string + tolerations: + description: If specified, the pod's + tolerations. + items: + description: The pod this Toleration + is attached to tolerates any taint + that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates + the taint effect to match. + Empty means match all taint + effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint + key that the toleration applies + to. Empty means match all + taint keys. If the key is + empty, operator must be Exists; + this combination means to + match all values and all keys. + type: string + operator: + description: Operator represents + a key's relationship to the + value. Valid operators are + Exists and Equal. Defaults + to Equal. Exists is equivalent + to wildcard for value, so + that a pod can tolerate all + taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds + represents the period of time + the toleration (which must + be of effect NoExecute, otherwise + this field is ignored) tolerates + the taint. By default, it + is not set, which means tolerate + the taint forever (do not + evict). Zero and negative + values will be treated as + 0 (evict immediately) by the + system. + format: int64 + type: integer + value: + description: Value is the taint + value the toleration matches + to. If the operator is Exists, + the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service. Supported values are NodePort + or ClusterIP. If unset, defaults to NodePort. + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on + the Certificate resource that should be solved using + this challenge solver. If not specified, the solver + will be treated as the 'default' solver with the + lowest priority, i.e. if any other solver has a + more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver + will be used to solve. If specified and a match + is found, a dnsNames selector will take precedence + over a dnsZones selector. If multiple solvers + match with the same dnsNames value, the solver + with the most matching labels in matchLabels + will be selected. If neither has more matches, + the solver defined earlier in the list will + be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver + will be used to solve. The most specific DNS + zone match specified here will take precedence + over other DNS zone matches, so a solver specifying + sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones + value, the solver with the most matching labels + in matchLabels will be selected. If neither + has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to + refine the set of certificate's that this challenge + solver will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + annotations: + additionalProperties: + type: string + description: 'Annotations to set on the created issuer. More + info: http://kubernetes.io/docs/user-guide/annotations' + type: object + ca: + description: CA configures this issuer to sign certificates + using a signing CA keypair stored in a Secret resource. This + is used to build internal PKIs that are managed by cert-manager. + https://cert-manager.io/docs/configuration/ca/ + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 + certificate extension which identifies the location of + the CRL from which the revocation of this certificate + can be checked. If not set, certificates will be issued + without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension + that defines a list of URLs of OCSP responders. The OCSP + responders can be queried for the revocation status of + an issued certificate. If not set, the certificate will + be issued with no OCSP servers set. For example, an OCSP + server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to + sign Certificates issued by this Issuer. + type: string + selfSignedCA: + description: SelfSignedCA can be used to bootstrap the CA + issuer with a CA cert issued by self-signed issuer. If + this field is set, the operator will create a self-signed + issuer and use that to issue a self-signed CA cert which + will be stored in SecretName secret. + properties: + commonName: + description: CommonName is a common name to be used + on the Certificate. The CommonName should have a length + of 64 characters or fewer to avoid generating invalid + CSRs. + type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + properties: + countries: + description: Countries to be used on the Certificate. + items: + type: string + type: array + localities: + description: Cities to be used on the Certificate. + items: + type: string + type: array + organizationalUnits: + description: Organizational Units to be used on + the Certificate. + items: + type: string + type: array + organizations: + description: Organizations to be used on the Certificate. + items: + type: string + type: array + postalCodes: + description: Postal codes to be used on the Certificate. + items: + type: string + type: array + provinces: + description: State/Provinces to be used on the Certificate. + items: + type: string + type: array + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the + Certificate. + items: + type: string + type: array + type: object + type: object + required: + - secretName + type: object + clusterScope: + description: Whether a cluster-scoped resource should be created. + In case of core cert-manager.io issuers setting this to true + will result to a ClusterIssuer being created, setting this + to false will result in an Issuer being created. (Default + value is false). + type: boolean + labels: + additionalProperties: + type: string + description: 'Labels to set on the created issuer. More info: + http://kubernetes.io/docs/user-guide/labels' + type: object + name: + description: Name is the name of the Issuer. + type: string + namespace: + description: Namespace for an Issuer. Cannot be set if ClusterScope + is set to true and must be set if ClusterScope is set to false. + Namespace needs to already exist. + type: string + policy: + description: Policy is the configuration of the for this CertificateRequestPolicy + for issuer. Currently a default 'allow-all' policy will be + configured for each issuer that does not have a custom policy + configured. https://github.com/cert-manager/approver-policy/tree/main + properties: + allowAll: + description: AllowAll configures whether an allow-all policy + should be created for an issuer. + type: boolean + allowed: + description: Allowed is the set of attributes that are "allowed" + by this policy. A CertificateRequest will only be considered + permissible for this policy if the CertificateRequest + has the same or less as what is allowed. Empty or `nil` + allowed fields mean CertificateRequests are not allowed + to have that field present to be permissible. This field + corresponds to the Allowed block in CertificateRequestPolicy + API https://github.com/cert-manager/approver-policy#allowed + Only one of Allowed, AllowAll can be set. + properties: + commonName: + description: CommonName defines the X.509 Common Name + that is permissible. + properties: + required: + description: Required marks this field as being + a required value on the request. May only be set + to true if Value is also defined. + type: boolean + value: + description: Value defines the value that is permissible + to be present on the request. Accepts wildcards + "*". An omitted field or value of `nil` forbids + the value from being requested. An empty string + is equivalent to `nil`, however an empty string + pared with Required as `true` is an impossible + condition that always denies. Value may not be + `nil` if Required is `true`. + type: string + type: object + dnsNames: + description: DNSNames defines the X.509 DNS SANs that + may be requested for. Accepts wildcards "*". + properties: + required: + description: Required marks this field as being + a required value on the request. May only be set + to true if Values is also defined. Default is + nil which marks the field as not required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards "*". + An omitted field or value of `nil` forbids any + value on the related field in the request from + being requested. An empty slice `[]` is equivalent + to `nil`, however an empty slice pared with Required + `true` is an impossible condition that always + denies. Values may not be `nil` if Required is + `true`. + items: + type: string + type: array + type: object + emailAddresses: + description: EmailAddresses defines the X.509 Email + SANs that may be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only be set + to true if Values is also defined. Default is + nil which marks the field as not required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards "*". + An omitted field or value of `nil` forbids any + value on the related field in the request from + being requested. An empty slice `[]` is equivalent + to `nil`, however an empty slice pared with Required + `true` is an impossible condition that always + denies. Values may not be `nil` if Required is + `true`. + items: + type: string + type: array + type: object + ipAddresses: + description: IPAddresses defines the X.509 IP SANs that + may be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only be set + to true if Values is also defined. Default is + nil which marks the field as not required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards "*". + An omitted field or value of `nil` forbids any + value on the related field in the request from + being requested. An empty slice `[]` is equivalent + to `nil`, however an empty slice pared with Required + `true` is an impossible condition that always + denies. Values may not be `nil` if Required is + `true`. + items: + type: string + type: array + type: object + isCA: + description: IsCA defines whether it is permissible + for a CertificateRequest to have the `spec.IsCA` field + set to `true`. An omitted field, value of `nil` or + `false`, forbids the `spec.IsCA` field from bring + `true`. A value of `true` permits CertificateRequests + setting the `spec.IsCA` field to `true`. + type: boolean + subject: + description: Subject defines the X.509 subject that + is permissible. An omitted field or value of `nil` + forbids any Subject being requested. + properties: + countries: + description: Countries define the X.509 Subject + Countries that may be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only + be set to true if Values is also defined. + Default is nil which marks the field as not + required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards + "*". An omitted field or value of `nil` forbids + any value on the related field in the request + from being requested. An empty slice `[]` + is equivalent to `nil`, however an empty slice + pared with Required `true` is an impossible + condition that always denies. Values may not + be `nil` if Required is `true`. + items: + type: string + type: array + type: object + localities: + description: Localities defines the X.509 Subject + Localities that may be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only + be set to true if Values is also defined. + Default is nil which marks the field as not + required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards + "*". An omitted field or value of `nil` forbids + any value on the related field in the request + from being requested. An empty slice `[]` + is equivalent to `nil`, however an empty slice + pared with Required `true` is an impossible + condition that always denies. Values may not + be `nil` if Required is `true`. + items: + type: string + type: array + type: object + organizationalUnits: + description: OrganizationalUnits defines the X.509 + Subject Organizational Units that may be requested + for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only + be set to true if Values is also defined. + Default is nil which marks the field as not + required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards + "*". An omitted field or value of `nil` forbids + any value on the related field in the request + from being requested. An empty slice `[]` + is equivalent to `nil`, however an empty slice + pared with Required `true` is an impossible + condition that always denies. Values may not + be `nil` if Required is `true`. + items: + type: string + type: array + type: object + organizations: + description: Organizations define the X.509 Subject + Organizations that may be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only + be set to true if Values is also defined. + Default is nil which marks the field as not + required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards + "*". An omitted field or value of `nil` forbids + any value on the related field in the request + from being requested. An empty slice `[]` + is equivalent to `nil`, however an empty slice + pared with Required `true` is an impossible + condition that always denies. Values may not + be `nil` if Required is `true`. + items: + type: string + type: array + type: object + postalCodes: + description: PostalCodes defines the X.509 Subject + Postal Codes that may be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only + be set to true if Values is also defined. + Default is nil which marks the field as not + required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards + "*". An omitted field or value of `nil` forbids + any value on the related field in the request + from being requested. An empty slice `[]` + is equivalent to `nil`, however an empty slice + pared with Required `true` is an impossible + condition that always denies. Values may not + be `nil` if Required is `true`. + items: + type: string + type: array + type: object + provinces: + description: Provinces defines the X.509 Subject + Provinces that may be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only + be set to true if Values is also defined. + Default is nil which marks the field as not + required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards + "*". An omitted field or value of `nil` forbids + any value on the related field in the request + from being requested. An empty slice `[]` + is equivalent to `nil`, however an empty slice + pared with Required `true` is an impossible + condition that always denies. Values may not + be `nil` if Required is `true`. + items: + type: string + type: array + type: object + serialNumber: + description: SerialNumber defines the X.509 Subject + Serial Number that may be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only + be set to true if Value is also defined. + type: boolean + value: + description: Value defines the value that is + permissible to be present on the request. + Accepts wildcards "*". An omitted field or + value of `nil` forbids the value from being + requested. An empty string is equivalent to + `nil`, however an empty string pared with + Required as `true` is an impossible condition + that always denies. Value may not be `nil` + if Required is `true`. + type: string + type: object + streetAddresses: + description: StreetAddresses defines the X.509 Subject + Street Addresses that may be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only + be set to true if Values is also defined. + Default is nil which marks the field as not + required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards + "*". An omitted field or value of `nil` forbids + any value on the related field in the request + from being requested. An empty slice `[]` + is equivalent to `nil`, however an empty slice + pared with Required `true` is an impossible + condition that always denies. Values may not + be `nil` if Required is `true`. + items: + type: string + type: array + type: object + type: object + uris: + description: URIs defines the X.509 URI SANs that may + be requested for. + properties: + required: + description: Required marks this field as being + a required value on the request. May only be set + to true if Values is also defined. Default is + nil which marks the field as not required. + type: boolean + values: + description: Defines the values that are permissible + to be present on request. Accepts wildcards "*". + An omitted field or value of `nil` forbids any + value on the related field in the request from + being requested. An empty slice `[]` is equivalent + to `nil`, however an empty slice pared with Required + `true` is an impossible condition that always + denies. Values may not be `nil` if Required is + `true`. + items: + type: string + type: array + type: object + usages: + description: Usages defines the list of permissible + key usages that may appear on the CertificateRequest + `spec.keyUsages` field. An omitted field or value + of `nil` forbids any Usages being requested. An empty + slice `[]` is equivalent to `nil`. + items: + description: "KeyUsage specifies valid usage contexts + for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", + \"digital signature\", \"content commitment\", \"key + encipherment\", \"key agreement\", \"data encipherment\", + \"cert sign\", \"crl sign\", \"encipher only\", + \"decipher only\", \"any\", \"server auth\", \"client + auth\", \"code signing\", \"email protection\", + \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", + \"ipsec user\", \"timestamping\", \"ocsp signing\", + \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + type: object + constraints: + description: Constraints is the set of attributes that _must_ + be satisfied by the CertificateRequest for the request + to be permissible by the policy. Empty or `nil` constraint + fields mean CertificateRequests satisfy that field with + any value of their corresponding attribute. This field + corresponds to the Constraints block in CertificateRequestPolicyAPI + https://github.com/cert-manager/approver-policy#constraints + Only one of Constraints, AllowAll can be set. + properties: + maxDuration: + description: MaxDuration defines the maximum duration + a certificate may be requested for. Values are inclusive + (i.e. a max value of `1h` will accept a duration of + `1h`). MaxDuration and MinDuration may be the same + value. An omitted field or value of `nil` permits + any maximum duration. If MaxDuration is defined, a + duration _must_ be requested on the CertificateRequest. + type: string + minDuration: + description: MinDuration defines the minimum duration + a certificate may be requested for. Values are inclusive + (i.e. a min value of `1h` will accept a duration of + `1h`). MinDuration and MaxDuration may be the same + value. An omitted field or value of `nil` permits + any minimum duration. If MinDuration is defined, a + duration _must_ be requested on the CertificateRequest. + type: string + privateKey: + description: PrivateKey defines the shape of permissible + private keys that may be used for the request with + this policy. An omitted field or value of `nil` permits + the use of any private key by the requestor. + properties: + algorithm: + description: Algorithm defines the allowed crypto + algorithm that is used by the requestor for their + private key in their request. An omitted field + or value of `nil` permits any Algorithm. + enum: + - RSA + - ECDSA + - Ed25519 + type: string + maxSize: + description: MaxSize defines the maximum key size + a requestor may use for their private key. Values + are inclusive (i.e. a min value of `2048` will + accept a size of `2048`). MaxSize and MinSize + may be the same value. An omitted field or value + of `nil` permits any maximum size. + type: integer + minSize: + description: MinSize defines the minimum key size + a requestor may use for their private key. Values + are inclusive (i.e. a min value of `2048` will + accept a size of `2048`). MinSize and MaxSize + may be the same value. An omitted field or value + of `nil` permits any minimum size. + type: integer + type: object + type: object + plugins: + description: Plugins defines additional, optional plugins + to use with this policy. + properties: + venafi: + description: Venafi plugin is used to pull a policy + defined in a zone in Venafi server and use that to + evaluate a CertificateRequest. This plugin is bundled + with the approver-policy-enterprise only, so you must + make sure that you have set approverPolicyEnterprise + field on Installation spec. + properties: + venafiConnectionName: + description: VenafiConnectionName is the name of + the Venafi connection to use when retrieving the + policy. + type: string + zone: + description: "For VaaS: Zone = \"\\