# Copyright 2022 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

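# Namespace the manifest creates for cert-manager. The CustomResourceDefinitions
# that follow are cluster-scoped API objects and are not contained in it; only the
# custom resources (CertificateRequest, Certificate) are namespaced.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
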
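---
# Source: cert-manager/templates/crds.yaml
#
# START crd
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: certificaterequests.cert-manager.io
  # START annotations
  annotations:
    # keep: Helm leaves this CRD in place on chart uninstall, so existing
    # CertificateRequest objects (including the PEM material in their status)
    # survive removal of the release; delete the CRD explicitly if that is not wanted.
    helm.sh/resource-policy: keep
  # END annotations
  labels:
    app: 'cert-manager'
    app.kubernetes.io/name: 'cert-manager'
    app.kubernetes.io/instance: 'cert-manager'
    # Generated labels
    app.kubernetes.io/version: "v1.17.0"
spec:
  group: cert-manager.io
  names:
    kind: CertificateRequest
    listKind: CertificateRequestList
    plural: certificaterequests
    shortNames:
      - cr
      - crs
    singular: certificaterequest
    categories:
      - cert-manager
  scope: Namespaced
  versions:
    - name: v1
      # status is served as a subresource: writes to .status (the issued
      # certificate/CA and the Approved/Denied/Ready conditions) only take effect
      # through certificaterequests/status, so RBAC on that subresource is what
      # gates approval and issuance, not write access to the main resource.
      subresources:
        status: {}
      additionalPrinterColumns:
        - jsonPath: .status.conditions[?(@.type=="Approved")].status
          name: Approved
          type: string
        - jsonPath: .status.conditions[?(@.type=="Denied")].status
          name: Denied
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].status
          name: Ready
          type: string
        - jsonPath: .spec.issuerRef.name
          name: Issuer
          type: string
        - jsonPath: .spec.username
          name: Requester
          type: string
        - jsonPath: .status.conditions[?(@.type=="Ready")].message
          name: Status
          priority: 1
          type: string
        - jsonPath: .metadata.creationTimestamp
          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          description: |-
            A CertificateRequest is used to request a signed certificate from one of the
            configured issuers.

            All fields within the CertificateRequest's `spec` are immutable after creation.
            A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
            condition and its `status.failureTime` field.

            A CertificateRequest is a one-shot resource, meaning it represents a single
            point in time request for a certificate and cannot be re-used.
          type: object
          properties:
            apiVersion:
              description: |-
                APIVersion defines the versioned schema of this representation of an object.
                Servers should convert recognized schemas to the latest internal value, and
                may reject unrecognized values.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: |-
                Kind is a string value representing the REST resource this object represents.
                Servers may infer this from the endpoint the client submits requests to.
                Cannot be updated.
                In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: |-
                Specification of the desired state of the CertificateRequest resource.
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
              type: object
              required:
                - issuerRef
                - request
              properties:
                duration:
                  description: |-
                    Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
                    issuer may choose to ignore the requested duration, just like any other
                    requested attribute.
                  type: string
                # NOTE(review): extra, groups, uid and username identify the requester
                # and are what approval decisions key on. Nothing in this schema makes
                # them server-populated or immutable (no x-kubernetes-validations here);
                # the field descriptions attribute that to the cert-manager webhook, so the
                # webhook must be deployed for these fields to be trustworthy — confirm.
                extra:
                  description: |-
                    Extra contains extra attributes of the user that created the CertificateRequest.
                    Populated by the cert-manager webhook on creation and immutable.
                  type: object
                  additionalProperties:
                    type: array
                    items:
                      type: string
                groups:
                  description: |-
                    Groups contains group membership of the user that created the CertificateRequest.
                    Populated by the cert-manager webhook on creation and immutable.
                  type: array
                  items:
                    type: string
                  x-kubernetes-list-type: atomic
                isCA:
                  description: |-
                    Requested basic constraints isCA value. Note that the issuer may choose
                    to ignore the requested isCA value, just like any other requested attribute.

                    NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
                    it must have the same isCA value as specified here.

                    If true, this will automatically add the `cert sign` usage to the list
                    of requested `usages`.
                  type: boolean
                issuerRef:
                  description: |-
                    Reference to the issuer responsible for issuing the certificate.
                    If the issuer is namespace-scoped, it must be in the same namespace
                    as the Certificate. If the issuer is cluster-scoped, it can be used
                    from any namespace.

                    The `name` field of the reference must always be specified.
                  type: object
                  required:
                    - name
                  properties:
                    group:
                      description: Group of the resource being referred to.
                      type: string
                    kind:
                      description: Kind of the resource being referred to.
                      type: string
                    name:
                      description: Name of the resource being referred to.
                      type: string
                # format: byte — the CSR is carried base64-encoded and the API server
                # validates only the encoding. The isCA/usage agreement described below
                # is presumably checked by cert-manager itself, not by this schema.
                # The CSR carries the public key only; no private key appears in this resource.
                request:
                  description: |-
                    The PEM-encoded X.509 certificate signing request to be submitted to the
                    issuer for signing.

                    If the CSR has a BasicConstraints extension, its isCA attribute must
                    match the `isCA` value of this CertificateRequest.
                    If the CSR has a KeyUsage extension, its key usages must match the
                    key usages in the `usages` field of this CertificateRequest.
                    If the CSR has a ExtKeyUsage extension, its extended key usages
                    must match the extended key usages in the `usages` field of this
                    CertificateRequest.
                  type: string
                  format: byte
                uid:
                  description: |-
                    UID contains the uid of the user that created the CertificateRequest.
                    Populated by the cert-manager webhook on creation and immutable.
                  type: string
                usages:
                  description: |-
                    Requested key usages and extended key usages.

                    NOTE: If the CSR in the `Request` field has uses the KeyUsage or
                    ExtKeyUsage extension, these extensions must have the same values
                    as specified here without any additional values.

                    If unset, defaults to `digital signature` and `key encipherment`.
                  type: array
                  items:
                    description: |-
                      KeyUsage specifies valid usage contexts for keys.
                      See:
                      https://tools.ietf.org/html/rfc5280#section-4.2.1.3
                      https://tools.ietf.org/html/rfc5280#section-4.2.1.12

                      Valid KeyUsage values are as follows:
                      "signing",
                      "digital signature",
                      "content commitment",
                      "key encipherment",
                      "key agreement",
                      "data encipherment",
                      "cert sign",
                      "crl sign",
                      "encipher only",
                      "decipher only",
                      "any",
                      "server auth",
                      "client auth",
                      "code signing",
                      "email protection",
                      "s/mime",
                      "ipsec end system",
                      "ipsec tunnel",
                      "ipsec user",
                      "timestamping",
                      "ocsp signing",
                      "microsoft sgc",
                      "netscape sgc"
                    type: string
                    # Keep this enum in sync with the value list in the description above;
                    # the enum is what the API server actually enforces.
                    enum:
                      - signing
                      - digital signature
                      - content commitment
                      - key encipherment
                      - key agreement
                      - data encipherment
                      - cert sign
                      - crl sign
                      - encipher only
                      - decipher only
                      - any
                      - server auth
                      - client auth
                      - code signing
                      - email protection
                      - s/mime
                      - ipsec end system
                      - ipsec tunnel
                      - ipsec user
                      - timestamping
                      - ocsp signing
                      - microsoft sgc
                      - netscape sgc
                username:
                  description: |-
                    Username contains the name of the user that created the CertificateRequest.
                    Populated by the cert-manager webhook on creation and immutable.
                  type: string
            status:
              description: |-
                Status of the CertificateRequest.
                This is set and managed automatically.
                Read-only.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
              type: object
              properties:
                # Issued material is returned here (PEM, base64 in the API object), so
                # read access to CertificateRequests exposes the certificate and CA chain.
                ca:
                  description: |-
                    The PEM encoded X.509 certificate of the signer, also known as the CA
                    (Certificate Authority).
                    This is set on a best-effort basis by different issuers.
                    If not set, the CA is assumed to be unknown/not available.
                  type: string
                  format: byte
                certificate:
                  description: |-
                    The PEM encoded X.509 certificate resulting from the certificate
                    signing request.
                    If not set, the CertificateRequest has either not been completed or has
                    failed. More information on failure can be found by checking the
                    `conditions` field.
                  type: string
                  format: byte
                conditions:
                  description: |-
                    List of status conditions to indicate the status of a CertificateRequest.
                    Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
                  type: array
                  items:
                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
                    type: object
                    required:
                      - status
                      - type
                    properties:
                      lastTransitionTime:
                        description: |-
                          LastTransitionTime is the timestamp corresponding to the last status
                          change of this condition.
                        type: string
                        format: date-time
                      message:
                        description: |-
                          Message is a human readable description of the details of the last
                          transition, complementing reason.
                        type: string
                      reason:
                        description: |-
                          Reason is a brief machine readable explanation for the condition's last
                          transition.
                        type: string
                      status:
                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
                        type: string
                        enum:
                          - "True"
                          - "False"
                          - Unknown
                      type:
                        description: |-
                          Type of the condition, known values are (`Ready`, `InvalidRequest`,
                          `Approved`, `Denied`).
                        type: string
                  # Conditions are a map keyed by `type`, so at most one entry per
                  # condition type (Approved/Denied/Ready) is allowed by the API server.
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
                failureTime:
                  description: |-
                    FailureTime stores the time that this CertificateRequest failed. This is
                    used to influence garbage collection and back-off.
                  type: string
                  format: date-time
      served: true
      storage: true

# END crd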
342---
343# Source: cert-manager/templates/crds.yaml
344# START crd
345apiVersion: apiextensions.k8s.io/v1
346kind: CustomResourceDefinition
347metadata:
348 name: certificates.cert-manager.io
349 # START annotations
350 annotations:
351 helm.sh/resource-policy: keep
352 # END annotations
353 labels:
354 app: 'cert-manager'
355 app.kubernetes.io/name: 'cert-manager'
356 app.kubernetes.io/instance: 'cert-manager'
357 # Generated labels
358 app.kubernetes.io/version: "v1.17.0"
359spec:
360 group: cert-manager.io
361 names:
362 kind: Certificate
363 listKind: CertificateList
364 plural: certificates
365 shortNames:
366 - cert
367 - certs
368 singular: certificate
369 categories:
370 - cert-manager
371 scope: Namespaced
372 versions:
373 - name: v1
374 subresources:
375 status: {}
376 additionalPrinterColumns:
377 - jsonPath: .status.conditions[?(@.type=="Ready")].status
378 name: Ready
379 type: string
380 - jsonPath: .spec.secretName
381 name: Secret
382 type: string
383 - jsonPath: .spec.issuerRef.name
384 name: Issuer
385 priority: 1
386 type: string
387 - jsonPath: .status.conditions[?(@.type=="Ready")].message
388 name: Status
389 priority: 1
390 type: string
391 - jsonPath: .metadata.creationTimestamp
392 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
393 name: Age
394 type: date
395 schema:
396 openAPIV3Schema:
397 description: |-
398 A Certificate resource should be created to ensure an up to date and signed
399 X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
400
401 The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
402 type: object
403 properties:
404 apiVersion:
405 description: |-
406 APIVersion defines the versioned schema of this representation of an object.
407 Servers should convert recognized schemas to the latest internal value, and
408 may reject unrecognized values.
409 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
410 type: string
411 kind:
412 description: |-
413 Kind is a string value representing the REST resource this object represents.
414 Servers may infer this from the endpoint the client submits requests to.
415 Cannot be updated.
416 In CamelCase.
417 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
418 type: string
419 metadata:
420 type: object
421 spec:
422 description: |-
423 Specification of the desired state of the Certificate resource.
424 https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
425 type: object
426 required:
427 - issuerRef
428 - secretName
429 properties:
430 additionalOutputFormats:
431 description: |-
432 Defines extra output formats of the private key and signed certificate chain
433 to be written to this Certificate's target Secret.
434
435 This is a Beta Feature enabled by default. It can be disabled with the
436 `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
437 the controller and webhook components.
438 type: array
439 items:
440 description: |-
441 CertificateAdditionalOutputFormat defines an additional output format of a
442 Certificate resource. These contain supplementary data formats of the signed
443 certificate chain and paired private key.
444 type: object
445 required:
446 - type
447 properties:
448 type:
449 description: |-
450 Type is the name of the format type that should be written to the
451 Certificate's target Secret.
452 type: string
453 enum:
454 - DER
455 - CombinedPEM
456 commonName:
457 description: |-
458 Requested common name X509 certificate subject attribute.
459 More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
460 NOTE: TLS clients will ignore this value when any subject alternative name is
461 set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
462
463 Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
464 Cannot be set if the `literalSubject` field is set.
465 type: string
466 dnsNames:
467 description: Requested DNS subject alternative names.
468 type: array
469 items:
470 type: string
471 duration:
472 description: |-
473 Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
474 issuer may choose to ignore the requested duration, just like any other
475 requested attribute.
476
477 If unset, this defaults to 90 days.
478 Minimum accepted duration is 1 hour.
479 Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
480 type: string
481 emailAddresses:
482 description: Requested email subject alternative names.
483 type: array
484 items:
485 type: string
486 encodeUsagesInRequest:
487 description: |-
488 Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
489
490 This option defaults to true, and should only be disabled if the target
491 issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
492 type: boolean
493 ipAddresses:
494 description: Requested IP address subject alternative names.
495 type: array
496 items:
497 type: string
498 isCA:
499 description: |-
500 Requested basic constraints isCA value.
501 The isCA value is used to set the `isCA` field on the created CertificateRequest
502 resources. Note that the issuer may choose to ignore the requested isCA value, just
503 like any other requested attribute.
504
505 If true, this will automatically add the `cert sign` usage to the list
506 of requested `usages`.
507 type: boolean
508 issuerRef:
509 description: |-
510 Reference to the issuer responsible for issuing the certificate.
511 If the issuer is namespace-scoped, it must be in the same namespace
512 as the Certificate. If the issuer is cluster-scoped, it can be used
513 from any namespace.
514
515 The `name` field of the reference must always be specified.
516 type: object
517 required:
518 - name
519 properties:
520 group:
521 description: Group of the resource being referred to.
522 type: string
523 kind:
524 description: Kind of the resource being referred to.
525 type: string
526 name:
527 description: Name of the resource being referred to.
528 type: string
529 keystores:
530 description: Additional keystore output formats to be stored in the Certificate's Secret.
531 type: object
532 properties:
533 jks:
534 description: |-
535 JKS configures options for storing a JKS keystore in the
536 `spec.secretName` Secret resource.
537 type: object
538 required:
539 - create
540 properties:
541 alias:
542 description: |-
543 Alias specifies the alias of the key in the keystore, required by the JKS format.
544 If not provided, the default alias `certificate` will be used.
545 type: string
546 create:
547 description: |-
548 Create enables JKS keystore creation for the Certificate.
549 If true, a file named `keystore.jks` will be created in the target
550 Secret resource, encrypted using the password stored in
551 `passwordSecretRef` or `password`.
552 The keystore file will be updated immediately.
553 If the issuer provided a CA certificate, a file named `truststore.jks`
554 will also be created in the target Secret resource, encrypted using the
555 password stored in `passwordSecretRef`
556 containing the issuing Certificate Authority
557 type: boolean
558 password:
559 description: |-
560 Password provides a literal password used to encrypt the JKS keystore.
561 Mutually exclusive with passwordSecretRef.
562 One of password or passwordSecretRef must provide a password with a non-zero length.
563 type: string
564 passwordSecretRef:
565 description: |-
566 PasswordSecretRef is a reference to a non-empty key in a Secret resource
567 containing the password used to encrypt the JKS keystore.
568 Mutually exclusive with password.
569 One of password or passwordSecretRef must provide a password with a non-zero length.
570 type: object
571 required:
572 - name
573 properties:
574 key:
575 description: |-
576 The key of the entry in the Secret resource's `data` field to be used.
577 Some instances of this field may be defaulted, in others it may be
578 required.
579 type: string
580 name:
581 description: |-
582 Name of the resource being referred to.
583 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
584 type: string
585 pkcs12:
586 description: |-
587 PKCS12 configures options for storing a PKCS12 keystore in the
588 `spec.secretName` Secret resource.
589 type: object
590 required:
591 - create
592 properties:
593 create:
594 description: |-
595 Create enables PKCS12 keystore creation for the Certificate.
596 If true, a file named `keystore.p12` will be created in the target
597 Secret resource, encrypted using the password stored in
598 `passwordSecretRef` or in `password`.
599 The keystore file will be updated immediately.
600 If the issuer provided a CA certificate, a file named `truststore.p12` will
601 also be created in the target Secret resource, encrypted using the
602 password stored in `passwordSecretRef` containing the issuing Certificate
603 Authority
604 type: boolean
605 password:
606 description: |-
607 Password provides a literal password used to encrypt the PKCS#12 keystore.
608 Mutually exclusive with passwordSecretRef.
609 One of password or passwordSecretRef must provide a password with a non-zero length.
610 type: string
611 passwordSecretRef:
612 description: |-
613 PasswordSecretRef is a reference to a non-empty key in a Secret resource
614 containing the password used to encrypt the PKCS#12 keystore.
615 Mutually exclusive with password.
616 One of password or passwordSecretRef must provide a password with a non-zero length.
617 type: object
618 required:
619 - name
620 properties:
621 key:
622 description: |-
623 The key of the entry in the Secret resource's `data` field to be used.
624 Some instances of this field may be defaulted, in others it may be
625 required.
626 type: string
627 name:
628 description: |-
629 Name of the resource being referred to.
630 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
631 type: string
632 profile:
633 description: |-
634 Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
635 used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
636
637 If provided, allowed values are:
638 `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
639 `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
640 `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
641 (eg. because of company policy). Please note that the security of the algorithm is not that important
642 in reality, because the unencrypted certificate and private key are also stored in the Secret.
643 type: string
644 enum:
645 - LegacyRC2
646 - LegacyDES
647 - Modern2023
648 literalSubject:
649 description: |-
650 Requested X.509 certificate subject, represented using the LDAP "String
651 Representation of a Distinguished Name" [1].
652 Important: the LDAP string format also specifies the order of the attributes
653 in the subject, this is important when issuing certs for LDAP authentication.
654 Example: `CN=foo,DC=corp,DC=example,DC=com`
655 More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
656 More info: https://github.com/cert-manager/cert-manager/issues/3203
657 More info: https://github.com/cert-manager/cert-manager/issues/4424
658
659 Cannot be set if the `subject` or `commonName` field is set.
660 type: string
661 nameConstraints:
662 description: |-
663 x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
664 More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
665
666 This is an Alpha Feature and is only enabled with the
667 `--feature-gates=NameConstraints=true` option set on both
668 the controller and webhook components.
669 type: object
670 properties:
671 critical:
672 description: if true then the name constraints are marked critical.
673 type: boolean
674 excluded:
675 description: |-
676 Excluded contains the constraints which must be disallowed. Any name matching a
677 restriction in the excluded field is invalid regardless
678 of information appearing in the permitted
679 type: object
680 properties:
681 dnsDomains:
682 description: DNSDomains is a list of DNS domains that are permitted or excluded.
683 type: array
684 items:
685 type: string
686 emailAddresses:
687 description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
688 type: array
689 items:
690 type: string
691 ipRanges:
692 description: |-
693 IPRanges is a list of IP Ranges that are permitted or excluded.
694 This should be a valid CIDR notation.
695 type: array
696 items:
697 type: string
698 uriDomains:
699 description: URIDomains is a list of URI domains that are permitted or excluded.
700 type: array
701 items:
702 type: string
703 permitted:
704 description: Permitted contains the constraints in which the names must be located.
705 type: object
706 properties:
707 dnsDomains:
708 description: DNSDomains is a list of DNS domains that are permitted or excluded.
709 type: array
710 items:
711 type: string
712 emailAddresses:
713 description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
714 type: array
715 items:
716 type: string
717 ipRanges:
718 description: |-
719 IPRanges is a list of IP Ranges that are permitted or excluded.
720 This should be a valid CIDR notation.
721 type: array
722 items:
723 type: string
724 uriDomains:
725 description: URIDomains is a list of URI domains that are permitted or excluded.
726 type: array
727 items:
728 type: string
729 otherNames:
730 description: |-
731 `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
732 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
733 Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
734 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
735 type: array
736 items:
737 type: object
738 properties:
739 oid:
740 description: |-
741 OID is the object identifier for the otherName SAN.
742 The object identifier must be expressed as a dotted string, for
743 example, "1.2.840.113556.1.4.221".
744 type: string
745 utf8Value:
746 description: |-
747 utf8Value is the string value of the otherName SAN.
748 The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
749 type: string
750 privateKey:
751 description: |-
752 Private key options. These include the key algorithm and size, the used
753 encoding and the rotation policy.
754 type: object
755 properties:
756 algorithm:
757 description: |-
758 Algorithm is the private key algorithm of the corresponding private key
759 for this certificate.
760
761 If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
762 If `algorithm` is specified and `size` is not provided,
763 key size of 2048 will be used for `RSA` key algorithm and
764 key size of 256 will be used for `ECDSA` key algorithm.
765 key size is ignored when using the `Ed25519` key algorithm.
766 type: string
767 enum:
768 - RSA
769 - ECDSA
770 - Ed25519
771 encoding:
772 description: |-
773 The private key cryptography standards (PKCS) encoding for this
774 certificate's private key to be encoded in.
775
776 If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
777 and PKCS#8, respectively.
778 Defaults to `PKCS1` if not specified.
779 type: string
780 enum:
781 - PKCS1
782 - PKCS8
783 rotationPolicy:
784 description: |-
785 RotationPolicy controls how private keys should be regenerated when a
786 re-issuance is being processed.
787
788 If set to `Never`, a private key will only be generated if one does not
789 already exist in the target `spec.secretName`. If one does exist but it
790 does not have the correct algorithm or size, a warning will be raised
791 to await user intervention.
792 If set to `Always`, a private key matching the specified requirements
793 will be generated whenever a re-issuance occurs.
794 Default is `Never` for backward compatibility.
795 type: string
796 enum:
797 - Never
798 - Always
799 size:
800 description: |-
801 Size is the key bit size of the corresponding private key for this certificate.
802
803 If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
804 and will default to `2048` if not specified.
805 If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
806 and will default to `256` if not specified.
807 If `algorithm` is set to `Ed25519`, Size is ignored.
808 No other values are allowed.
809 type: integer
810 renewBefore:
811 description: |-
812 How long before the currently issued certificate's expiry cert-manager should
813 renew the certificate. For example, if a certificate is valid for 60 minutes,
814 and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
815 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
816 the certificate is no longer valid).
817
818 NOTE: The actual lifetime of the issued certificate is used to determine the
819 renewal time. If an issuer returns a certificate with a different lifetime than
820 the one requested, cert-manager will use the lifetime of the issued certificate.
821
822 If unset, this defaults to 1/3 of the issued certificate's lifetime.
823 Minimum accepted value is 5 minutes.
824 Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
825 Cannot be set if the `renewBeforePercentage` field is set.
826 type: string
827 renewBeforePercentage:
828 description: |-
829 `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
830 rather than an absolute duration. For example, if a certificate is valid for 60
831 minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to
832 renew the certificate 45 minutes after it was issued (i.e. when there are 15
833 minutes (25%) remaining until the certificate is no longer valid).
834
835 NOTE: The actual lifetime of the issued certificate is used to determine the
836 renewal time. If an issuer returns a certificate with a different lifetime than
837 the one requested, cert-manager will use the lifetime of the issued certificate.
838
839 Value must be an integer in the range (0,100). The minimum effective
840 `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
841 minutes.
842 Cannot be set if the `renewBefore` field is set.
843 type: integer
844 format: int32
845 revisionHistoryLimit:
846 description: |-
847 The maximum number of CertificateRequest revisions that are maintained in
848 the Certificate's history. Each revision represents a single `CertificateRequest`
849 created by this Certificate, either when it was created, renewed, or Spec
850 was changed. Revisions will be removed by oldest first if the number of
851 revisions exceeds this number.
852
853 If set, revisionHistoryLimit must be a value of `1` or greater.
854 If unset (`nil`), revisions will not be garbage collected.
855 Default value is `nil`.
856 type: integer
857 format: int32
858 secretName:
859 description: |-
860 Name of the Secret resource that will be automatically created and
861 managed by this Certificate resource. It will be populated with a
862 private key and certificate, signed by the denoted issuer. The Secret
863 resource lives in the same namespace as the Certificate resource.
864 type: string
865 secretTemplate:
866 description: |-
867 Defines annotations and labels to be copied to the Certificate's Secret.
868 Labels and annotations on the Secret will be changed as they appear on the
869 SecretTemplate when added or removed. SecretTemplate annotations are added
870 in conjunction with, and cannot overwrite, the base set of annotations
871 cert-manager sets on the Certificate's Secret.
872 type: object
873 properties:
874 annotations:
875 description: Annotations is a key value map to be copied to the target Kubernetes Secret.
876 type: object
877 additionalProperties:
878 type: string
879 labels:
880 description: Labels is a key value map to be copied to the target Kubernetes Secret.
881 type: object
882 additionalProperties:
883 type: string
884 subject:
885 description: |-
886 Requested set of X509 certificate subject attributes.
887 More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
888
889 The common name attribute is specified separately in the `commonName` field.
890 Cannot be set if the `literalSubject` field is set.
891 type: object
892 properties:
893 countries:
894 description: Countries to be used on the Certificate.
895 type: array
896 items:
897 type: string
898 localities:
899 description: Cities to be used on the Certificate.
900 type: array
901 items:
902 type: string
903 organizationalUnits:
904 description: Organizational Units to be used on the Certificate.
905 type: array
906 items:
907 type: string
908 organizations:
909 description: Organizations to be used on the Certificate.
910 type: array
911 items:
912 type: string
913 postalCodes:
914 description: Postal codes to be used on the Certificate.
915 type: array
916 items:
917 type: string
918 provinces:
919 description: State/Provinces to be used on the Certificate.
920 type: array
921 items:
922 type: string
923 serialNumber:
924 description: Serial number to be used on the Certificate.
925 type: string
926 streetAddresses:
927 description: Street addresses to be used on the Certificate.
928 type: array
929 items:
930 type: string
931 uris:
932 description: Requested URI subject alternative names.
933 type: array
934 items:
935 type: string
936 usages:
937 description: |-
938 Requested key usages and extended key usages.
939 These usages are used to set the `usages` field on the created CertificateRequest
940 resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
941 will additionally be encoded in the `request` field which contains the CSR blob.
942
943 If unset, defaults to `digital signature` and `key encipherment`.
944 type: array
945 items:
946 description: |-
947 KeyUsage specifies valid usage contexts for keys.
948 See:
949 https://tools.ietf.org/html/rfc5280#section-4.2.1.3
950 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
951
952 Valid KeyUsage values are as follows:
953 "signing",
954 "digital signature",
955 "content commitment",
956 "key encipherment",
957 "key agreement",
958 "data encipherment",
959 "cert sign",
960 "crl sign",
961 "encipher only",
962 "decipher only",
963 "any",
964 "server auth",
965 "client auth",
966 "code signing",
967 "email protection",
968 "s/mime",
969 "ipsec end system",
970 "ipsec tunnel",
971 "ipsec user",
972 "timestamping",
973 "ocsp signing",
974 "microsoft sgc",
975 "netscape sgc"
976 type: string
977 enum:
978 - signing
979 - digital signature
980 - content commitment
981 - key encipherment
982 - key agreement
983 - data encipherment
984 - cert sign
985 - crl sign
986 - encipher only
987 - decipher only
988 - any
989 - server auth
990 - client auth
991 - code signing
992 - email protection
993 - s/mime
994 - ipsec end system
995 - ipsec tunnel
996 - ipsec user
997 - timestamping
998 - ocsp signing
999 - microsoft sgc
1000 - netscape sgc
1001 status:
1002 description: |-
1003 Status of the Certificate.
1004 This is set and managed automatically.
1005 Read-only.
1006 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
1007 type: object
1008 properties:
1009 conditions:
1010 description: |-
1011 List of status conditions to indicate the status of certificates.
1012 Known condition types are `Ready` and `Issuing`.
1013 type: array
1014 items:
1015 description: CertificateCondition contains condition information for a Certificate.
1016 type: object
1017 required:
1018 - status
1019 - type
1020 properties:
1021 lastTransitionTime:
1022 description: |-
1023 LastTransitionTime is the timestamp corresponding to the last status
1024 change of this condition.
1025 type: string
1026 format: date-time
1027 message:
1028 description: |-
1029 Message is a human readable description of the details of the last
1030 transition, complementing reason.
1031 type: string
1032 observedGeneration:
1033 description: |-
1034 If set, this represents the .metadata.generation that the condition was
1035 set based upon.
1036 For instance, if .metadata.generation is currently 12, but the
1037 .status.condition[x].observedGeneration is 9, the condition is out of date
1038 with respect to the current state of the Certificate.
1039 type: integer
1040 format: int64
1041 reason:
1042 description: |-
1043 Reason is a brief machine readable explanation for the condition's last
1044 transition.
1045 type: string
1046 status:
1047 description: Status of the condition, one of (`True`, `False`, `Unknown`).
1048 type: string
1049 enum:
1050 - "True"
1051 - "False"
1052 - Unknown
1053 type:
1054 description: Type of the condition, known values are (`Ready`, `Issuing`).
1055 type: string
1056 x-kubernetes-list-map-keys:
1057 - type
1058 x-kubernetes-list-type: map
1059 failedIssuanceAttempts:
1060 description: |-
1061 The number of continuous failed issuance attempts up till now. This
1062 field gets removed (if set) on a successful issuance and gets set to
1063 1 if unset and an issuance has failed. If an issuance has failed, the
1064 delay till the next issuance will be calculated using formula
1065 time.Hour * 2 ^ (failedIssuanceAttempts - 1).
1066 type: integer
1067 lastFailureTime:
1068 description: |-
1069 LastFailureTime is set only if the latest issuance for this
1070 Certificate failed and contains the time of the failure. If an
1071 issuance has failed, the delay till the next issuance will be
1072 calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
1073 1). If the latest issuance has succeeded this field will be unset.
1074 type: string
1075 format: date-time
1076 nextPrivateKeySecretName:
1077 description: |-
1078 The name of the Secret resource containing the private key to be used
1079 for the next certificate iteration.
1080 The keymanager controller will automatically set this field if the
1081 `Issuing` condition is set to `True`.
1082 It will automatically unset this field when the Issuing condition is
1083 not set or False.
1084 type: string
1085 notAfter:
1086 description: |-
1087 The expiration time of the certificate stored in the secret named
1088 by this resource in `spec.secretName`.
1089 type: string
1090 format: date-time
1091 notBefore:
1092 description: |-
1093 The time after which the certificate stored in the secret named
1094 by this resource in `spec.secretName` is valid.
1095 type: string
1096 format: date-time
1097 renewalTime:
1098 description: |-
1099 RenewalTime is the time at which the certificate will be next
1100 renewed.
1101 If not set, no upcoming renewal is scheduled.
1102 type: string
1103 format: date-time
1104 revision:
1105 description: |-
1106 The current 'revision' of the certificate as issued.
1107
1108 When a CertificateRequest resource is created, it will have the
1109 `cert-manager.io/certificate-revision` set to one greater than the
1110 current value of this field.
1111
1112 Upon issuance, this field will be set to the value of the annotation
1113 on the CertificateRequest resource used to issue the certificate.
1114
1115 Persisting the value on the CertificateRequest resource allows the
1116 certificates controller to know whether a request is part of an old
1117 issuance or if it is part of the ongoing revision's issuance by
1118 checking if the revision value in the annotation is greater than this
1119 field.
1120 type: integer
1121 served: true
1122 storage: true
1123
1124# END crd
1125---
1126# Source: cert-manager/templates/crds.yaml
1127# START crd
1128apiVersion: apiextensions.k8s.io/v1
1129kind: CustomResourceDefinition
1130metadata:
1131 name: challenges.acme.cert-manager.io
1132 # START annotations
1133 annotations:
1134 helm.sh/resource-policy: keep
1135 # END annotations
1136 labels:
1137 app: 'cert-manager'
1138 app.kubernetes.io/name: 'cert-manager'
1139 app.kubernetes.io/instance: 'cert-manager'
1140 # Generated labels
1141 app.kubernetes.io/version: "v1.17.0"
1142spec:
1143 group: acme.cert-manager.io
1144 names:
1145 kind: Challenge
1146 listKind: ChallengeList
1147 plural: challenges
1148 singular: challenge
1149 categories:
1150 - cert-manager
1151 - cert-manager-acme
1152 scope: Namespaced
1153 versions:
1154 - additionalPrinterColumns:
1155 - jsonPath: .status.state
1156 name: State
1157 type: string
1158 - jsonPath: .spec.dnsName
1159 name: Domain
1160 type: string
1161 - jsonPath: .status.reason
1162 name: Reason
1163 priority: 1
1164 type: string
1165 - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
1166 jsonPath: .metadata.creationTimestamp
1167 name: Age
1168 type: date
1169 name: v1
1170 schema:
1171 openAPIV3Schema:
1172 description: Challenge is a type to represent a Challenge request with an ACME server
1173 type: object
1174 required:
1175 - metadata
1176 - spec
1177 properties:
1178 apiVersion:
1179 description: |-
1180 APIVersion defines the versioned schema of this representation of an object.
1181 Servers should convert recognized schemas to the latest internal value, and
1182 may reject unrecognized values.
1183 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
1184 type: string
1185 kind:
1186 description: |-
1187 Kind is a string value representing the REST resource this object represents.
1188 Servers may infer this from the endpoint the client submits requests to.
1189 Cannot be updated.
1190 In CamelCase.
1191 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
1192 type: string
1193 metadata:
1194 type: object
1195 spec:
1196 type: object
1197 required:
1198 - authorizationURL
1199 - dnsName
1200 - issuerRef
1201 - key
1202 - solver
1203 - token
1204 - type
1205 - url
1206 properties:
1207 authorizationURL:
1208 description: |-
1209 The URL to the ACME Authorization resource that this
1210 challenge is a part of.
1211 type: string
1212 dnsName:
1213 description: |-
1214 dnsName is the identifier that this challenge is for, e.g. example.com.
1215 If the requested DNSName is a 'wildcard', this field MUST be set to the
1216 non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
1217 type: string
1218 issuerRef:
1219 description: |-
1220 References a properly configured ACME-type Issuer which should
1221 be used to create this Challenge.
1222 If the Issuer does not exist, processing will be retried.
1223 If the Issuer is not an 'ACME' Issuer, an error will be returned and the
1224 Challenge will be marked as failed.
1225 type: object
1226 required:
1227 - name
1228 properties:
1229 group:
1230 description: Group of the resource being referred to.
1231 type: string
1232 kind:
1233 description: Kind of the resource being referred to.
1234 type: string
1235 name:
1236 description: Name of the resource being referred to.
1237 type: string
1238 key:
1239 description: |-
1240 The ACME challenge key for this challenge
1241 For HTTP01 challenges, this is the value that must be responded with to
1242 complete the HTTP01 challenge in the format:
1243 `<private key JWK thumbprint>.<key from acme server for challenge>`.
1244 For DNS01 challenges, this is the base64 encoded SHA256 sum of the
1245 `<private key JWK thumbprint>.<key from acme server for challenge>`
1246 text that must be set as the TXT record content.
1247 type: string
1248 solver:
1249 description: |-
1250 Contains the domain solving configuration that should be used to
1251 solve this challenge resource.
1252 type: object
1253 properties:
1254 dns01:
1255 description: |-
1256 Configures cert-manager to attempt to complete authorizations by
1257 performing the DNS01 challenge flow.
1258 type: object
1259 properties:
1260 acmeDNS:
1261 description: |-
1262 Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
1263 DNS01 challenge records.
1264 type: object
1265 required:
1266 - accountSecretRef
1267 - host
1268 properties:
1269 accountSecretRef:
1270 description: |-
1271 A reference to a specific 'key' within a Secret resource.
1272 In some instances, `key` is a required field.
1273 type: object
1274 required:
1275 - name
1276 properties:
1277 key:
1278 description: |-
1279 The key of the entry in the Secret resource's `data` field to be used.
1280 Some instances of this field may be defaulted, in others it may be
1281 required.
1282 type: string
1283 name:
1284 description: |-
1285 Name of the resource being referred to.
1286 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1287 type: string
1288 host:
1289 type: string
1290 akamai:
1291 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
1292 type: object
1293 required:
1294 - accessTokenSecretRef
1295 - clientSecretSecretRef
1296 - clientTokenSecretRef
1297 - serviceConsumerDomain
1298 properties:
1299 accessTokenSecretRef:
1300 description: |-
1301 A reference to a specific 'key' within a Secret resource.
1302 In some instances, `key` is a required field.
1303 type: object
1304 required:
1305 - name
1306 properties:
1307 key:
1308 description: |-
1309 The key of the entry in the Secret resource's `data` field to be used.
1310 Some instances of this field may be defaulted, in others it may be
1311 required.
1312 type: string
1313 name:
1314 description: |-
1315 Name of the resource being referred to.
1316 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1317 type: string
1318 clientSecretSecretRef:
1319 description: |-
1320 A reference to a specific 'key' within a Secret resource.
1321 In some instances, `key` is a required field.
1322 type: object
1323 required:
1324 - name
1325 properties:
1326 key:
1327 description: |-
1328 The key of the entry in the Secret resource's `data` field to be used.
1329 Some instances of this field may be defaulted, in others it may be
1330 required.
1331 type: string
1332 name:
1333 description: |-
1334 Name of the resource being referred to.
1335 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1336 type: string
1337 clientTokenSecretRef:
1338 description: |-
1339 A reference to a specific 'key' within a Secret resource.
1340 In some instances, `key` is a required field.
1341 type: object
1342 required:
1343 - name
1344 properties:
1345 key:
1346 description: |-
1347 The key of the entry in the Secret resource's `data` field to be used.
1348 Some instances of this field may be defaulted, in others it may be
1349 required.
1350 type: string
1351 name:
1352 description: |-
1353 Name of the resource being referred to.
1354 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1355 type: string
1356 serviceConsumerDomain:
1357 type: string
1358 azureDNS:
1359 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
1360 type: object
1361 required:
1362 - resourceGroupName
1363 - subscriptionID
1364 properties:
1365 clientID:
1366 description: |-
1367 Auth: Azure Service Principal:
1368 The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
1369 If set, ClientSecret and TenantID must also be set.
1370 type: string
1371 clientSecretSecretRef:
1372 description: |-
1373 Auth: Azure Service Principal:
1374 A reference to a Secret containing the password associated with the Service Principal.
1375 If set, ClientID and TenantID must also be set.
1376 type: object
1377 required:
1378 - name
1379 properties:
1380 key:
1381 description: |-
1382 The key of the entry in the Secret resource's `data` field to be used.
1383 Some instances of this field may be defaulted, in others it may be
1384 required.
1385 type: string
1386 name:
1387 description: |-
1388 Name of the resource being referred to.
1389 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1390 type: string
1391 environment:
1392 description: name of the Azure environment (default AzurePublicCloud)
1393 type: string
1394 enum:
1395 - AzurePublicCloud
1396 - AzureChinaCloud
1397 - AzureGermanCloud
1398 - AzureUSGovernmentCloud
1399 hostedZoneName:
1400 description: name of the DNS zone that should be used
1401 type: string
1402 managedIdentity:
1403 description: |-
1404 Auth: Azure Workload Identity or Azure Managed Service Identity:
1405 Settings to enable Azure Workload Identity or Azure Managed Service Identity
1406 If set, ClientID, ClientSecret and TenantID must not be set.
1407 type: object
1408 properties:
1409 clientID:
1410 description: client ID of the managed identity, can not be used at the same time as resourceID
1411 type: string
1412 resourceID:
1413 description: |-
1414 resource ID of the managed identity, can not be used at the same time as clientID
1415 Cannot be used for Azure Managed Service Identity
1416 type: string
1417 tenantID:
1418 description: tenant ID of the managed identity, can not be used at the same time as resourceID
1419 type: string
1420 resourceGroupName:
1421 description: resource group the DNS zone is located in
1422 type: string
1423 subscriptionID:
1424 description: ID of the Azure subscription
1425 type: string
1426 tenantID:
1427 description: |-
1428 Auth: Azure Service Principal:
1429 The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
1430 If set, ClientID and ClientSecret must also be set.
1431 type: string
1432 cloudDNS:
1433 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
1434 type: object
1435 required:
1436 - project
1437 properties:
1438 hostedZoneName:
1439 description: |-
1440 HostedZoneName is an optional field that tells cert-manager in which
1441 Cloud DNS zone the challenge record has to be created.
1442 If left empty cert-manager will automatically choose a zone.
1443 type: string
1444 project:
1445 type: string
1446 serviceAccountSecretRef:
1447 description: |-
1448 A reference to a specific 'key' within a Secret resource.
1449 In some instances, `key` is a required field.
1450 type: object
1451 required:
1452 - name
1453 properties:
1454 key:
1455 description: |-
1456 The key of the entry in the Secret resource's `data` field to be used.
1457 Some instances of this field may be defaulted, in others it may be
1458 required.
1459 type: string
1460 name:
1461 description: |-
1462 Name of the resource being referred to.
1463 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1464 type: string
1465 cloudflare:
1466 description: Use the Cloudflare API to manage DNS01 challenge records.
1467 type: object
1468 properties:
1469 apiKeySecretRef:
1470 description: |-
1471 API key to use to authenticate with Cloudflare.
1472 Note: using an API token to authenticate is now the recommended method
1473 as it allows greater control of permissions.
1474 type: object
1475 required:
1476 - name
1477 properties:
1478 key:
1479 description: |-
1480 The key of the entry in the Secret resource's `data` field to be used.
1481 Some instances of this field may be defaulted, in others it may be
1482 required.
1483 type: string
1484 name:
1485 description: |-
1486 Name of the resource being referred to.
1487 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1488 type: string
1489 apiTokenSecretRef:
1490 description: API token used to authenticate with Cloudflare.
1491 type: object
1492 required:
1493 - name
1494 properties:
1495 key:
1496 description: |-
1497 The key of the entry in the Secret resource's `data` field to be used.
1498 Some instances of this field may be defaulted, in others it may be
1499 required.
1500 type: string
1501 name:
1502 description: |-
1503 Name of the resource being referred to.
1504 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1505 type: string
1506 email:
1507 description: Email of the account, only required when using API key based authentication.
1508 type: string
1509 cnameStrategy:
1510 description: |-
1511 CNAMEStrategy configures how the DNS01 provider should handle CNAME
1512 records when found in DNS zones.
1513 type: string
1514 enum:
1515 - None
1516 - Follow
1517 digitalocean:
1518 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
1519 type: object
1520 required:
1521 - tokenSecretRef
1522 properties:
1523 tokenSecretRef:
1524 description: |-
1525 A reference to a specific 'key' within a Secret resource.
1526 In some instances, `key` is a required field.
1527 type: object
1528 required:
1529 - name
1530 properties:
1531 key:
1532 description: |-
1533 The key of the entry in the Secret resource's `data` field to be used.
1534 Some instances of this field may be defaulted, in others it may be
1535 required.
1536 type: string
1537 name:
1538 description: |-
1539 Name of the resource being referred to.
1540 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1541 type: string
1542 rfc2136:
1543 description: |-
1544 Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
1545 to manage DNS01 challenge records.
1546 type: object
1547 required:
1548 - nameserver
1549 properties:
1550 nameserver:
1551 description: |-
1552 The IP address or hostname of an authoritative DNS server supporting
1553 RFC2136 in the form host:port. If the host is an IPv6 address it must be
1554 enclosed in square brackets (e.g. [2001:db8::1]); port is optional.
1555 This field is required.
1556 type: string
1557 tsigAlgorithm:
1558 description: |-
1559 The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
1560 when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
1561 Supported values are (case-insensitive): ``HMACMD5`` (default),
1562 ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
1563 type: string
1564 tsigKeyName:
1565 description: |-
1566 The TSIG Key name configured in the DNS.
1567 If ``tsigSecretSecretRef`` is defined, this field is required.
1568 type: string
1569 tsigSecretSecretRef:
1570 description: |-
1571 The name of the secret containing the TSIG value.
1572 If ``tsigKeyName`` is defined, this field is required.
1573 type: object
1574 required:
1575 - name
1576 properties:
1577 key:
1578 description: |-
1579 The key of the entry in the Secret resource's `data` field to be used.
1580 Some instances of this field may be defaulted, in others it may be
1581 required.
1582 type: string
1583 name:
1584 description: |-
1585 Name of the resource being referred to.
1586 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1587 type: string
1588 route53:
1589 description: Use the AWS Route53 API to manage DNS01 challenge records.
1590 type: object
1591 properties:
1592 accessKeyID:
1593 description: |-
1594 The AccessKeyID is used for authentication.
1595 Cannot be set when AccessKeyIDSecretRef is set.
1596 If neither the Access Key nor Key ID are set, we fall-back to using env
1597 vars, shared credentials file or AWS Instance metadata,
1598 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
1599 type: string
1600 accessKeyIDSecretRef:
1601 description: |-
1602 The AccessKeyID is used for authentication. If set, pull the AWS
1603 access key ID from a key within a Kubernetes Secret.
1604 Cannot be set when AccessKeyID is set.
1605 If neither the Access Key nor Key ID are set, we fall-back to using env
1606 vars, shared credentials file or AWS Instance metadata,
1607 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
1608 type: object
1609 required:
1610 - name
1611 properties:
1612 key:
1613 description: |-
1614 The key of the entry in the Secret resource's `data` field to be used.
1615 Some instances of this field may be defaulted, in others it may be
1616 required.
1617 type: string
1618 name:
1619 description: |-
1620 Name of the resource being referred to.
1621 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1622 type: string
1623 auth:
1624 description: Auth configures how cert-manager authenticates.
1625 type: object
1626 required:
1627 - kubernetes
1628 properties:
1629 kubernetes:
1630 description: |-
1631 Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
1632 by passing a bound ServiceAccount token.
1633 type: object
1634 required:
1635 - serviceAccountRef
1636 properties:
1637 serviceAccountRef:
1638 description: |-
1639 A reference to a service account that will be used to request a bound
1640 token (also known as "projected token"). To use this field, you must
1641 configure an RBAC rule to let cert-manager request a token.
1642 type: object
1643 required:
1644 - name
1645 properties:
1646 audiences:
1647 description: |-
1648 TokenAudiences is an optional list of audiences to include in the
1649 token passed to AWS. The default token consisting of the issuer's namespace
1650 and name is always included.
1651 If unset the audience defaults to `sts.amazonaws.com`.
1652 type: array
1653 items:
1654 type: string
1655 name:
1656 description: Name of the ServiceAccount used to request a token.
1657 type: string
1658 hostedZoneID:
1659 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
1660 type: string
1661 region:
1662 description: |-
1663 Override the AWS region.
1664
1665 Route53 is a global service and does not have regional endpoints but the
1666 region specified here (or via environment variables) is used as a hint to
1667 help compute the correct AWS credential scope and partition when it
1668 connects to Route53. See:
1669 - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
1670 - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
1671
1672 If you omit this region field, cert-manager will use the region from
1673 AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
1674 in the cert-manager controller Pod.
1675
1676 The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
1677 Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
1678 [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
1679 In this case this `region` field value is ignored.
1680
1681 The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
1682 Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
1683 [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent).
1684 In this case this `region` field value is ignored.
1685 type: string
1686 role:
1687 description: |-
1688 Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
1689 or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata.
1690 type: string
1691 secretAccessKeySecretRef:
1692 description: |-
1693 The SecretAccessKey is used for authentication.
1694 If neither the Access Key nor Key ID are set, we fall-back to using env
1695 vars, shared credentials file or AWS Instance metadata,
1696 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
1697 type: object
1698 required:
1699 - name
1700 properties:
1701 key:
1702 description: |-
1703 The key of the entry in the Secret resource's `data` field to be used.
1704 Some instances of this field may be defaulted, in others it may be
1705 required.
1706 type: string
1707 name:
1708 description: |-
1709 Name of the resource being referred to.
1710 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1711 type: string
1712 webhook:
1713 description: |-
1714 Configure an external webhook based DNS01 challenge solver to manage
1715 DNS01 challenge records.
1716 type: object
1717 required:
1718 - groupName
1719 - solverName
1720 properties:
1721 config:
1722 description: |-
1723 Additional configuration that should be passed to the webhook apiserver
1724 when challenges are processed.
1725 This can contain arbitrary JSON data.
1726 Secret values should not be specified in this stanza.
1727 If secret values are needed (e.g. credentials for a DNS service), you
1728 should use a SecretKeySelector to reference a Secret resource.
1729 For details on the schema of this field, consult the webhook provider
1730 implementation's documentation.
1731 x-kubernetes-preserve-unknown-fields: true
1732 groupName:
1733 description: |-
1734 The API group name that should be used when POSTing ChallengePayload
1735 resources to the webhook apiserver.
1736 This should be the same as the GroupName specified in the webhook
1737 provider implementation.
1738 type: string
1739 solverName:
1740 description: |-
1741 The name of the solver to use, as defined in the webhook provider
1742 implementation.
1743 This will typically be the name of the provider, e.g. 'cloudflare'.
1744 type: string
1745 http01:
1746 description: |-
1747 Configures cert-manager to attempt to complete authorizations by
1748 performing the HTTP01 challenge flow.
1749 It is not possible to obtain certificates for wildcard domain names
1750 (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
1751 type: object
1752 properties:
1753 gatewayHTTPRoute:
1754 description: |-
1755 The Gateway API is a sig-network community API that models service networking
1756 in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
1757 create HTTPRoutes with the specified labels in the same namespace as the challenge.
1758 This solver is experimental, and fields / behaviour may change in the future.
1759 type: object
1760 properties:
1761 labels:
1762 description: |-
1763 Custom labels that will be applied to HTTPRoutes created by cert-manager
1764 while solving HTTP-01 challenges.
1765 type: object
1766 additionalProperties:
1767 type: string
1768 parentRefs:
1769 description: |-
1770 When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
1771 cert-manager needs to know which parentRefs should be used when creating
1772 the HTTPRoute. Usually, the parentRef references a Gateway. See:
1773 https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
1774 type: array
1775 items:
1776 description: |-
1777 ParentReference identifies an API object (usually a Gateway) that can be considered
1778 a parent of this resource (usually a route). There are two kinds of parent resources
1779 with "Core" support:
1780
1781 * Gateway (Gateway conformance profile)
1782 * Service (Mesh conformance profile, ClusterIP Services only)
1783
1784 This API may be extended in the future to support additional kinds of parent
1785 resources.
1786
1787 The API object must be valid in the cluster; the Group and Kind must
1788 be registered in the cluster for this reference to be valid.
1789 type: object
1790 required:
1791 - name
1792 properties:
1793 group:
1794 description: |-
1795 Group is the group of the referent.
1796 When unspecified, "gateway.networking.k8s.io" is inferred.
1797 To set the core API group (such as for a "Service" kind referent),
1798 Group must be explicitly set to "" (empty string).
1799
1800 Support: Core
1801 type: string
1802 default: gateway.networking.k8s.io
1803 maxLength: 253
1804 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1805 kind:
1806 description: |-
1807 Kind is kind of the referent.
1808
1809 There are two kinds of parent resources with "Core" support:
1810
1811 * Gateway (Gateway conformance profile)
1812 * Service (Mesh conformance profile, ClusterIP Services only)
1813
1814 Support for other resources is Implementation-Specific.
1815 type: string
1816 default: Gateway
1817 maxLength: 63
1818 minLength: 1
1819 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
1820 name:
1821 description: |-
1822 Name is the name of the referent.
1823
1824 Support: Core
1825 type: string
1826 maxLength: 253
1827 minLength: 1
1828 namespace:
1829 description: |-
1830 Namespace is the namespace of the referent. When unspecified, this refers
1831 to the local namespace of the Route.
1832
1833 Note that there are specific rules for ParentRefs which cross namespace
1834 boundaries. Cross-namespace references are only valid if they are explicitly
1835 allowed by something in the namespace they are referring to. For example:
1836 Gateway has the AllowedRoutes field, and ReferenceGrant provides a
1837 generic way to enable any other kind of cross-namespace reference.
1838
1839 <gateway:experimental:description>
1840 ParentRefs from a Route to a Service in the same namespace are "producer"
1841 routes, which apply default routing rules to inbound connections from
1842 any namespace to the Service.
1843
1844 ParentRefs from a Route to a Service in a different namespace are
1845 "consumer" routes, and these routing rules are only applied to outbound
1846 connections originating from the same namespace as the Route, for which
1847 the intended destination of the connections are a Service targeted as a
1848 ParentRef of the Route.
1849 </gateway:experimental:description>
1850
1851 Support: Core
1852 type: string
1853 maxLength: 63
1854 minLength: 1
1855 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
1856 port:
1857 description: |-
1858 Port is the network port this Route targets. It can be interpreted
1859 differently based on the type of parent resource.
1860
1861 When the parent resource is a Gateway, this targets all listeners
1862 listening on the specified port that also support this kind of Route (and
1863 select this Route). It's not recommended to set `Port` unless the
1864 networking behaviors specified in a Route must apply to a specific port
1865 as opposed to listener(s) whose port(s) may be changed. When both Port
1866 and SectionName are specified, the name and port of the selected listener
1867 must match both specified values.
1868
1869 <gateway:experimental:description>
1870 When the parent resource is a Service, this targets a specific port in the
1871 Service spec. When both Port (experimental) and SectionName are specified,
1872 the name and port of the selected port must match both specified values.
1873 </gateway:experimental:description>
1874
1875 Implementations MAY choose to support other parent resources.
1876 Implementations supporting other types of parent resources MUST clearly
1877 document how/if Port is interpreted.
1878
1879 For the purpose of status, an attachment is considered successful as
1880 long as the parent resource accepts it partially. For example, Gateway
1881 listeners can restrict which Routes can attach to them by Route kind,
1882 namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
1883 from the referencing Route, the Route MUST be considered successfully
1884 attached. If no Gateway listeners accept attachment from this Route,
1885 the Route MUST be considered detached from the Gateway.
1886
1887 Support: Extended
1888 type: integer
1889 format: int32
1890 maximum: 65535
1891 minimum: 1
1892 sectionName:
1893 description: |-
1894 SectionName is the name of a section within the target resource. In the
1895 following resources, SectionName is interpreted as the following:
1896
1897 * Gateway: Listener name. When both Port (experimental) and SectionName
1898 are specified, the name and port of the selected listener must match
1899 both specified values.
1900 * Service: Port name. When both Port (experimental) and SectionName
1901 are specified, the name and port of the selected listener must match
1902 both specified values.
1903
1904 Implementations MAY choose to support attaching Routes to other resources.
1905 If that is the case, they MUST clearly document how SectionName is
1906 interpreted.
1907
1908 When unspecified (empty string), this will reference the entire resource.
1909 For the purpose of status, an attachment is considered successful if at
1910 least one section in the parent resource accepts it. For example, Gateway
1911 listeners can restrict which Routes can attach to them by Route kind,
1912 namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
1913 the referencing Route, the Route MUST be considered successfully
1914 attached. If no Gateway listeners accept attachment from this Route, the
1915 Route MUST be considered detached from the Gateway.
1916
1917 Support: Core
1918 type: string
1919 maxLength: 253
1920 minLength: 1
1921 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
1922 podTemplate:
1923 description: |-
1924 Optional pod template used to configure the ACME challenge solver pods
1925 used for HTTP01 challenges.
1926 type: object
1927 properties:
1928 metadata:
1929 description: |-
1930 ObjectMeta overrides for the pod used to solve HTTP01 challenges.
1931 Only the 'labels' and 'annotations' fields may be set.
1932 If labels or annotations overlap with in-built values, the values here
1933 will override the in-built values.
1934 type: object
1935 properties:
1936 annotations:
1937 description: Annotations that should be added to the created ACME HTTP01 solver pods.
1938 type: object
1939 additionalProperties:
1940 type: string
1941 labels:
1942 description: Labels that should be added to the created ACME HTTP01 solver pods.
1943 type: object
1944 additionalProperties:
1945 type: string
1946 spec:
1947 description: |-
1948 PodSpec defines overrides for the HTTP01 challenge solver pod.
1949 Check ACMEChallengeSolverHTTP01IngressPodSpec to find out which fields are currently supported.
1950 All other fields will be ignored.
1951 type: object
1952 properties:
1953 affinity:
1954 description: If specified, the pod's scheduling constraints
1955 type: object
1956 properties:
1957 nodeAffinity:
1958 description: Describes node affinity scheduling rules for the pod.
1959 type: object
1960 properties:
1961 preferredDuringSchedulingIgnoredDuringExecution:
1962 description: |-
1963 The scheduler will prefer to schedule pods to nodes that satisfy
1964 the affinity expressions specified by this field, but it may choose
1965 a node that violates one or more of the expressions. The node that is
1966 most preferred is the one with the greatest sum of weights, i.e.
1967 for each node that meets all of the scheduling requirements (resource
1968 request, requiredDuringScheduling affinity expressions, etc.),
1969 compute a sum by iterating through the elements of this field and adding
1970 "weight" to the sum if the node matches the corresponding matchExpressions; the
1971 node(s) with the highest sum are the most preferred.
1972 type: array
1973 items:
1974 description: |-
1975 An empty preferred scheduling term matches all objects with implicit weight 0
1976 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
1977 type: object
1978 required:
1979 - preference
1980 - weight
1981 properties:
1982 preference:
1983 description: A node selector term, associated with the corresponding weight.
1984 type: object
1985 properties:
1986 matchExpressions:
1987 description: A list of node selector requirements by node's labels.
1988 type: array
1989 items:
1990 description: |-
1991 A node selector requirement is a selector that contains values, a key, and an operator
1992 that relates the key and values.
1993 type: object
1994 required:
1995 - key
1996 - operator
1997 properties:
1998 key:
1999 description: The label key that the selector applies to.
2000 type: string
2001 operator:
2002 description: |-
2003 Represents a key's relationship to a set of values.
2004 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2005 type: string
2006 values:
2007 description: |-
2008 An array of string values. If the operator is In or NotIn,
2009 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2010 the values array must be empty. If the operator is Gt or Lt, the values
2011 array must have a single element, which will be interpreted as an integer.
2012 This array is replaced during a strategic merge patch.
2013 type: array
2014 items:
2015 type: string
2016 x-kubernetes-list-type: atomic
2017 x-kubernetes-list-type: atomic
2018 matchFields:
2019 description: A list of node selector requirements by node's fields.
2020 type: array
2021 items:
2022 description: |-
2023 A node selector requirement is a selector that contains values, a key, and an operator
2024 that relates the key and values.
2025 type: object
2026 required:
2027 - key
2028 - operator
2029 properties:
2030 key:
2031 description: The label key that the selector applies to.
2032 type: string
2033 operator:
2034 description: |-
2035 Represents a key's relationship to a set of values.
2036 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2037 type: string
2038 values:
2039 description: |-
2040 An array of string values. If the operator is In or NotIn,
2041 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2042 the values array must be empty. If the operator is Gt or Lt, the values
2043 array must have a single element, which will be interpreted as an integer.
2044 This array is replaced during a strategic merge patch.
2045 type: array
2046 items:
2047 type: string
2048 x-kubernetes-list-type: atomic
2049 x-kubernetes-list-type: atomic
2050 x-kubernetes-map-type: atomic
2051 weight:
2052 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2053 type: integer
2054 format: int32
2055 x-kubernetes-list-type: atomic
2056 requiredDuringSchedulingIgnoredDuringExecution:
2057 description: |-
2058 If the affinity requirements specified by this field are not met at
2059 scheduling time, the pod will not be scheduled onto the node.
2060 If the affinity requirements specified by this field cease to be met
2061 at some point during pod execution (e.g. due to an update), the system
2062 may or may not try to eventually evict the pod from its node.
2063 type: object
2064 required:
2065 - nodeSelectorTerms
2066 properties:
2067 nodeSelectorTerms:
2068 description: Required. A list of node selector terms. The terms are ORed.
2069 type: array
2070 items:
2071 description: |-
2072 A null or empty node selector term matches no objects. The requirements
2073 within a term are ANDed.
2074 The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2075 type: object
2076 properties:
2077 matchExpressions:
2078 description: A list of node selector requirements by node's labels.
2079 type: array
2080 items:
2081 description: |-
2082 A node selector requirement is a selector that contains values, a key, and an operator
2083 that relates the key and values.
2084 type: object
2085 required:
2086 - key
2087 - operator
2088 properties:
2089 key:
2090 description: The label key that the selector applies to.
2091 type: string
2092 operator:
2093 description: |-
2094 Represents a key's relationship to a set of values.
2095 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2096 type: string
2097 values:
2098 description: |-
2099 An array of string values. If the operator is In or NotIn,
2100 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2101 the values array must be empty. If the operator is Gt or Lt, the values
2102 array must have a single element, which will be interpreted as an integer.
2103 This array is replaced during a strategic merge patch.
2104 type: array
2105 items:
2106 type: string
2107 x-kubernetes-list-type: atomic
2108 x-kubernetes-list-type: atomic
2109 matchFields:
2110 description: A list of node selector requirements by node's fields.
2111 type: array
2112 items:
2113 description: |-
2114 A node selector requirement is a selector that contains values, a key, and an operator
2115 that relates the key and values.
2116 type: object
2117 required:
2118 - key
2119 - operator
2120 properties:
2121 key:
2122 description: The label key that the selector applies to.
2123 type: string
2124 operator:
2125 description: |-
2126 Represents a key's relationship to a set of values.
2127 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
2128 type: string
2129 values:
2130 description: |-
2131 An array of string values. If the operator is In or NotIn,
2132 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2133 the values array must be empty. If the operator is Gt or Lt, the values
2134 array must have a single element, which will be interpreted as an integer.
2135 This array is replaced during a strategic merge patch.
2136 type: array
2137 items:
2138 type: string
2139 x-kubernetes-list-type: atomic
2140 x-kubernetes-list-type: atomic
2141 x-kubernetes-map-type: atomic
2142 x-kubernetes-list-type: atomic
2143 x-kubernetes-map-type: atomic
2144 podAffinity:
2145 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2146 type: object
2147 properties:
2148 preferredDuringSchedulingIgnoredDuringExecution:
2149 description: |-
2150 The scheduler will prefer to schedule pods to nodes that satisfy
2151 the affinity expressions specified by this field, but it may choose
2152 a node that violates one or more of the expressions. The node that is
2153 most preferred is the one with the greatest sum of weights, i.e.
2154 for each node that meets all of the scheduling requirements (resource
2155 request, requiredDuringScheduling affinity expressions, etc.),
2156 compute a sum by iterating through the elements of this field and adding
2157 "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
2158 node(s) with the highest sum are the most preferred.
2159 type: array
2160 items:
2161 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2162 type: object
2163 required:
2164 - podAffinityTerm
2165 - weight
2166 properties:
2167 podAffinityTerm:
2168 description: Required. A pod affinity term, associated with the corresponding weight.
2169 type: object
2170 required:
2171 - topologyKey
2172 properties:
2173 labelSelector:
2174 description: |-
2175 A label query over a set of resources, in this case pods.
2176 If it's null, this PodAffinityTerm matches with no Pods.
2177 type: object
2178 properties:
2179 matchExpressions:
2180 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2181 type: array
2182 items:
2183 description: |-
2184 A label selector requirement is a selector that contains values, a key, and an operator that
2185 relates the key and values.
2186 type: object
2187 required:
2188 - key
2189 - operator
2190 properties:
2191 key:
2192 description: key is the label key that the selector applies to.
2193 type: string
2194 operator:
2195 description: |-
2196 operator represents a key's relationship to a set of values.
2197 Valid operators are In, NotIn, Exists and DoesNotExist.
2198 type: string
2199 values:
2200 description: |-
2201 values is an array of string values. If the operator is In or NotIn,
2202 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2203 the values array must be empty. This array is replaced during a strategic
2204 merge patch.
2205 type: array
2206 items:
2207 type: string
2208 x-kubernetes-list-type: atomic
2209 x-kubernetes-list-type: atomic
2210 matchLabels:
2211 description: |-
2212 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2213 map is equivalent to an element of matchExpressions, whose key field is "key", the
2214 operator is "In", and the values array contains only "value". The requirements are ANDed.
2215 type: object
2216 additionalProperties:
2217 type: string
2218 x-kubernetes-map-type: atomic
2219 matchLabelKeys:
2220 description: |-
2221 MatchLabelKeys is a set of pod label keys to select which pods will
2222 be taken into consideration. The keys are used to look up values from the
2223 incoming pod labels; those key-value labels are merged with `labelSelector` as `key in (value)`
2224 to select the group of existing pods that will be taken into consideration
2225 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2226 pod labels will be ignored. The default value is empty.
2227 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2228 Also, matchLabelKeys cannot be set when labelSelector isn't set.
2229 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2230 type: array
2231 items:
2232 type: string
2233 x-kubernetes-list-type: atomic
2234 mismatchLabelKeys:
2235 description: |-
2236 MismatchLabelKeys is a set of pod label keys to select which pods will
2237 be taken into consideration. The keys are used to look up values from the
2238 incoming pod labels; those key-value labels are merged with `labelSelector` as `key notin (value)`
2239 to select the group of existing pods that will be taken into consideration
2240 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2241 pod labels will be ignored. The default value is empty.
2242 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2243 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2244 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2245 type: array
2246 items:
2247 type: string
2248 x-kubernetes-list-type: atomic
2249 namespaceSelector:
2250 description: |-
2251 A label query over the set of namespaces that the term applies to.
2252 The term is applied to the union of the namespaces selected by this field
2253 and the ones listed in the namespaces field.
2254 null selector and null or empty namespaces list means "this pod's namespace".
2255 An empty selector ({}) matches all namespaces.
2256 type: object
2257 properties:
2258 matchExpressions:
2259 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2260 type: array
2261 items:
2262 description: |-
2263 A label selector requirement is a selector that contains values, a key, and an operator that
2264 relates the key and values.
2265 type: object
2266 required:
2267 - key
2268 - operator
2269 properties:
2270 key:
2271 description: key is the label key that the selector applies to.
2272 type: string
2273 operator:
2274 description: |-
2275 operator represents a key's relationship to a set of values.
2276 Valid operators are In, NotIn, Exists and DoesNotExist.
2277 type: string
2278 values:
2279 description: |-
2280 values is an array of string values. If the operator is In or NotIn,
2281 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2282 the values array must be empty. This array is replaced during a strategic
2283 merge patch.
2284 type: array
2285 items:
2286 type: string
2287 x-kubernetes-list-type: atomic
2288 x-kubernetes-list-type: atomic
2289 matchLabels:
2290 description: |-
2291 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2292 map is equivalent to an element of matchExpressions, whose key field is "key", the
2293 operator is "In", and the values array contains only "value". The requirements are ANDed.
2294 type: object
2295 additionalProperties:
2296 type: string
2297 x-kubernetes-map-type: atomic
2298 namespaces:
2299 description: |-
2300 namespaces specifies a static list of namespace names that the term applies to.
2301 The term is applied to the union of the namespaces listed in this field
2302 and the ones selected by namespaceSelector.
2303 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2304 type: array
2305 items:
2306 type: string
2307 x-kubernetes-list-type: atomic
2308 topologyKey:
2309 description: |-
2310 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2311 the labelSelector in the specified namespaces, where co-located is defined as running on a node
2312 whose value of the label with key topologyKey matches that of any node on which any of the
2313 selected pods is running.
2314 Empty topologyKey is not allowed.
2315 type: string
2316 weight:
2317 description: |-
2318 weight associated with matching the corresponding podAffinityTerm,
2319 in the range 1-100.
2320 type: integer
2321 format: int32
2322 x-kubernetes-list-type: atomic
2323 requiredDuringSchedulingIgnoredDuringExecution:
2324 description: |-
2325 If the affinity requirements specified by this field are not met at
2326 scheduling time, the pod will not be scheduled onto the node.
2327 If the affinity requirements specified by this field cease to be met
2328 at some point during pod execution (e.g. due to a pod label update), the
2329 system may or may not try to eventually evict the pod from its node.
2330 When there are multiple elements, the lists of nodes corresponding to each
2331 podAffinityTerm are intersected, i.e. all terms must be satisfied.
2332 type: array
2333 items:
2334 description: |-
2335 Defines a set of pods (namely those matching the labelSelector
2336 relative to the given namespace(s)) that this pod should be
2337 co-located (affinity) or not co-located (anti-affinity) with,
2338 where co-located is defined as running on a node whose value of
2339 the label with key <topologyKey> matches that of any node on which
2340 a pod of the set of pods is running
2341 type: object
2342 required:
2343 - topologyKey
2344 properties:
2345 labelSelector:
2346 description: |-
2347 A label query over a set of resources, in this case pods.
2348 If it's null, this PodAffinityTerm matches with no Pods.
2349 type: object
2350 properties:
2351 matchExpressions:
2352 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2353 type: array
2354 items:
2355 description: |-
2356 A label selector requirement is a selector that contains values, a key, and an operator that
2357 relates the key and values.
2358 type: object
2359 required:
2360 - key
2361 - operator
2362 properties:
2363 key:
2364 description: key is the label key that the selector applies to.
2365 type: string
2366 operator:
2367 description: |-
2368 operator represents a key's relationship to a set of values.
2369 Valid operators are In, NotIn, Exists and DoesNotExist.
2370 type: string
2371 values:
2372 description: |-
2373 values is an array of string values. If the operator is In or NotIn,
2374 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2375 the values array must be empty. This array is replaced during a strategic
2376 merge patch.
2377 type: array
2378 items:
2379 type: string
2380 x-kubernetes-list-type: atomic
2381 x-kubernetes-list-type: atomic
2382 matchLabels:
2383 description: |-
2384 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2385 map is equivalent to an element of matchExpressions, whose key field is "key", the
2386 operator is "In", and the values array contains only "value". The requirements are ANDed.
2387 type: object
2388 additionalProperties:
2389 type: string
2390 x-kubernetes-map-type: atomic
2391 matchLabelKeys:
2392 description: |-
2393 MatchLabelKeys is a set of pod label keys to select which pods will
2394 be taken into consideration. The keys are used to look up values from the
2395 incoming pod labels; those key-value labels are merged with `labelSelector` as `key in (value)`
2396 to select the group of existing pods that will be taken into consideration
2397 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2398 pod labels will be ignored. The default value is empty.
2399 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2400 Also, matchLabelKeys cannot be set when labelSelector isn't set.
2401 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2402 type: array
2403 items:
2404 type: string
2405 x-kubernetes-list-type: atomic
2406 mismatchLabelKeys:
2407 description: |-
2408 MismatchLabelKeys is a set of pod label keys to select which pods will
2409 be taken into consideration. The keys are used to look up values from the
2410 incoming pod labels; those key-value labels are merged with `labelSelector` as `key notin (value)`
2411 to select the group of existing pods that will be taken into consideration
2412 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2413 pod labels will be ignored. The default value is empty.
2414 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2415 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2416 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2417 type: array
2418 items:
2419 type: string
2420 x-kubernetes-list-type: atomic
2421 namespaceSelector:
2422 description: |-
2423 A label query over the set of namespaces that the term applies to.
2424 The term is applied to the union of the namespaces selected by this field
2425 and the ones listed in the namespaces field.
2426 null selector and null or empty namespaces list means "this pod's namespace".
2427 An empty selector ({}) matches all namespaces.
2428 type: object
2429 properties:
2430 matchExpressions:
2431 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2432 type: array
2433 items:
2434 description: |-
2435 A label selector requirement is a selector that contains values, a key, and an operator that
2436 relates the key and values.
2437 type: object
2438 required:
2439 - key
2440 - operator
2441 properties:
2442 key:
2443 description: key is the label key that the selector applies to.
2444 type: string
2445 operator:
2446 description: |-
2447 operator represents a key's relationship to a set of values.
2448 Valid operators are In, NotIn, Exists and DoesNotExist.
2449 type: string
2450 values:
2451 description: |-
2452 values is an array of string values. If the operator is In or NotIn,
2453 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2454 the values array must be empty. This array is replaced during a strategic
2455 merge patch.
2456 type: array
2457 items:
2458 type: string
2459 x-kubernetes-list-type: atomic
2460 x-kubernetes-list-type: atomic
2461 matchLabels:
2462 description: |-
2463 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2464 map is equivalent to an element of matchExpressions, whose key field is "key", the
2465 operator is "In", and the values array contains only "value". The requirements are ANDed.
2466 type: object
2467 additionalProperties:
2468 type: string
2469 x-kubernetes-map-type: atomic
2470 namespaces:
2471 description: |-
2472 namespaces specifies a static list of namespace names that the term applies to.
2473 The term is applied to the union of the namespaces listed in this field
2474 and the ones selected by namespaceSelector.
2475 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2476 type: array
2477 items:
2478 type: string
2479 x-kubernetes-list-type: atomic
2480 topologyKey:
2481 description: |-
2482 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2483 the labelSelector in the specified namespaces, where co-located is defined as running on a node
2484 whose value of the label with key topologyKey matches that of any node on which any of the
2485 selected pods is running.
2486 Empty topologyKey is not allowed.
2487 type: string
2488 x-kubernetes-list-type: atomic
2489 podAntiAffinity:
2490 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2491 type: object
2492 properties:
2493 preferredDuringSchedulingIgnoredDuringExecution:
2494 description: |-
2495 The scheduler will prefer to schedule pods to nodes that satisfy
2496 the anti-affinity expressions specified by this field, but it may choose
2497 a node that violates one or more of the expressions. The node that is
2498 most preferred is the one with the greatest sum of weights, i.e.
2499 for each node that meets all of the scheduling requirements (resource
2500 request, requiredDuringScheduling anti-affinity expressions, etc.),
2501 compute a sum by iterating through the elements of this field and adding
2502 "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
2503 node(s) with the highest sum are the most preferred.
2504 type: array
2505 items:
2506 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2507 type: object
2508 required:
2509 - podAffinityTerm
2510 - weight
2511 properties:
2512 podAffinityTerm:
2513 description: Required. A pod affinity term, associated with the corresponding weight.
2514 type: object
2515 required:
2516 - topologyKey
2517 properties:
2518 labelSelector:
2519 description: |-
2520 A label query over a set of resources, in this case pods.
2521 If it's null, this PodAffinityTerm matches with no Pods.
2522 type: object
2523 properties:
2524 matchExpressions:
2525 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2526 type: array
2527 items:
2528 description: |-
2529 A label selector requirement is a selector that contains values, a key, and an operator that
2530 relates the key and values.
2531 type: object
2532 required:
2533 - key
2534 - operator
2535 properties:
2536 key:
2537 description: key is the label key that the selector applies to.
2538 type: string
2539 operator:
2540 description: |-
2541 operator represents a key's relationship to a set of values.
2542 Valid operators are In, NotIn, Exists and DoesNotExist.
2543 type: string
2544 values:
2545 description: |-
2546 values is an array of string values. If the operator is In or NotIn,
2547 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2548 the values array must be empty. This array is replaced during a strategic
2549 merge patch.
2550 type: array
2551 items:
2552 type: string
2553 x-kubernetes-list-type: atomic
2554 x-kubernetes-list-type: atomic
2555 matchLabels:
2556 description: |-
2557 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2558 map is equivalent to an element of matchExpressions, whose key field is "key", the
2559 operator is "In", and the values array contains only "value". The requirements are ANDed.
2560 type: object
2561 additionalProperties:
2562 type: string
2563 x-kubernetes-map-type: atomic
2564 matchLabelKeys:
2565 description: |-
2566 MatchLabelKeys is a set of pod label keys to select which pods will
2567 be taken into consideration. The keys are used to lookup values from the
2568 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2569 to select the group of existing pods which pods will be taken into consideration
2570 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2571 pod labels will be ignored. The default value is empty.
2572 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2573 Also, matchLabelKeys cannot be set when labelSelector isn't set.
2574 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2575 type: array
2576 items:
2577 type: string
2578 x-kubernetes-list-type: atomic
2579 mismatchLabelKeys:
2580 description: |-
2581 MismatchLabelKeys is a set of pod label keys to select which pods will
2582 be taken into consideration. The keys are used to lookup values from the
2583 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2584 to select the group of existing pods which pods will be taken into consideration
2585 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2586 pod labels will be ignored. The default value is empty.
2587 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2588 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2589 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2590 type: array
2591 items:
2592 type: string
2593 x-kubernetes-list-type: atomic
2594 namespaceSelector:
2595 description: |-
2596 A label query over the set of namespaces that the term applies to.
2597 The term is applied to the union of the namespaces selected by this field
2598 and the ones listed in the namespaces field.
2599 null selector and null or empty namespaces list means "this pod's namespace".
2600 An empty selector ({}) matches all namespaces.
2601 type: object
2602 properties:
2603 matchExpressions:
2604 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2605 type: array
2606 items:
2607 description: |-
2608 A label selector requirement is a selector that contains values, a key, and an operator that
2609 relates the key and values.
2610 type: object
2611 required:
2612 - key
2613 - operator
2614 properties:
2615 key:
2616 description: key is the label key that the selector applies to.
2617 type: string
2618 operator:
2619 description: |-
2620 operator represents a key's relationship to a set of values.
2621 Valid operators are In, NotIn, Exists and DoesNotExist.
2622 type: string
2623 values:
2624 description: |-
2625 values is an array of string values. If the operator is In or NotIn,
2626 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2627 the values array must be empty. This array is replaced during a strategic
2628 merge patch.
2629 type: array
2630 items:
2631 type: string
2632 x-kubernetes-list-type: atomic
2633 x-kubernetes-list-type: atomic
2634 matchLabels:
2635 description: |-
2636 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2637 map is equivalent to an element of matchExpressions, whose key field is "key", the
2638 operator is "In", and the values array contains only "value". The requirements are ANDed.
2639 type: object
2640 additionalProperties:
2641 type: string
2642 x-kubernetes-map-type: atomic
2643 namespaces:
2644 description: |-
2645 namespaces specifies a static list of namespace names that the term applies to.
2646 The term is applied to the union of the namespaces listed in this field
2647 and the ones selected by namespaceSelector.
2648 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2649 type: array
2650 items:
2651 type: string
2652 x-kubernetes-list-type: atomic
2653 topologyKey:
2654 description: |-
2655 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2656 the labelSelector in the specified namespaces, where co-located is defined as running on a node
2657 whose value of the label with key topologyKey matches that of any node on which any of the
2658 selected pods is running.
2659 Empty topologyKey is not allowed.
2660 type: string
2661 weight:
2662 description: |-
2663 weight associated with matching the corresponding podAffinityTerm,
2664 in the range 1-100.
2665 type: integer
2666 format: int32
2667 x-kubernetes-list-type: atomic
2668 requiredDuringSchedulingIgnoredDuringExecution:
2669 description: |-
2670 If the anti-affinity requirements specified by this field are not met at
2671 scheduling time, the pod will not be scheduled onto the node.
2672 If the anti-affinity requirements specified by this field cease to be met
2673 at some point during pod execution (e.g. due to a pod label update), the
2674 system may or may not try to eventually evict the pod from its node.
2675 When there are multiple elements, the lists of nodes corresponding to each
2676 podAffinityTerm are intersected, i.e. all terms must be satisfied.
2677 type: array
2678 items:
2679 description: |-
2680 Defines a set of pods (namely those matching the labelSelector
2681 relative to the given namespace(s)) that this pod should be
2682 co-located (affinity) or not co-located (anti-affinity) with,
2683 where co-located is defined as running on a node whose value of
2684 the label with key <topologyKey> matches that of any node on which
2685 a pod of the set of pods is running
2686 type: object
2687 required:
2688 - topologyKey
2689 properties:
2690 labelSelector:
2691 description: |-
2692 A label query over a set of resources, in this case pods.
2693 If it's null, this PodAffinityTerm matches with no Pods.
2694 type: object
2695 properties:
2696 matchExpressions:
2697 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2698 type: array
2699 items:
2700 description: |-
2701 A label selector requirement is a selector that contains values, a key, and an operator that
2702 relates the key and values.
2703 type: object
2704 required:
2705 - key
2706 - operator
2707 properties:
2708 key:
2709 description: key is the label key that the selector applies to.
2710 type: string
2711 operator:
2712 description: |-
2713 operator represents a key's relationship to a set of values.
2714 Valid operators are In, NotIn, Exists and DoesNotExist.
2715 type: string
2716 values:
2717 description: |-
2718 values is an array of string values. If the operator is In or NotIn,
2719 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2720 the values array must be empty. This array is replaced during a strategic
2721 merge patch.
2722 type: array
2723 items:
2724 type: string
2725 x-kubernetes-list-type: atomic
2726 x-kubernetes-list-type: atomic
2727 matchLabels:
2728 description: |-
2729 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2730 map is equivalent to an element of matchExpressions, whose key field is "key", the
2731 operator is "In", and the values array contains only "value". The requirements are ANDed.
2732 type: object
2733 additionalProperties:
2734 type: string
2735 x-kubernetes-map-type: atomic
2736 matchLabelKeys:
2737 description: |-
2738 MatchLabelKeys is a set of pod label keys to select which pods will
2739 be taken into consideration. The keys are used to lookup values from the
2740 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2741 to select the group of existing pods which pods will be taken into consideration
2742 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2743 pod labels will be ignored. The default value is empty.
2744 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2745 Also, matchLabelKeys cannot be set when labelSelector isn't set.
2746 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2747 type: array
2748 items:
2749 type: string
2750 x-kubernetes-list-type: atomic
2751 mismatchLabelKeys:
2752 description: |-
2753 MismatchLabelKeys is a set of pod label keys to select which pods will
2754 be taken into consideration. The keys are used to lookup values from the
2755 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2756 to select the group of existing pods which pods will be taken into consideration
2757 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2758 pod labels will be ignored. The default value is empty.
2759 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2760 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2761 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2762 type: array
2763 items:
2764 type: string
2765 x-kubernetes-list-type: atomic
2766 namespaceSelector:
2767 description: |-
2768 A label query over the set of namespaces that the term applies to.
2769 The term is applied to the union of the namespaces selected by this field
2770 and the ones listed in the namespaces field.
2771 null selector and null or empty namespaces list means "this pod's namespace".
2772 An empty selector ({}) matches all namespaces.
2773 type: object
2774 properties:
2775 matchExpressions:
2776 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
2777 type: array
2778 items:
2779 description: |-
2780 A label selector requirement is a selector that contains values, a key, and an operator that
2781 relates the key and values.
2782 type: object
2783 required:
2784 - key
2785 - operator
2786 properties:
2787 key:
2788 description: key is the label key that the selector applies to.
2789 type: string
2790 operator:
2791 description: |-
2792 operator represents a key's relationship to a set of values.
2793 Valid operators are In, NotIn, Exists and DoesNotExist.
2794 type: string
2795 values:
2796 description: |-
2797 values is an array of string values. If the operator is In or NotIn,
2798 the values array must be non-empty. If the operator is Exists or DoesNotExist,
2799 the values array must be empty. This array is replaced during a strategic
2800 merge patch.
2801 type: array
2802 items:
2803 type: string
2804 x-kubernetes-list-type: atomic
2805 x-kubernetes-list-type: atomic
2806 matchLabels:
2807 description: |-
2808 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2809 map is equivalent to an element of matchExpressions, whose key field is "key", the
2810 operator is "In", and the values array contains only "value". The requirements are ANDed.
2811 type: object
2812 additionalProperties:
2813 type: string
2814 x-kubernetes-map-type: atomic
2815 namespaces:
2816 description: |-
2817 namespaces specifies a static list of namespace names that the term applies to.
2818 The term is applied to the union of the namespaces listed in this field
2819 and the ones selected by namespaceSelector.
2820 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2821 type: array
2822 items:
2823 type: string
2824 x-kubernetes-list-type: atomic
2825 topologyKey:
2826 description: |-
2827 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2828 the labelSelector in the specified namespaces, where co-located is defined as running on a node
2829 whose value of the label with key topologyKey matches that of any node on which any of the
2830 selected pods is running.
2831 Empty topologyKey is not allowed.
2832 type: string
2833 x-kubernetes-list-type: atomic
2834 imagePullSecrets:
2835 description: If specified, the pod's imagePullSecrets
2836 type: array
2837 items:
2838 description: |-
2839 LocalObjectReference contains enough information to let you locate the
2840 referenced object inside the same namespace.
2841 type: object
2842 properties:
2843 name:
2844 description: |-
2845 Name of the referent.
2846 This field is effectively required, but due to backwards compatibility is
2847 allowed to be empty. Instances of this type with an empty value here are
2848 almost certainly wrong.
2849 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2850 type: string
2851 default: ""
2852 x-kubernetes-map-type: atomic
2853 nodeSelector:
2854 description: |-
2855 NodeSelector is a selector which must be true for the pod to fit on a node.
2856 Selector which must match a node's labels for the pod to be scheduled on that node.
2857 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
2858 type: object
2859 additionalProperties:
2860 type: string
2861 priorityClassName:
2862 description: If specified, the pod's priorityClassName.
2863 type: string
2864 securityContext:
2865 description: If specified, the pod's security context. Note that this schema does not constrain the values; settings such as seccompProfile type Unconfined or additional sysctls weaken the solver pod's isolation and are only rejected by the namespace's pod admission policy, if one is enforced.
2866 type: object
2867 properties:
2868 fsGroup:
2869 description: |-
2870 A special supplemental group that applies to all containers in a pod.
2871 Some volume types allow the Kubelet to change the ownership of that volume
2872 to be owned by the pod:
2873
2874 1. The owning GID will be the FSGroup
2875 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
2876 3. The permission bits are OR'd with rw-rw----
2877
2878 If unset, the Kubelet will not modify the ownership and permissions of any volume.
2879 Note that this field cannot be set when spec.os.name is windows.
2880 type: integer
2881 format: int64
2882 fsGroupChangePolicy:
2883 description: |-
2884 fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
2885 before being exposed inside Pod. This field will only apply to
2886 volume types which support fsGroup based ownership (and permissions).
2887 It will have no effect on ephemeral volume types such as: secret, configmaps
2888 and emptydir.
2889 Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
2890 Note that this field cannot be set when spec.os.name is windows.
2891 type: string
2892 runAsGroup:
2893 description: |-
2894 The GID to run the entrypoint of the container process.
2895 Uses runtime default if unset.
2896 May also be set in SecurityContext. If set in both SecurityContext and
2897 PodSecurityContext, the value specified in SecurityContext takes precedence
2898 for that container.
2899 Note that this field cannot be set when spec.os.name is windows.
2900 type: integer
2901 format: int64
2902 runAsNonRoot:
2903 description: |-
2904 Indicates that the container must run as a non-root user.
2905 If true, the Kubelet will validate the image at runtime to ensure that it
2906 does not run as UID 0 (root) and fail to start the container if it does.
2907 If unset or false, no such validation will be performed.
2908 May also be set in SecurityContext. If set in both SecurityContext and
2909 PodSecurityContext, the value specified in SecurityContext takes precedence.
2910 type: boolean
2911 runAsUser:
2912 description: |-
2913 The UID to run the entrypoint of the container process.
2914 Defaults to user specified in image metadata if unspecified.
2915 May also be set in SecurityContext. If set in both SecurityContext and
2916 PodSecurityContext, the value specified in SecurityContext takes precedence
2917 for that container.
2918 Note that this field cannot be set when spec.os.name is windows.
2919 type: integer
2920 format: int64
2921 seLinuxOptions:
2922 description: |-
2923 The SELinux context to be applied to all containers.
2924 If unspecified, the container runtime will allocate a random SELinux context for each
2925 container. May also be set in SecurityContext. If set in
2926 both SecurityContext and PodSecurityContext, the value specified in SecurityContext
2927 takes precedence for that container.
2928 Note that this field cannot be set when spec.os.name is windows.
2929 type: object
2930 properties:
2931 level:
2932 description: Level is SELinux level label that applies to the container.
2933 type: string
2934 role:
2935 description: Role is a SELinux role label that applies to the container.
2936 type: string
2937 type:
2938 description: Type is a SELinux type label that applies to the container.
2939 type: string
2940 user:
2941 description: User is a SELinux user label that applies to the container.
2942 type: string
2943 seccompProfile:
2944 description: |-
2945 The seccomp options to use by the containers in this pod.
2946 Note that this field cannot be set when spec.os.name is windows.
2947 type: object
2948 required:
2949 - type
2950 properties:
2951 localhostProfile:
2952 description: |-
2953 localhostProfile indicates a profile defined in a file on the node should be used.
2954 The profile must be preconfigured on the node to work.
2955 Must be a descending path, relative to the kubelet's configured seccomp profile location.
2956 Must be set if type is "Localhost". Must NOT be set for any other type.
2957 type: string
2958 type:
2959 description: |-
2960 type indicates which kind of seccomp profile will be applied.
2961 Valid options are:
2962
2963 Localhost - a profile defined in a file on the node should be used.
2964 RuntimeDefault - the container runtime default profile should be used.
2965 Unconfined - no profile should be applied.
2966 type: string
2967 supplementalGroups:
2968 description: |-
2969 A list of groups applied to the first process run in each container, in addition
2970 to the container's primary GID, the fsGroup (if specified), and group memberships
2971 defined in the container image for the uid of the container process. If unspecified,
2972 no additional groups are added to any container. Note that group memberships
2973 defined in the container image for the uid of the container process are still effective,
2974 even if they are not included in this list.
2975 Note that this field cannot be set when spec.os.name is windows.
2976 type: array
2977 items:
2978 type: integer
2979 format: int64
2980 sysctls:
2981 description: |-
2982 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
2983 sysctls (by the container runtime) might fail to launch.
2984 Note that this field cannot be set when spec.os.name is windows.
2985 type: array
2986 items:
2987 description: Sysctl defines a kernel parameter to be set
2988 type: object
2989 required:
2990 - name
2991 - value
2992 properties:
2993 name:
2994 description: Name of a property to set
2995 type: string
2996 value:
2997 description: Value of a property to set
2998 type: string
2999 serviceAccountName:
3000 description: If specified, the pod's service account. The solver pod runs with that service account's identity and RBAC bindings, so the right to create resources that use this solver in a namespace should be treated as the right to run a pod as any service account in that namespace.
3001 type: string
3002 tolerations:
3003 description: If specified, the pod's tolerations.
3004 type: array
3005 items:
3006 description: |-
3007 The pod this Toleration is attached to tolerates any taint that matches
3008 the triple <key,value,effect> using the matching operator <operator>.
3009 type: object
3010 properties:
3011 effect:
3012 description: |-
3013 Effect indicates the taint effect to match. Empty means match all taint effects.
3014 When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3015 type: string
3016 key:
3017 description: |-
3018 Key is the taint key that the toleration applies to. Empty means match all taint keys.
3019 If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3020 type: string
3021 operator:
3022 description: |-
3023 Operator represents a key's relationship to the value.
3024 Valid operators are Exists and Equal. Defaults to Equal.
3025 Exists is equivalent to wildcard for value, so that a pod can
3026 tolerate all taints of a particular category.
3027 type: string
3028 tolerationSeconds:
3029 description: |-
3030 TolerationSeconds represents the period of time the toleration (which must be
3031 of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
3032 it is not set, which means tolerate the taint forever (do not evict). Zero and
3033 negative values will be treated as 0 (evict immediately) by the system.
3034 type: integer
3035 format: int64
3036 value:
3037 description: |-
3038 Value is the taint value the toleration matches to.
3039 If the operator is Exists, the value should be empty, otherwise just a regular string.
3040 type: string
3041 serviceType:
3042 description: |-
3043 Optional service type for Kubernetes solver service. Supported values
3044 are NodePort or ClusterIP. If unset, defaults to NodePort. Note that NodePort exposes the solver service on a port of every node; where the ingress controller can reach cluster-internal services, ClusterIP avoids that exposure.
3045 type: string
3046 ingress:
3047 description: |-
3048 The ingress based HTTP01 challenge solver will solve challenges by
3049 creating or modifying Ingress resources in order to route requests for
3050 '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
3051 provisioned by cert-manager for each Challenge to be completed.
3052 type: object
3053 properties:
3054 class:
3055 description: |-
3056 This field configures the annotation `kubernetes.io/ingress.class` when
3057 creating Ingress resources to solve ACME challenges that use this
3058 challenge solver. Only one of `class`, `name` or `ingressClassName` may
3059 be specified.
3060 type: string
3061 ingressClassName:
3062 description: |-
3063 This field configures the field `ingressClassName` on the created Ingress
3064 resources used to solve ACME challenges that use this challenge solver.
3065 This is the recommended way of configuring the ingress class. Only one of
3066 `class`, `name` or `ingressClassName` may be specified.
3067 type: string
3068 ingressTemplate:
3069 description: |-
3070 Optional ingress template used to configure the ACME challenge solver
3071 ingress used for HTTP01 challenges.
3072 type: object
3073 properties:
3074 metadata:
3075 description: |-
3076 ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
3077 Only the 'labels' and 'annotations' fields may be set.
3078 If labels or annotations overlap with in-built values, the values here
3079 will override the in-built values.
3080 type: object
3081 properties:
3082 annotations:
3083 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
3084 type: object
3085 additionalProperties:
3086 type: string
3087 labels:
3088 description: Labels that should be added to the created ACME HTTP01 solver ingress.
3089 type: object
3090 additionalProperties:
3091 type: string
3092 name:
3093 description: |-
3094 The name of the ingress resource that should have ACME challenge solving
3095 routes inserted into it in order to solve HTTP01 challenges.
3096 This is typically used in conjunction with ingress controllers like
3097 ingress-gce, which maintains a 1:1 mapping between external IPs and
3098 ingress resources. Only one of `class`, `name` or `ingressClassName` may
3099 be specified.
3100 type: string
3101 podTemplate:
3102 description: |-
3103 Optional pod template used to configure the ACME challenge solver pods
3104 used for HTTP01 challenges.
3105 type: object
3106 properties:
3107 metadata:
3108 description: |-
3109 ObjectMeta overrides for the pod used to solve HTTP01 challenges.
3110 Only the 'labels' and 'annotations' fields may be set.
3111 If labels or annotations overlap with in-built values, the values here
3112 will override the in-built values.
3113 type: object
3114 properties:
3115 annotations:
3116 description: Annotations that should be added to the created ACME HTTP01 solver pods.
3117 type: object
3118 additionalProperties:
3119 type: string
3120 labels:
3121 description: Labels that should be added to the created ACME HTTP01 solver pods.
3122 type: object
3123 additionalProperties:
3124 type: string
3125 spec:
3126 description: |-
3127 PodSpec defines overrides for the HTTP01 challenge solver pod.
3128 Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
3129 All other fields will be ignored.
3130 type: object
3131 properties:
3132 affinity:
3133 description: If specified, the pod's scheduling constraints
3134 type: object
3135 properties:
3136 nodeAffinity:
3137 description: Describes node affinity scheduling rules for the pod.
3138 type: object
3139 properties:
3140 preferredDuringSchedulingIgnoredDuringExecution:
3141 description: |-
3142 The scheduler will prefer to schedule pods to nodes that satisfy
3143 the affinity expressions specified by this field, but it may choose
3144 a node that violates one or more of the expressions. The node that is
3145 most preferred is the one with the greatest sum of weights, i.e.
3146 for each node that meets all of the scheduling requirements (resource
3147 request, requiredDuringScheduling affinity expressions, etc.),
3148 compute a sum by iterating through the elements of this field and adding
3149 "weight" to the sum if the node matches the corresponding matchExpressions; the
3150 node(s) with the highest sum are the most preferred.
3151 type: array
3152 items:
3153 description: |-
3154 An empty preferred scheduling term matches all objects with implicit weight 0
3155 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
3156 type: object
3157 required:
3158 - preference
3159 - weight
3160 properties:
3161 preference:
3162 description: A node selector term, associated with the corresponding weight.
3163 type: object
3164 properties:
3165 matchExpressions:
3166 description: A list of node selector requirements by node's labels.
3167 type: array
3168 items:
3169 description: |-
3170 A node selector requirement is a selector that contains values, a key, and an operator
3171 that relates the key and values.
3172 type: object
3173 required:
3174 - key
3175 - operator
3176 properties:
3177 key:
3178 description: The label key that the selector applies to.
3179 type: string
3180 operator:
3181 description: |-
3182 Represents a key's relationship to a set of values.
3183 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3184 type: string
3185 values:
3186 description: |-
3187 An array of string values. If the operator is In or NotIn,
3188 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3189 the values array must be empty. If the operator is Gt or Lt, the values
3190 array must have a single element, which will be interpreted as an integer.
3191 This array is replaced during a strategic merge patch.
3192 type: array
3193 items:
3194 type: string
3195 x-kubernetes-list-type: atomic
3196 x-kubernetes-list-type: atomic
3197 matchFields:
3198 description: A list of node selector requirements by node's fields.
3199 type: array
3200 items:
3201 description: |-
3202 A node selector requirement is a selector that contains values, a key, and an operator
3203 that relates the key and values.
3204 type: object
3205 required:
3206 - key
3207 - operator
3208 properties:
3209 key:
3210 description: The label key that the selector applies to.
3211 type: string
3212 operator:
3213 description: |-
3214 Represents a key's relationship to a set of values.
3215 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3216 type: string
3217 values:
3218 description: |-
3219 An array of string values. If the operator is In or NotIn,
3220 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3221 the values array must be empty. If the operator is Gt or Lt, the values
3222 array must have a single element, which will be interpreted as an integer.
3223 This array is replaced during a strategic merge patch.
3224 type: array
3225 items:
3226 type: string
3227 x-kubernetes-list-type: atomic
3228 x-kubernetes-list-type: atomic
3229 x-kubernetes-map-type: atomic
3230 weight:
3231 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
3232 type: integer
3233 format: int32
3234 x-kubernetes-list-type: atomic
3235 requiredDuringSchedulingIgnoredDuringExecution:
3236 description: |-
3237 If the affinity requirements specified by this field are not met at
3238 scheduling time, the pod will not be scheduled onto the node.
3239 If the affinity requirements specified by this field cease to be met
3240 at some point during pod execution (e.g. due to an update), the system
3241 may or may not try to eventually evict the pod from its node.
3242 type: object
3243 required:
3244 - nodeSelectorTerms
3245 properties:
3246 nodeSelectorTerms:
3247 description: Required. A list of node selector terms. The terms are ORed.
3248 type: array
3249 items:
3250 description: |-
3251 A null or empty node selector term matches no objects. The requirements of
3252 them are ANDed.
3253 The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
3254 type: object
3255 properties:
3256 matchExpressions:
3257 description: A list of node selector requirements by node's labels.
3258 type: array
3259 items:
3260 description: |-
3261 A node selector requirement is a selector that contains values, a key, and an operator
3262 that relates the key and values.
3263 type: object
3264 required:
3265 - key
3266 - operator
3267 properties:
3268 key:
3269 description: The label key that the selector applies to.
3270 type: string
3271 operator:
3272 description: |-
3273 Represents a key's relationship to a set of values.
3274 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3275 type: string
3276 values:
3277 description: |-
3278 An array of string values. If the operator is In or NotIn,
3279 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3280 the values array must be empty. If the operator is Gt or Lt, the values
3281 array must have a single element, which will be interpreted as an integer.
3282 This array is replaced during a strategic merge patch.
3283 type: array
3284 items:
3285 type: string
3286 x-kubernetes-list-type: atomic
3287 x-kubernetes-list-type: atomic
3288 matchFields:
3289 description: A list of node selector requirements by node's fields.
3290 type: array
3291 items:
3292 description: |-
3293 A node selector requirement is a selector that contains values, a key, and an operator
3294 that relates the key and values.
3295 type: object
3296 required:
3297 - key
3298 - operator
3299 properties:
3300 key:
3301 description: The label key that the selector applies to.
3302 type: string
3303 operator:
3304 description: |-
3305 Represents a key's relationship to a set of values.
3306 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
3307 type: string
3308 values:
3309 description: |-
3310 An array of string values. If the operator is In or NotIn,
3311 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3312 the values array must be empty. If the operator is Gt or Lt, the values
3313 array must have a single element, which will be interpreted as an integer.
3314 This array is replaced during a strategic merge patch.
3315 type: array
3316 items:
3317 type: string
3318 x-kubernetes-list-type: atomic
3319 x-kubernetes-list-type: atomic
3320 x-kubernetes-map-type: atomic
3321 x-kubernetes-list-type: atomic
3322 x-kubernetes-map-type: atomic
3323 podAffinity:
3324 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
3325 type: object
3326 properties:
3327 preferredDuringSchedulingIgnoredDuringExecution:
3328 description: |-
3329 The scheduler will prefer to schedule pods to nodes that satisfy
3330 the affinity expressions specified by this field, but it may choose
3331 a node that violates one or more of the expressions. The node that is
3332 most preferred is the one with the greatest sum of weights, i.e.
3333 for each node that meets all of the scheduling requirements (resource
3334 request, requiredDuringScheduling affinity expressions, etc.),
3335 compute a sum by iterating through the elements of this field and adding
3336 "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
3337 node(s) with the highest sum are the most preferred.
3338 type: array
3339 items:
3340 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3341 type: object
3342 required:
3343 - podAffinityTerm
3344 - weight
3345 properties:
3346 podAffinityTerm:
3347 description: Required. A pod affinity term, associated with the corresponding weight.
3348 type: object
3349 required:
3350 - topologyKey
3351 properties:
3352 labelSelector:
3353 description: |-
3354 A label query over a set of resources, in this case pods.
3355 If it's null, this PodAffinityTerm matches with no Pods.
3356 type: object
3357 properties:
3358 matchExpressions:
3359 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3360 type: array
3361 items:
3362 description: |-
3363 A label selector requirement is a selector that contains values, a key, and an operator that
3364 relates the key and values.
3365 type: object
3366 required:
3367 - key
3368 - operator
3369 properties:
3370 key:
3371 description: key is the label key that the selector applies to.
3372 type: string
3373 operator:
3374 description: |-
3375 operator represents a key's relationship to a set of values.
3376 Valid operators are In, NotIn, Exists and DoesNotExist.
3377 type: string
3378 values:
3379 description: |-
3380 values is an array of string values. If the operator is In or NotIn,
3381 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3382 the values array must be empty. This array is replaced during a strategic
3383 merge patch.
3384 type: array
3385 items:
3386 type: string
3387 x-kubernetes-list-type: atomic
3388 x-kubernetes-list-type: atomic
3389 matchLabels:
3390 description: |-
3391 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
3392 map is equivalent to an element of matchExpressions, whose key field is "key", the
3393 operator is "In", and the values array contains only "value". The requirements are ANDed.
3394 type: object
3395 additionalProperties:
3396 type: string
3397 x-kubernetes-map-type: atomic
3398 matchLabelKeys:
3399 description: |-
3400 MatchLabelKeys is a set of pod label keys to select which pods will
3401 be taken into consideration. The keys are used to look up values from the
3402 incoming pod labels; those key-value labels are merged with `labelSelector` as `key in (value)`
3403 to select the group of existing pods that will be taken into consideration
3404 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
3405 pod labels will be ignored. The default value is empty.
3406 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
3407 Also, matchLabelKeys cannot be set when labelSelector isn't set.
3408 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
3409 type: array
3410 items:
3411 type: string
3412 x-kubernetes-list-type: atomic
3413 mismatchLabelKeys:
3414 description: |-
3415 MismatchLabelKeys is a set of pod label keys to select which pods will
3416 be taken into consideration. The keys are used to look up values from the
3417 incoming pod labels; those key-value labels are merged with `labelSelector` as `key notin (value)`
3418 to select the group of existing pods that will be taken into consideration
3419 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
3420 pod labels will be ignored. The default value is empty.
3421 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
3422 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
3423 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
3424 type: array
3425 items:
3426 type: string
3427 x-kubernetes-list-type: atomic
3428 namespaceSelector:
3429 description: |-
3430 A label query over the set of namespaces that the term applies to.
3431 The term is applied to the union of the namespaces selected by this field
3432 and the ones listed in the namespaces field.
3433 null selector and null or empty namespaces list means "this pod's namespace".
3434 An empty selector ({}) matches all namespaces.
3435 type: object
3436 properties:
3437 matchExpressions:
3438 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3439 type: array
3440 items:
3441 description: |-
3442 A label selector requirement is a selector that contains values, a key, and an operator that
3443 relates the key and values.
3444 type: object
3445 required:
3446 - key
3447 - operator
3448 properties:
3449 key:
3450 description: key is the label key that the selector applies to.
3451 type: string
3452 operator:
3453 description: |-
3454 operator represents a key's relationship to a set of values.
3455 Valid operators are In, NotIn, Exists and DoesNotExist.
3456 type: string
3457 values:
3458 description: |-
3459 values is an array of string values. If the operator is In or NotIn,
3460 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3461 the values array must be empty. This array is replaced during a strategic
3462 merge patch.
3463 type: array
3464 items:
3465 type: string
3466 x-kubernetes-list-type: atomic
3467 x-kubernetes-list-type: atomic
3468 matchLabels:
3469 description: |-
3470 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
3471 map is equivalent to an element of matchExpressions, whose key field is "key", the
3472 operator is "In", and the values array contains only "value". The requirements are ANDed.
3473 type: object
3474 additionalProperties:
3475 type: string
3476 x-kubernetes-map-type: atomic
3477 namespaces:
3478 description: |-
3479 namespaces specifies a static list of namespace names that the term applies to.
3480 The term is applied to the union of the namespaces listed in this field
3481 and the ones selected by namespaceSelector.
3482 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3483 type: array
3484 items:
3485 type: string
3486 x-kubernetes-list-type: atomic
3487 topologyKey:
3488 description: |-
3489 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
3490 the labelSelector in the specified namespaces, where co-located is defined as running on a node
3491 whose value of the label with key topologyKey matches that of any node on which any of the
3492 selected pods is running.
3493 Empty topologyKey is not allowed.
3494 type: string
3495 weight:
3496 description: |-
3497 weight associated with matching the corresponding podAffinityTerm,
3498 in the range 1-100.
3499 type: integer
3500 format: int32
3501 x-kubernetes-list-type: atomic
3502 requiredDuringSchedulingIgnoredDuringExecution:
3503 description: |-
3504 If the affinity requirements specified by this field are not met at
3505 scheduling time, the pod will not be scheduled onto the node.
3506 If the affinity requirements specified by this field cease to be met
3507 at some point during pod execution (e.g. due to a pod label update), the
3508 system may or may not try to eventually evict the pod from its node.
3509 When there are multiple elements, the lists of nodes corresponding to each
3510 podAffinityTerm are intersected, i.e. all terms must be satisfied.
3511 type: array
3512 items:
3513 description: |-
3514 Defines a set of pods (namely those matching the labelSelector
3515 relative to the given namespace(s)) that this pod should be
3516 co-located (affinity) or not co-located (anti-affinity) with,
3517 where co-located is defined as running on a node whose value of
3518 the label with key <topologyKey> matches that of any node on which
3519 a pod of the set of pods is running
3520 type: object
3521 required:
3522 - topologyKey
3523 properties:
3524 labelSelector:
3525 description: |-
3526 A label query over a set of resources, in this case pods.
3527 If it's null, this PodAffinityTerm matches with no Pods.
3528 type: object
3529 properties:
3530 matchExpressions:
3531 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3532 type: array
3533 items:
3534 description: |-
3535 A label selector requirement is a selector that contains values, a key, and an operator that
3536 relates the key and values.
3537 type: object
3538 required:
3539 - key
3540 - operator
3541 properties:
3542 key:
3543 description: key is the label key that the selector applies to.
3544 type: string
3545 operator:
3546 description: |-
3547 operator represents a key's relationship to a set of values.
3548 Valid operators are In, NotIn, Exists and DoesNotExist.
3549 type: string
3550 values:
3551 description: |-
3552 values is an array of string values. If the operator is In or NotIn,
3553 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3554 the values array must be empty. This array is replaced during a strategic
3555 merge patch.
3556 type: array
3557 items:
3558 type: string
3559 x-kubernetes-list-type: atomic
3560 x-kubernetes-list-type: atomic
3561 matchLabels:
3562 description: |-
3563 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
3564 map is equivalent to an element of matchExpressions, whose key field is "key", the
3565 operator is "In", and the values array contains only "value". The requirements are ANDed.
3566 type: object
3567 additionalProperties:
3568 type: string
3569 x-kubernetes-map-type: atomic
3570 matchLabelKeys:
3571 description: |-
3572 MatchLabelKeys is a set of pod label keys to select which pods will
3573 be taken into consideration. The keys are used to look up values from the
3574 incoming pod labels; those key-value labels are merged with `labelSelector` as `key in (value)`
3575 to select the group of existing pods that will be taken into consideration
3576 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
3577 pod labels will be ignored. The default value is empty.
3578 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
3579 Also, matchLabelKeys cannot be set when labelSelector isn't set.
3580 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
3581 type: array
3582 items:
3583 type: string
3584 x-kubernetes-list-type: atomic
3585 mismatchLabelKeys:
3586 description: |-
3587 MismatchLabelKeys is a set of pod label keys to select which pods will
3588 be taken into consideration. The keys are used to look up values from the
3589 incoming pod labels; those key-value labels are merged with `labelSelector` as `key notin (value)`
3590 to select the group of existing pods that will be taken into consideration
3591 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
3592 pod labels will be ignored. The default value is empty.
3593 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
3594 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
3595 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
3596 type: array
3597 items:
3598 type: string
3599 x-kubernetes-list-type: atomic
3600 namespaceSelector:
3601 description: |-
3602 A label query over the set of namespaces that the term applies to.
3603 The term is applied to the union of the namespaces selected by this field
3604 and the ones listed in the namespaces field.
3605 null selector and null or empty namespaces list means "this pod's namespace".
3606 An empty selector ({}) matches all namespaces.
3607 type: object
3608 properties:
3609 matchExpressions:
3610 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3611 type: array
3612 items:
3613 description: |-
3614 A label selector requirement is a selector that contains values, a key, and an operator that
3615 relates the key and values.
3616 type: object
3617 required:
3618 - key
3619 - operator
3620 properties:
3621 key:
3622 description: key is the label key that the selector applies to.
3623 type: string
3624 operator:
3625 description: |-
3626 operator represents a key's relationship to a set of values.
3627 Valid operators are In, NotIn, Exists and DoesNotExist.
3628 type: string
3629 values:
3630 description: |-
3631 values is an array of string values. If the operator is In or NotIn,
3632 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3633 the values array must be empty. This array is replaced during a strategic
3634 merge patch.
3635 type: array
3636 items:
3637 type: string
3638 x-kubernetes-list-type: atomic
3639 x-kubernetes-list-type: atomic
3640 matchLabels:
3641 description: |-
3642 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
3643 map is equivalent to an element of matchExpressions, whose key field is "key", the
3644 operator is "In", and the values array contains only "value". The requirements are ANDed.
3645 type: object
3646 additionalProperties:
3647 type: string
3648 x-kubernetes-map-type: atomic
3649 namespaces:
3650 description: |-
3651 namespaces specifies a static list of namespace names that the term applies to.
3652 The term is applied to the union of the namespaces listed in this field
3653 and the ones selected by namespaceSelector.
3654 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3655 type: array
3656 items:
3657 type: string
3658 x-kubernetes-list-type: atomic
3659 topologyKey:
3660 description: |-
3661 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
3662 the labelSelector in the specified namespaces, where co-located is defined as running on a node
3663 whose value of the label with key topologyKey matches that of any node on which any of the
3664 selected pods is running.
3665 Empty topologyKey is not allowed.
3666 type: string
3667 x-kubernetes-list-type: atomic
3668 podAntiAffinity:
3669 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
3670 type: object
3671 properties:
3672 preferredDuringSchedulingIgnoredDuringExecution:
3673 description: |-
3674 The scheduler will prefer to schedule pods to nodes that satisfy
3675 the anti-affinity expressions specified by this field, but it may choose
3676 a node that violates one or more of the expressions. The node that is
3677 most preferred is the one with the greatest sum of weights, i.e.
3678 for each node that meets all of the scheduling requirements (resource
3679 request, requiredDuringScheduling anti-affinity expressions, etc.),
3680 compute a sum by iterating through the elements of this field and adding
3681 "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
3682 node(s) with the highest sum are the most preferred.
3683 type: array
3684 items:
3685 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
3686 type: object
3687 required:
3688 - podAffinityTerm
3689 - weight
3690 properties:
3691 podAffinityTerm:
3692 description: Required. A pod affinity term, associated with the corresponding weight.
3693 type: object
3694 required:
3695 - topologyKey
3696 properties:
3697 labelSelector:
3698 description: |-
3699 A label query over a set of resources, in this case pods.
3700 If it's null, this PodAffinityTerm matches with no Pods.
3701 type: object
3702 properties:
3703 matchExpressions:
3704 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3705 type: array
3706 items:
3707 description: |-
3708 A label selector requirement is a selector that contains values, a key, and an operator that
3709 relates the key and values.
3710 type: object
3711 required:
3712 - key
3713 - operator
3714 properties:
3715 key:
3716 description: key is the label key that the selector applies to.
3717 type: string
3718 operator:
3719 description: |-
3720 operator represents a key's relationship to a set of values.
3721 Valid operators are In, NotIn, Exists and DoesNotExist.
3722 type: string
3723 values:
3724 description: |-
3725 values is an array of string values. If the operator is In or NotIn,
3726 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3727 the values array must be empty. This array is replaced during a strategic
3728 merge patch.
3729 type: array
3730 items:
3731 type: string
3732 x-kubernetes-list-type: atomic
3733 x-kubernetes-list-type: atomic
3734 matchLabels:
3735 description: |-
3736 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
3737 map is equivalent to an element of matchExpressions, whose key field is "key", the
3738 operator is "In", and the values array contains only "value". The requirements are ANDed.
3739 type: object
3740 additionalProperties:
3741 type: string
3742 x-kubernetes-map-type: atomic
3743 matchLabelKeys:
3744 description: |-
3745 MatchLabelKeys is a set of pod label keys to select which pods will
3746 be taken into consideration. The keys are used to look up values from the
3747 incoming pod labels; those key-value labels are merged with `labelSelector` as `key in (value)`
3748 to select the group of existing pods that will be taken into consideration
3749 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
3750 pod labels will be ignored. The default value is empty.
3751 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
3752 Also, matchLabelKeys cannot be set when labelSelector isn't set.
3753 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
3754 type: array
3755 items:
3756 type: string
3757 x-kubernetes-list-type: atomic
3758 mismatchLabelKeys:
3759 description: |-
3760 MismatchLabelKeys is a set of pod label keys to select which pods will
3761 be taken into consideration. The keys are used to look up values from the
3762 incoming pod labels; those key-value labels are merged with `labelSelector` as `key notin (value)`
3763 to select the group of existing pods that will be taken into consideration
3764 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
3765 pod labels will be ignored. The default value is empty.
3766 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
3767 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
3768 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
3769 type: array
3770 items:
3771 type: string
3772 x-kubernetes-list-type: atomic
3773 namespaceSelector:
3774 description: |-
3775 A label query over the set of namespaces that the term applies to.
3776 The term is applied to the union of the namespaces selected by this field
3777 and the ones listed in the namespaces field.
3778 null selector and null or empty namespaces list means "this pod's namespace".
3779 An empty selector ({}) matches all namespaces.
3780 type: object
3781 properties:
3782 matchExpressions:
3783 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3784 type: array
3785 items:
3786 description: |-
3787 A label selector requirement is a selector that contains values, a key, and an operator that
3788 relates the key and values.
3789 type: object
3790 required:
3791 - key
3792 - operator
3793 properties:
3794 key:
3795 description: key is the label key that the selector applies to.
3796 type: string
3797 operator:
3798 description: |-
3799 operator represents a key's relationship to a set of values.
3800 Valid operators are In, NotIn, Exists and DoesNotExist.
3801 type: string
3802 values:
3803 description: |-
3804 values is an array of string values. If the operator is In or NotIn,
3805 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3806 the values array must be empty. This array is replaced during a strategic
3807 merge patch.
3808 type: array
3809 items:
3810 type: string
3811 x-kubernetes-list-type: atomic
3812 x-kubernetes-list-type: atomic
3813 matchLabels:
3814 description: |-
3815 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
3816 map is equivalent to an element of matchExpressions, whose key field is "key", the
3817 operator is "In", and the values array contains only "value". The requirements are ANDed.
3818 type: object
3819 additionalProperties:
3820 type: string
3821 x-kubernetes-map-type: atomic
3822 namespaces:
3823 description: |-
3824 namespaces specifies a static list of namespace names that the term applies to.
3825 The term is applied to the union of the namespaces listed in this field
3826 and the ones selected by namespaceSelector.
3827 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
3828 type: array
3829 items:
3830 type: string
3831 x-kubernetes-list-type: atomic
3832 topologyKey:
3833 description: |-
3834 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
3835 the labelSelector in the specified namespaces, where co-located is defined as running on a node
3836 whose value of the label with key topologyKey matches that of any node on which any of the
3837 selected pods is running.
3838 Empty topologyKey is not allowed.
3839 type: string
3840 weight:
3841 description: |-
3842 weight associated with matching the corresponding podAffinityTerm,
3843 in the range 1-100.
3844 type: integer
3845 format: int32
3846 x-kubernetes-list-type: atomic
3847 requiredDuringSchedulingIgnoredDuringExecution:
3848 description: |-
3849 If the anti-affinity requirements specified by this field are not met at
3850 scheduling time, the pod will not be scheduled onto the node.
3851 If the anti-affinity requirements specified by this field cease to be met
3852 at some point during pod execution (e.g. due to a pod label update), the
3853 system may or may not try to eventually evict the pod from its node.
3854 When there are multiple elements, the lists of nodes corresponding to each
3855 podAffinityTerm are intersected, i.e. all terms must be satisfied.
3856 type: array
3857 items:
3858 description: |-
3859 Defines a set of pods (namely those matching the labelSelector
3860 relative to the given namespace(s)) that this pod should be
3861 co-located (affinity) or not co-located (anti-affinity) with,
3862 where co-located is defined as running on a node whose value of
3863 the label with key <topologyKey> matches that of any node on which
3864 a pod of the set of pods is running
3865 type: object
3866 required:
3867 - topologyKey
3868 properties:
3869 labelSelector:
3870 description: |-
3871 A label query over a set of resources, in this case pods.
3872 If it's null, this PodAffinityTerm matches with no Pods.
3873 type: object
3874 properties:
3875 matchExpressions:
3876 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3877 type: array
3878 items:
3879 description: |-
3880 A label selector requirement is a selector that contains values, a key, and an operator that
3881 relates the key and values.
3882 type: object
3883 required:
3884 - key
3885 - operator
3886 properties:
3887 key:
3888 description: key is the label key that the selector applies to.
3889 type: string
3890 operator:
3891 description: |-
3892 operator represents a key's relationship to a set of values.
3893 Valid operators are In, NotIn, Exists and DoesNotExist.
3894 type: string
3895 values:
3896 description: |-
3897 values is an array of string values. If the operator is In or NotIn,
3898 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3899 the values array must be empty. This array is replaced during a strategic
3900 merge patch.
3901 type: array
3902 items:
3903 type: string
3904 x-kubernetes-list-type: atomic
3905 x-kubernetes-list-type: atomic
3906 matchLabels:
3907 description: |-
3908 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
3909 map is equivalent to an element of matchExpressions, whose key field is "key", the
3910 operator is "In", and the values array contains only "value". The requirements are ANDed.
3911 type: object
3912 additionalProperties:
3913 type: string
3914 x-kubernetes-map-type: atomic
3915 matchLabelKeys:
3916 description: |-
3917 MatchLabelKeys is a set of pod label keys to select which pods will
3918 be taken into consideration. The keys are used to look up values from the
3919 incoming pod labels; those key-value labels are merged with `labelSelector` as `key in (value)`
3920 to select the group of existing pods that will be taken into consideration
3921 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
3922 pod labels will be ignored. The default value is empty.
3923 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
3924 Also, matchLabelKeys cannot be set when labelSelector isn't set.
3925 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
3926 type: array
3927 items:
3928 type: string
3929 x-kubernetes-list-type: atomic
3930 mismatchLabelKeys:
3931 description: |-
3932 MismatchLabelKeys is a set of pod label keys to select which pods will
3933 be taken into consideration. The keys are used to look up values from the
3934 incoming pod labels; those key-value labels are merged with `labelSelector` as `key notin (value)`
3935 to select the group of existing pods that will be taken into consideration
3936 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
3937 pod labels will be ignored. The default value is empty.
3938 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
3939 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
3940 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
3941 type: array
3942 items:
3943 type: string
3944 x-kubernetes-list-type: atomic
3945 namespaceSelector:
3946 description: |-
3947 A label query over the set of namespaces that the term applies to.
3948 The term is applied to the union of the namespaces selected by this field
3949 and the ones listed in the namespaces field.
3950 null selector and null or empty namespaces list means "this pod's namespace".
3951 An empty selector ({}) matches all namespaces.
3952 type: object
3953 properties:
3954 matchExpressions:
3955 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
3956 type: array
3957 items:
3958 description: |-
3959 A label selector requirement is a selector that contains values, a key, and an operator that
3960 relates the key and values.
3961 type: object
3962 required:
3963 - key
3964 - operator
3965 properties:
3966 key:
3967 description: key is the label key that the selector applies to.
3968 type: string
3969 operator:
3970 description: |-
3971 operator represents a key's relationship to a set of values.
3972 Valid operators are In, NotIn, Exists and DoesNotExist.
3973 type: string
3974 values:
3975 description: |-
3976 values is an array of string values. If the operator is In or NotIn,
3977 the values array must be non-empty. If the operator is Exists or DoesNotExist,
3978 the values array must be empty. This array is replaced during a strategic
3979 merge patch.
3980 type: array
3981 items:
3982 type: string
3983 x-kubernetes-list-type: atomic
3984 x-kubernetes-list-type: atomic
3985 matchLabels:
3986 description: |-
3987 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
3988 map is equivalent to an element of matchExpressions, whose key field is "key", the
3989 operator is "In", and the values array contains only "value". The requirements are ANDed.
3990 type: object
3991 additionalProperties:
3992 type: string
3993 x-kubernetes-map-type: atomic
3994 namespaces:
3995 description: |-
3996 namespaces specifies a static list of namespace names that the term applies to.
3997 The term is applied to the union of the namespaces listed in this field
3998 and the ones selected by namespaceSelector.
3999 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
4000 type: array
4001 items:
4002 type: string
4003 x-kubernetes-list-type: atomic
4004 topologyKey:
4005 description: |-
4006 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
4007 the labelSelector in the specified namespaces, where co-located is defined as running on a node
4008 whose value of the label with key topologyKey matches that of any node on which any of the
4009 selected pods is running.
4010 Empty topologyKey is not allowed.
4011 type: string
4012 x-kubernetes-list-type: atomic
4013 imagePullSecrets:
4014 description: If specified, the pod's imagePullSecrets.
4015 type: array
4016 items:
4017 description: |-
4018 LocalObjectReference contains enough information to let you locate the
4019 referenced object inside the same namespace.
4020 type: object
4021 properties:
4022 name:
4023 description: |-
4024 Name of the referent.
4025 This field is effectively required, but due to backwards compatibility is
4026 allowed to be empty. Instances of this type with an empty value here are
4027 almost certainly wrong.
4028 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4029 type: string
4030 default: ""
4031 x-kubernetes-map-type: atomic
4032 nodeSelector:
4033 description: |-
4034 NodeSelector is a selector which must be true for the pod to fit on a node.
4035 Selector which must match a node's labels for the pod to be scheduled on that node.
4036 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
4037 type: object
4038 additionalProperties:
4039 type: string
4040 priorityClassName:
4041 description: If specified, the pod's priorityClassName.
4042 type: string
4043 securityContext:
4044 description: If specified, the pod's security context.
4045 type: object
4046 properties:
4047 fsGroup:
4048 description: |-
4049 A special supplemental group that applies to all containers in a pod.
4050 Some volume types allow the Kubelet to change the ownership of that volume
4051 to be owned by the pod:
4052
4053 1. The owning GID will be the FSGroup
4054 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
4055 3. The permission bits are OR'd with rw-rw----
4056
4057 If unset, the Kubelet will not modify the ownership and permissions of any volume.
4058 Note that this field cannot be set when spec.os.name is windows.
4059 type: integer
4060 format: int64
4061 fsGroupChangePolicy:
4062 description: |-
4063 fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
4064 before being exposed inside Pod. This field will only apply to
4065 volume types which support fsGroup-based ownership (and permissions).
4066 It will have no effect on ephemeral volume types such as: secret, configmaps
4067 and emptydir.
4068 Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
4069 Note that this field cannot be set when spec.os.name is windows.
4070 type: string
4071 runAsGroup:
4072 description: |-
4073 The GID to run the entrypoint of the container process.
4074 Uses runtime default if unset.
4075 May also be set in SecurityContext. If set in both SecurityContext and
4076 PodSecurityContext, the value specified in SecurityContext takes precedence
4077 for that container.
4078 Note that this field cannot be set when spec.os.name is windows.
4079 type: integer
4080 format: int64
4081 runAsNonRoot:
4082 description: |-
4083 Indicates that the container must run as a non-root user.
4084 If true, the Kubelet will validate the image at runtime to ensure that it
4085 does not run as UID 0 (root) and fail to start the container if it does.
4086 If unset or false, no such validation will be performed.
4087 May also be set in SecurityContext. If set in both SecurityContext and
4088 PodSecurityContext, the value specified in SecurityContext takes precedence.
4089 type: boolean
4090 runAsUser:
4091 description: |-
4092 The UID to run the entrypoint of the container process.
4093 Defaults to user specified in image metadata if unspecified.
4094 May also be set in SecurityContext. If set in both SecurityContext and
4095 PodSecurityContext, the value specified in SecurityContext takes precedence
4096 for that container.
4097 Note that this field cannot be set when spec.os.name is windows.
4098 type: integer
4099 format: int64
4100 seLinuxOptions:
4101 description: |-
4102 The SELinux context to be applied to all containers.
4103 If unspecified, the container runtime will allocate a random SELinux context for each
4104 container. May also be set in SecurityContext. If set in
4105 both SecurityContext and PodSecurityContext, the value specified in SecurityContext
4106 takes precedence for that container.
4107 Note that this field cannot be set when spec.os.name is windows.
4108 type: object
4109 properties:
4110 level:
4111 description: Level is SELinux level label that applies to the container.
4112 type: string
4113 role:
4114 description: Role is a SELinux role label that applies to the container.
4115 type: string
4116 type:
4117 description: Type is a SELinux type label that applies to the container.
4118 type: string
4119 user:
4120 description: User is a SELinux user label that applies to the container.
4121 type: string
4122 seccompProfile:
4123 description: |-
4124 The seccomp options to use by the containers in this pod.
4125 Note that this field cannot be set when spec.os.name is windows.
4126 type: object
4127 required:
4128 - type
4129 properties:
4130 localhostProfile:
4131 description: |-
4132 localhostProfile indicates a profile defined in a file on the node should be used.
4133 The profile must be preconfigured on the node to work.
4134 Must be a descending path, relative to the kubelet's configured seccomp profile location.
4135 Must be set if type is "Localhost". Must NOT be set for any other type.
4136 type: string
4137 type:
4138 description: |-
4139 type indicates which kind of seccomp profile will be applied.
4140 Valid options are:
4141
4142 Localhost - a profile defined in a file on the node should be used.
4143 RuntimeDefault - the container runtime default profile should be used.
4144 Unconfined - no profile should be applied.
4145 type: string
4146 supplementalGroups:
4147 description: |-
4148 A list of groups applied to the first process run in each container, in addition
4149 to the container's primary GID, the fsGroup (if specified), and group memberships
4150 defined in the container image for the uid of the container process. If unspecified,
4151 no additional groups are added to any container. Note that group memberships
4152 defined in the container image for the uid of the container process are still effective,
4153 even if they are not included in this list.
4154 Note that this field cannot be set when spec.os.name is windows.
4155 type: array
4156 items:
4157 type: integer
4158 format: int64
4159 sysctls:
4160 description: |-
4161 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
4162 sysctls (by the container runtime) might fail to launch.
4163 Note that this field cannot be set when spec.os.name is windows.
4164 type: array
4165 items:
4166 description: Sysctl defines a kernel parameter to be set
4167 type: object
4168 required:
4169 - name
4170 - value
4171 properties:
4172 name:
4173 description: Name of a property to set
4174 type: string
4175 value:
4176 description: Value of a property to set
4177 type: string
4178 serviceAccountName:
4179 description: If specified, the pod's service account
4180 type: string
4181 tolerations:
4182 description: If specified, the pod's tolerations.
4183 type: array
4184 items:
4185 description: |-
4186 The pod this Toleration is attached to tolerates any taint that matches
4187 the triple <key,value,effect> using the matching operator <operator>.
4188 type: object
4189 properties:
4190 effect:
4191 description: |-
4192 Effect indicates the taint effect to match. Empty means match all taint effects.
4193 When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
4194 type: string
4195 key:
4196 description: |-
4197 Key is the taint key that the toleration applies to. Empty means match all taint keys.
4198 If the key is empty, operator must be Exists; this combination means to match all values and all keys.
4199 type: string
4200 operator:
4201 description: |-
4202 Operator represents a key's relationship to the value.
4203 Valid operators are Exists and Equal. Defaults to Equal.
4204 Exists is equivalent to wildcard for value, so that a pod can
4205 tolerate all taints of a particular category.
4206 type: string
4207 tolerationSeconds:
4208 description: |-
4209 TolerationSeconds represents the period of time the toleration (which must be
4210 of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
4211 it is not set, which means tolerate the taint forever (do not evict). Zero and
4212 negative values will be treated as 0 (evict immediately) by the system.
4213 type: integer
4214 format: int64
4215 value:
4216 description: |-
4217 Value is the taint value the toleration matches to.
4218 If the operator is Exists, the value should be empty, otherwise just a regular string.
4219 type: string
4220 serviceType:
4221 description: |-
4222 Optional service type for Kubernetes solver service. Supported values
4223 are NodePort or ClusterIP. If unset, defaults to NodePort.
4224 type: string
4225 selector:
4226 description: |-
4227 Selector selects a set of DNSNames on the Certificate resource that
4228 should be solved using this challenge solver.
4229 If not specified, the solver will be treated as the 'default' solver
4230 with the lowest priority, i.e. if any other solver has a more specific
4231 match, it will be used instead.
4232 type: object
4233 properties:
4234 dnsNames:
4235 description: |-
4236 List of DNSNames that this solver will be used to solve.
4237 If specified and a match is found, a dnsNames selector will take
4238 precedence over a dnsZones selector.
4239 If multiple solvers match with the same dnsNames value, the solver
4240 with the most matching labels in matchLabels will be selected.
4241 If neither has more matches, the solver defined earlier in the list
4242 will be selected.
4243 type: array
4244 items:
4245 type: string
4246 dnsZones:
4247 description: |-
4248 List of DNSZones that this solver will be used to solve.
4249 The most specific DNS zone match specified here will take precedence
4250 over other DNS zone matches, so a solver specifying sys.example.com
4251 will be selected over one specifying example.com for the domain
4252 www.sys.example.com.
4253 If multiple solvers match with the same dnsZones value, the solver
4254 with the most matching labels in matchLabels will be selected.
4255 If neither has more matches, the solver defined earlier in the list
4256 will be selected.
4257 type: array
4258 items:
4259 type: string
4260 matchLabels:
4261 description: |-
4262 A label selector that is used to refine the set of certificates that
4263 this challenge solver will apply to.
4264 type: object
4265 additionalProperties:
4266 type: string
4267 token:
4268 description: |-
4269 The ACME challenge token for this challenge.
4270 This is the raw value returned from the ACME server.
4271 type: string
4272 type:
4273 description: |-
4274 The type of ACME challenge this resource represents.
4275 One of "HTTP-01" or "DNS-01".
4276 type: string
4277 enum:
4278 - HTTP-01
4279 - DNS-01
4280 url:
4281 description: |-
4282 The URL of the ACME Challenge resource for this challenge.
4283 This can be used to lookup details about the status of this challenge.
4284 type: string
4285 wildcard:
4286 description: |-
4287 wildcard will be true if this challenge is for a wildcard identifier,
4288 for example '*.example.com'.
4289 type: boolean
4290 status:
4291 type: object
4292 properties:
4293 presented:
4294 description: |-
4295 presented will be set to true if the challenge values for this challenge
4296 are currently 'presented'.
4297 This *does not* imply the self check is passing. Only that the values
4298 have been 'submitted' for the appropriate challenge mechanism (i.e. the
4299 DNS01 TXT record has been presented, or the HTTP01 configuration has been
4300 configured).
4301 type: boolean
4302 processing:
4303 description: |-
4304 Used to denote whether this challenge should be processed or not.
4305 This field will only be set to true by the 'scheduling' component.
4306 It will only be set to false by the 'challenges' controller, after the
4307 challenge has reached a final state or timed out.
4308 If this field is set to false, the challenge controller will not take
4309 any more action.
4310 type: boolean
4311 reason:
4312 description: |-
4313 Contains human readable information on why the Challenge is in the
4314 current state.
4315 type: string
4316 state:
4317 description: |-
4318 Contains the current 'state' of the challenge.
4319 If not set, the state of the challenge is unknown.
4320 type: string
4321 enum:
4322 - valid
4323 - ready
4324 - pending
4325 - processing
4326 - invalid
4327 - expired
4328 - errored
4329 served: true
4330 storage: true
4331 subresources:
4332 status: {}
4333
4334# END crd
4335---
4336# Source: cert-manager/templates/crds.yaml
4337# START crd
4338apiVersion: apiextensions.k8s.io/v1
4339kind: CustomResourceDefinition
4340metadata:
4341 name: clusterissuers.cert-manager.io
4342 # START annotations
4343 annotations:
4344 helm.sh/resource-policy: keep
4345 # END annotations
4346 labels:
4347 app: 'cert-manager'
4348 app.kubernetes.io/name: 'cert-manager'
4349 app.kubernetes.io/instance: 'cert-manager'
4350 # Generated labels
4351 app.kubernetes.io/version: "v1.17.0"
4352spec:
4353 group: cert-manager.io
4354 names:
4355 kind: ClusterIssuer
4356 listKind: ClusterIssuerList
4357 plural: clusterissuers
4358 singular: clusterissuer
4359 categories:
4360 - cert-manager
4361 scope: Cluster
4362 versions:
4363 - name: v1
4364 subresources:
4365 status: {}
4366 additionalPrinterColumns:
4367 - jsonPath: .status.conditions[?(@.type=="Ready")].status
4368 name: Ready
4369 type: string
4370 - jsonPath: .status.conditions[?(@.type=="Ready")].message
4371 name: Status
4372 priority: 1
4373 type: string
4374 - jsonPath: .metadata.creationTimestamp
4375 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
4376 name: Age
4377 type: date
4378 schema:
4379 openAPIV3Schema:
4380 description: |-
4381 A ClusterIssuer represents a certificate issuing authority which can be
4382 referenced as part of `issuerRef` fields.
4383 It is similar to an Issuer, however it is cluster-scoped and therefore can
4384 be referenced by resources that exist in *any* namespace, not just the same
4385 namespace as the referent.
4386 type: object
4387 required:
4388 - spec
4389 properties:
4390 apiVersion:
4391 description: |-
4392 APIVersion defines the versioned schema of this representation of an object.
4393 Servers should convert recognized schemas to the latest internal value, and
4394 may reject unrecognized values.
4395 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
4396 type: string
4397 kind:
4398 description: |-
4399 Kind is a string value representing the REST resource this object represents.
4400 Servers may infer this from the endpoint the client submits requests to.
4401 Cannot be updated.
4402 In CamelCase.
4403 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
4404 type: string
4405 metadata:
4406 type: object
4407 spec:
4408 description: Desired state of the ClusterIssuer resource.
4409 type: object
4410 properties:
4411 acme:
4412 description: |-
4413 ACME configures this issuer to communicate with a RFC8555 (ACME) server
4414 to obtain signed x509 certificates.
4415 type: object
4416 required:
4417 - privateKeySecretRef
4418 - server
4419 properties:
4420 caBundle:
4421 description: |-
4422 Base64-encoded bundle of PEM CAs which can be used to validate the certificate
4423 chain presented by the ACME server.
4424 Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
4425 kinds of security vulnerabilities.
4426 If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
4427 the container is used to validate the TLS connection.
4428 type: string
4429 format: byte
4430 disableAccountKeyGeneration:
4431 description: |-
4432 Enables or disables generating a new ACME account key.
4433 If true, the Issuer resource will *not* request a new account but will expect
4434 the account key to be supplied via an existing secret.
4435 If false, the cert-manager system will generate a new ACME account key
4436 for the Issuer.
4437 Defaults to false.
4438 type: boolean
4439 email:
4440 description: |-
4441 Email is the email address to be associated with the ACME account.
4442 This field is optional, but it is strongly recommended to be set.
4443 It will be used to contact you in case of issues with your account or
4444 certificates, including expiry notification emails.
4445 This field may be updated after the account is initially registered.
4446 type: string
4447 enableDurationFeature:
4448 description: |-
4449 Enables requesting a Not After date on certificates that matches the
4450 duration of the certificate. This is not supported by all ACME servers
4451 like Let's Encrypt. If set to true when the ACME server does not support
4452 it, it will create an error on the Order.
4453 Defaults to false.
4454 type: boolean
4455 externalAccountBinding:
4456 description: |-
4457 ExternalAccountBinding is a reference to a CA external account of the ACME
4458 server.
4459 If set, upon registration cert-manager will attempt to associate the given
4460 external account credentials with the registered ACME account.
4461 type: object
4462 required:
4463 - keyID
4464 - keySecretRef
4465 properties:
4466 keyAlgorithm:
4467 description: |-
4468 Deprecated: keyAlgorithm field exists for historical compatibility
4469 reasons and should not be used. The algorithm is now hardcoded to HS256
4470 in golang/x/crypto/acme.
4471 type: string
4472 enum:
4473 - HS256
4474 - HS384
4475 - HS512
4476 keyID:
4477 description: keyID is the ID of the CA key that the External Account is bound to.
4478 type: string
4479 keySecretRef:
4480 description: |-
4481 keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
4482 Secret which holds the symmetric MAC key of the External Account Binding.
4483 The `key` is the index string that is paired with the key data in the
4484 Secret and should not be confused with the key data itself, or indeed with
4485 the External Account Binding keyID above.
4486 The secret key stored in the Secret **must** be un-padded, base64 URL
4487 encoded data.
4488 type: object
4489 required:
4490 - name
4491 properties:
4492 key:
4493 description: |-
4494 The key of the entry in the Secret resource's `data` field to be used.
4495 Some instances of this field may be defaulted, in others it may be
4496 required.
4497 type: string
4498 name:
4499 description: |-
4500 Name of the resource being referred to.
4501 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4502 type: string
4503 preferredChain:
4504 description: |-
4505 PreferredChain is the chain to use if the ACME server outputs multiple.
4506 PreferredChain is no guarantee that this one gets delivered by the ACME
4507 endpoint.
4508 For example, for Let's Encrypt's DST cross-sign you would use:
4509 "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
4510 This value picks the first certificate bundle in the combined set of
4511 ACME default and alternative chains that has a root-most certificate with
4512 this value as its issuer's commonname.
4513 type: string
4514 maxLength: 64
4515 privateKeySecretRef:
4516 description: |-
4517 PrivateKey is the name of a Kubernetes Secret resource that will be used to
4518 store the automatically generated ACME account private key.
4519 Optionally, a `key` may be specified to select a specific entry within
4520 the named Secret resource.
4521 If `key` is not specified, a default of `tls.key` will be used.
4522 type: object
4523 required:
4524 - name
4525 properties:
4526 key:
4527 description: |-
4528 The key of the entry in the Secret resource's `data` field to be used.
4529 Some instances of this field may be defaulted, in others it may be
4530 required.
4531 type: string
4532 name:
4533 description: |-
4534 Name of the resource being referred to.
4535 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4536 type: string
4537 server:
4538 description: |-
4539 Server is the URL used to access the ACME server's 'directory' endpoint.
4540 For example, for Let's Encrypt's staging endpoint, you would use:
4541 "https://acme-staging-v02.api.letsencrypt.org/directory".
4542 Only ACME v2 endpoints (i.e. RFC 8555) are supported.
4543 type: string
4544 skipTLSVerify:
4545 description: |-
4546 INSECURE: Enables or disables validation of the ACME server TLS certificate.
4547 If true, requests to the ACME server will not have the TLS certificate chain
4548 validated.
4549 Mutually exclusive with CABundle; prefer using CABundle to prevent various
4550 kinds of security vulnerabilities.
4551 Only enable this option in development environments.
4552 If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
4553 the container is used to validate the TLS connection.
4554 Defaults to false.
4555 type: boolean
4556 solvers:
4557 description: |-
4558 Solvers is a list of challenge solvers that will be used to solve
4559 ACME challenges for the matching domains.
4560 Solver configurations must be provided in order to obtain certificates
4561 from an ACME server.
4562 For more information, see: https://cert-manager.io/docs/configuration/acme/
4563 type: array
4564 items:
4565 description: |-
4566 An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
4567 A selector may be provided to use different solving strategies for different DNS names.
4568 Only one of HTTP01 or DNS01 must be provided.
4569 type: object
4570 properties:
4571 dns01:
4572 description: |-
4573 Configures cert-manager to attempt to complete authorizations by
4574 performing the DNS01 challenge flow.
4575 type: object
4576 properties:
4577 acmeDNS:
4578 description: |-
4579 Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
4580 DNS01 challenge records.
4581 type: object
4582 required:
4583 - accountSecretRef
4584 - host
4585 properties:
4586 accountSecretRef:
4587 description: |-
4588 A reference to a specific 'key' within a Secret resource.
4589 In some instances, `key` is a required field.
4590 type: object
4591 required:
4592 - name
4593 properties:
4594 key:
4595 description: |-
4596 The key of the entry in the Secret resource's `data` field to be used.
4597 Some instances of this field may be defaulted, in others it may be
4598 required.
4599 type: string
4600 name:
4601 description: |-
4602 Name of the resource being referred to.
4603 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4604 type: string
4605 host:
4606 type: string
4607 akamai:
4608 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
4609 type: object
4610 required:
4611 - accessTokenSecretRef
4612 - clientSecretSecretRef
4613 - clientTokenSecretRef
4614 - serviceConsumerDomain
4615 properties:
4616 accessTokenSecretRef:
4617 description: |-
4618 A reference to a specific 'key' within a Secret resource.
4619 In some instances, `key` is a required field.
4620 type: object
4621 required:
4622 - name
4623 properties:
4624 key:
4625 description: |-
4626 The key of the entry in the Secret resource's `data` field to be used.
4627 Some instances of this field may be defaulted, in others it may be
4628 required.
4629 type: string
4630 name:
4631 description: |-
4632 Name of the resource being referred to.
4633 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4634 type: string
4635 clientSecretSecretRef:
4636 description: |-
4637 A reference to a specific 'key' within a Secret resource.
4638 In some instances, `key` is a required field.
4639 type: object
4640 required:
4641 - name
4642 properties:
4643 key:
4644 description: |-
4645 The key of the entry in the Secret resource's `data` field to be used.
4646 Some instances of this field may be defaulted, in others it may be
4647 required.
4648 type: string
4649 name:
4650 description: |-
4651 Name of the resource being referred to.
4652 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4653 type: string
4654 clientTokenSecretRef:
4655 description: |-
4656 A reference to a specific 'key' within a Secret resource.
4657 In some instances, `key` is a required field.
4658 type: object
4659 required:
4660 - name
4661 properties:
4662 key:
4663 description: |-
4664 The key of the entry in the Secret resource's `data` field to be used.
4665 Some instances of this field may be defaulted, in others it may be
4666 required.
4667 type: string
4668 name:
4669 description: |-
4670 Name of the resource being referred to.
4671 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4672 type: string
4673 serviceConsumerDomain:
4674 type: string
4675 azureDNS:
4676 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
4677 type: object
4678 required:
4679 - resourceGroupName
4680 - subscriptionID
4681 properties:
4682 clientID:
4683 description: |-
4684 Auth: Azure Service Principal:
4685 The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
4686 If set, ClientSecret and TenantID must also be set.
4687 type: string
4688 clientSecretSecretRef:
4689 description: |-
4690 Auth: Azure Service Principal:
4691 A reference to a Secret containing the password associated with the Service Principal.
4692 If set, ClientID and TenantID must also be set.
4693 type: object
4694 required:
4695 - name
4696 properties:
4697 key:
4698 description: |-
4699 The key of the entry in the Secret resource's `data` field to be used.
4700 Some instances of this field may be defaulted, in others it may be
4701 required.
4702 type: string
4703 name:
4704 description: |-
4705 Name of the resource being referred to.
4706 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4707 type: string
4708 environment:
4709 description: name of the Azure environment (default AzurePublicCloud)
4710 type: string
4711 enum:
4712 - AzurePublicCloud
4713 - AzureChinaCloud
4714 - AzureGermanCloud
4715 - AzureUSGovernmentCloud
4716 hostedZoneName:
4717 description: name of the DNS zone that should be used
4718 type: string
4719 managedIdentity:
4720 description: |-
4721 Auth: Azure Workload Identity or Azure Managed Service Identity:
4722 Settings to enable Azure Workload Identity or Azure Managed Service Identity
4723 If set, ClientID, ClientSecret and TenantID must not be set.
4724 type: object
4725 properties:
4726 clientID:
4727 description: client ID of the managed identity, cannot be used at the same time as resourceID
4728 type: string
4729 resourceID:
4730 description: |-
4731 resource ID of the managed identity, cannot be used at the same time as clientID
4732 Cannot be used for Azure Managed Service Identity
4733 type: string
4734 tenantID:
4735 description: tenant ID of the managed identity, cannot be used at the same time as resourceID
4736 type: string
4737 resourceGroupName:
4738 description: resource group the DNS zone is located in
4739 type: string
4740 subscriptionID:
4741 description: ID of the Azure subscription
4742 type: string
4743 tenantID:
4744 description: |-
4745 Auth: Azure Service Principal:
4746 The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
4747 If set, ClientID and ClientSecret must also be set.
4748 type: string
4749 cloudDNS:
4750 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
4751 type: object
4752 required:
4753 - project
4754 properties:
4755 hostedZoneName:
4756 description: |-
4757 HostedZoneName is an optional field that tells cert-manager in which
4758 Cloud DNS zone the challenge record has to be created.
4759 If left empty cert-manager will automatically choose a zone.
4760 type: string
4761 project:
4762 type: string
4763 serviceAccountSecretRef:
4764 description: |-
4765 A reference to a specific 'key' within a Secret resource.
4766 In some instances, `key` is a required field.
4767 type: object
4768 required:
4769 - name
4770 properties:
4771 key:
4772 description: |-
4773 The key of the entry in the Secret resource's `data` field to be used.
4774 Some instances of this field may be defaulted, in others it may be
4775 required.
4776 type: string
4777 name:
4778 description: |-
4779 Name of the resource being referred to.
4780 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4781 type: string
4782 cloudflare:
4783 description: Use the Cloudflare API to manage DNS01 challenge records.
4784 type: object
4785 properties:
4786 apiKeySecretRef:
4787 description: |-
4788 API key to use to authenticate with Cloudflare.
4789 Note: using an API token to authenticate is now the recommended method
4790 as it allows greater control of permissions.
4791 type: object
4792 required:
4793 - name
4794 properties:
4795 key:
4796 description: |-
4797 The key of the entry in the Secret resource's `data` field to be used.
4798 Some instances of this field may be defaulted, in others it may be
4799 required.
4800 type: string
4801 name:
4802 description: |-
4803 Name of the resource being referred to.
4804 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4805 type: string
4806 apiTokenSecretRef:
4807 description: API token used to authenticate with Cloudflare.
4808 type: object
4809 required:
4810 - name
4811 properties:
4812 key:
4813 description: |-
4814 The key of the entry in the Secret resource's `data` field to be used.
4815 Some instances of this field may be defaulted, in others it may be
4816 required.
4817 type: string
4818 name:
4819 description: |-
4820 Name of the resource being referred to.
4821 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4822 type: string
4823 email:
4824 description: Email of the account, only required when using API key based authentication.
4825 type: string
4826 cnameStrategy:
4827 description: |-
4828 CNAMEStrategy configures how the DNS01 provider should handle CNAME
4829 records when found in DNS zones.
4830 type: string
4831 enum:
4832 - None
4833 - Follow
4834 digitalocean:
4835 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
4836 type: object
4837 required:
4838 - tokenSecretRef
4839 properties:
4840 tokenSecretRef:
4841 description: |-
4842 A reference to a specific 'key' within a Secret resource.
4843 In some instances, `key` is a required field.
4844 type: object
4845 required:
4846 - name
4847 properties:
4848 key:
4849 description: |-
4850 The key of the entry in the Secret resource's `data` field to be used.
4851 Some instances of this field may be defaulted, in others it may be
4852 required.
4853 type: string
4854 name:
4855 description: |-
4856 Name of the resource being referred to.
4857 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4858 type: string
4859 rfc2136:
4860 description: |-
4861 Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
4862 to manage DNS01 challenge records.
4863 type: object
4864 required:
4865 - nameserver
4866 properties:
4867 nameserver:
4868 description: |-
4869 The IP address or hostname of an authoritative DNS server supporting
4870 RFC2136 in the form host:port. If the host is an IPv6 address it must be
4871 enclosed in square brackets (e.g. [2001:db8::1]); port is optional.
4872 This field is required.
4873 type: string
4874 tsigAlgorithm:
4875 description: |-
4876 The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
4877 when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
4878 Supported values are (case-insensitive): ``HMACMD5`` (default),
4879 ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
4880 type: string
4881 tsigKeyName:
4882 description: |-
4883 The TSIG Key name configured in the DNS.
4884 If ``tsigSecretSecretRef`` is defined, this field is required.
4885 type: string
4886 tsigSecretSecretRef:
4887 description: |-
4888 The name of the secret containing the TSIG value.
4889 If ``tsigKeyName`` is defined, this field is required.
4890 type: object
4891 required:
4892 - name
4893 properties:
4894 key:
4895 description: |-
4896 The key of the entry in the Secret resource's `data` field to be used.
4897 Some instances of this field may be defaulted, in others it may be
4898 required.
4899 type: string
4900 name:
4901 description: |-
4902 Name of the resource being referred to.
4903 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4904 type: string
4905 route53:
4906 description: Use the AWS Route53 API to manage DNS01 challenge records.
4907 type: object
4908 properties:
4909 accessKeyID:
4910 description: |-
4911 The AccessKeyID is used for authentication.
4912 Cannot be set when accessKeyIDSecretRef is set.
4913 If neither the Access Key nor Key ID are set, we fall back to using env
4914 vars, shared credentials file or AWS Instance metadata,
4915 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
4916 type: string
4917 accessKeyIDSecretRef:
4918 description: |-
4919 The access key ID is used for authentication. If set, pull the AWS
4920 access key ID from a key within a Kubernetes Secret.
4921 Cannot be set when accessKeyID is set.
4922 If neither the Access Key nor Key ID are set, we fall back to using env
4923 vars, shared credentials file or AWS Instance metadata,
4924 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
4925 type: object
4926 required:
4927 - name
4928 properties:
4929 key:
4930 description: |-
4931 The key of the entry in the Secret resource's `data` field to be used.
4932 Some instances of this field may be defaulted, in others it may be
4933 required.
4934 type: string
4935 name:
4936 description: |-
4937 Name of the resource being referred to.
4938 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4939 type: string
4940 auth:
4941 description: Auth configures how cert-manager authenticates.
4942 type: object
4943 required:
4944 - kubernetes
4945 properties:
4946 kubernetes:
4947 description: |-
4948 Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
4949 by passing a bound ServiceAccount token.
4950 type: object
4951 required:
4952 - serviceAccountRef
4953 properties:
4954 serviceAccountRef:
4955 description: |-
4956 A reference to a service account that will be used to request a bound
4957 token (also known as "projected token"). To use this field, you must
4958 configure an RBAC rule to let cert-manager request a token.
4959 type: object
4960 required:
4961 - name
4962 properties:
4963 audiences:
4964 description: |-
4965 TokenAudiences is an optional list of audiences to include in the
4966 token passed to AWS. The default token consisting of the issuer's namespace
4967 and name is always included.
4968 If unset, the audience defaults to `sts.amazonaws.com`.
4969 type: array
4970 items:
4971 type: string
4972 name:
4973 description: Name of the ServiceAccount used to request a token.
4974 type: string
4975 hostedZoneID:
4976 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
4977 type: string
4978 region:
4979 description: |-
4980 Override the AWS region.
4981
4982 Route53 is a global service and does not have regional endpoints but the
4983 region specified here (or via environment variables) is used as a hint to
4984 help compute the correct AWS credential scope and partition when it
4985 connects to Route53. See:
4986 - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
4987 - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
4988
4989 If you omit this region field, cert-manager will use the region from
4990 AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
4991 in the cert-manager controller Pod.
4992
4993 The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
4994 Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
4995 [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
4996 In this case this `region` field value is ignored.
4997
4998 The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
4999 Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
5000 [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
5001 In this case this `region` field value is ignored.
5002 type: string
5003 role:
5004 description: |-
5005 Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
5006 or the inferred credentials from environment variables, the shared credentials file or AWS Instance metadata.
5007 type: string
5008 secretAccessKeySecretRef:
5009 description: |-
5010 The SecretAccessKey is used for authentication.
5011 If neither the Access Key nor the Key ID is set, we fall back to using env
5012 vars, the shared credentials file or AWS Instance metadata,
5013 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
5014 type: object
5015 required:
5016 - name
5017 properties:
5018 key:
5019 description: |-
5020 The key of the entry in the Secret resource's `data` field to be used.
5021 Some instances of this field may be defaulted, in others it may be
5022 required.
5023 type: string
5024 name:
5025 description: |-
5026 Name of the resource being referred to.
5027 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
5028 type: string
5029 webhook:
5030 description: |-
5031 Configure an external webhook based DNS01 challenge solver to manage
5032 DNS01 challenge records.
5033 type: object
5034 required:
5035 - groupName
5036 - solverName
5037 properties:
5038 config:
5039 description: |-
5040 Additional configuration that should be passed to the webhook apiserver
5041 when challenges are processed.
5042 This can contain arbitrary JSON data.
5043 Secret values should not be specified in this stanza.
5044 If secret values are needed (e.g. credentials for a DNS service), you
5045 should use a SecretKeySelector to reference a Secret resource.
5046 For details on the schema of this field, consult the webhook provider
5047 implementation's documentation.
5048 x-kubernetes-preserve-unknown-fields: true
5049 groupName:
5050 description: |-
5051 The API group name that should be used when POSTing ChallengePayload
5052 resources to the webhook apiserver.
5053 This should be the same as the GroupName specified in the webhook
5054 provider implementation.
5055 type: string
5056 solverName:
5057 description: |-
5058 The name of the solver to use, as defined in the webhook provider
5059 implementation.
5060 This will typically be the name of the provider, e.g. 'cloudflare'.
5061 type: string
5062 http01:
5063 description: |-
5064 Configures cert-manager to attempt to complete authorizations by
5065 performing the HTTP01 challenge flow.
5066 It is not possible to obtain certificates for wildcard domain names
5067 (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
5068 type: object
5069 properties:
5070 gatewayHTTPRoute:
5071 description: |-
5072 The Gateway API is a sig-network community API that models service networking
5073 in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
5074 create HTTPRoutes with the specified labels in the same namespace as the challenge.
5075 This solver is experimental, and fields / behaviour may change in the future.
5076 type: object
5077 properties:
5078 labels:
5079 description: |-
5080 Custom labels that will be applied to HTTPRoutes created by cert-manager
5081 while solving HTTP-01 challenges.
5082 type: object
5083 additionalProperties:
5084 type: string
5085 parentRefs:
5086 description: |-
5087 When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
5088 cert-manager needs to know which parentRefs should be used when creating
5089 the HTTPRoute. Usually, the parentRef references a Gateway. See:
5090 https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
5091 type: array
5092 items:
5093 description: |-
5094 ParentReference identifies an API object (usually a Gateway) that can be considered
5095 a parent of this resource (usually a route). There are two kinds of parent resources
5096 with "Core" support:
5097
5098 * Gateway (Gateway conformance profile)
5099 * Service (Mesh conformance profile, ClusterIP Services only)
5100
5101 This API may be extended in the future to support additional kinds of parent
5102 resources.
5103
5104 The API object must be valid in the cluster; the Group and Kind must
5105 be registered in the cluster for this reference to be valid.
5106 type: object
5107 required:
5108 - name
5109 properties:
5110 group:
5111 description: |-
5112 Group is the group of the referent.
5113 When unspecified, "gateway.networking.k8s.io" is inferred.
5114 To set the core API group (such as for a "Service" kind referent),
5115 Group must be explicitly set to "" (empty string).
5116
5117 Support: Core
5118 type: string
5119 default: gateway.networking.k8s.io
5120 maxLength: 253
5121 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
5122 kind:
5123 description: |-
5124 Kind is kind of the referent.
5125
5126 There are two kinds of parent resources with "Core" support:
5127
5128 * Gateway (Gateway conformance profile)
5129 * Service (Mesh conformance profile, ClusterIP Services only)
5130
5131 Support for other resources is Implementation-Specific.
5132 type: string
5133 default: Gateway
5134 maxLength: 63
5135 minLength: 1
5136 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
5137 name:
5138 description: |-
5139 Name is the name of the referent.
5140
5141 Support: Core
5142 type: string
5143 maxLength: 253
5144 minLength: 1
5145 namespace:
5146 description: |-
5147 Namespace is the namespace of the referent. When unspecified, this refers
5148 to the local namespace of the Route.
5149
5150 Note that there are specific rules for ParentRefs which cross namespace
5151 boundaries. Cross-namespace references are only valid if they are explicitly
5152 allowed by something in the namespace they are referring to. For example:
5153 Gateway has the AllowedRoutes field, and ReferenceGrant provides a
5154 generic way to enable any other kind of cross-namespace reference.
5155
5156 <gateway:experimental:description>
5157 ParentRefs from a Route to a Service in the same namespace are "producer"
5158 routes, which apply default routing rules to inbound connections from
5159 any namespace to the Service.
5160
5161 ParentRefs from a Route to a Service in a different namespace are
5162 "consumer" routes, and these routing rules are only applied to outbound
5163 connections originating from the same namespace as the Route, for which
5164 the intended destination of the connections are a Service targeted as a
5165 ParentRef of the Route.
5166 </gateway:experimental:description>
5167
5168 Support: Core
5169 type: string
5170 maxLength: 63
5171 minLength: 1
5172 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
5173 port:
5174 description: |-
5175 Port is the network port this Route targets. It can be interpreted
5176 differently based on the type of parent resource.
5177
5178 When the parent resource is a Gateway, this targets all listeners
5179 listening on the specified port that also support this kind of Route (and
5180 select this Route). It's not recommended to set `Port` unless the
5181 networking behaviors specified in a Route must apply to a specific port
5182 as opposed to a listener(s) whose port(s) may be changed. When both Port
5183 and SectionName are specified, the name and port of the selected listener
5184 must match both specified values.
5185
5186 <gateway:experimental:description>
5187 When the parent resource is a Service, this targets a specific port in the
5188 Service spec. When both Port (experimental) and SectionName are specified,
5189 the name and port of the selected port must match both specified values.
5190 </gateway:experimental:description>
5191
5192 Implementations MAY choose to support other parent resources.
5193 Implementations supporting other types of parent resources MUST clearly
5194 document how/if Port is interpreted.
5195
5196 For the purpose of status, an attachment is considered successful as
5197 long as the parent resource accepts it partially. For example, Gateway
5198 listeners can restrict which Routes can attach to them by Route kind,
5199 namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
5200 from the referencing Route, the Route MUST be considered successfully
5201 attached. If no Gateway listeners accept attachment from this Route,
5202 the Route MUST be considered detached from the Gateway.
5203
5204 Support: Extended
5205 type: integer
5206 format: int32
5207 maximum: 65535
5208 minimum: 1
5209 sectionName:
5210 description: |-
5211 SectionName is the name of a section within the target resource. In the
5212 following resources, SectionName is interpreted as the following:
5213
5214 * Gateway: Listener name. When both Port (experimental) and SectionName
5215 are specified, the name and port of the selected listener must match
5216 both specified values.
5217 * Service: Port name. When both Port (experimental) and SectionName
5218 are specified, the name and port of the selected listener must match
5219 both specified values.
5220
5221 Implementations MAY choose to support attaching Routes to other resources.
5222 If that is the case, they MUST clearly document how SectionName is
5223 interpreted.
5224
5225 When unspecified (empty string), this will reference the entire resource.
5226 For the purpose of status, an attachment is considered successful if at
5227 least one section in the parent resource accepts it. For example, Gateway
5228 listeners can restrict which Routes can attach to them by Route kind,
5229 namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
5230 the referencing Route, the Route MUST be considered successfully
5231 attached. If no Gateway listeners accept attachment from this Route, the
5232 Route MUST be considered detached from the Gateway.
5233
5234 Support: Core
5235 type: string
5236 maxLength: 253
5237 minLength: 1
5238 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
5239 podTemplate:
5240 description: |-
5241 Optional pod template used to configure the ACME challenge solver pods
5242 used for HTTP01 challenges.
5243 type: object
5244 properties:
5245 metadata:
5246 description: |-
5247 ObjectMeta overrides for the pod used to solve HTTP01 challenges.
5248 Only the 'labels' and 'annotations' fields may be set.
5249 If labels or annotations overlap with in-built values, the values here
5250 will override the in-built values.
5251 type: object
5252 properties:
5253 annotations:
5254 description: Annotations that should be added to the created ACME HTTP01 solver pods.
5255 type: object
5256 additionalProperties:
5257 type: string
5258 labels:
5259 description: Labels that should be added to the created ACME HTTP01 solver pods.
5260 type: object
5261 additionalProperties:
5262 type: string
5263 spec:
5264 description: |-
5265 PodSpec defines overrides for the HTTP01 challenge solver pod.
5266 Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
5267 All other fields will be ignored.
5268 type: object
5269 properties:
5270 affinity:
5271 description: If specified, the pod's scheduling constraints
5272 type: object
5273 properties:
5274 nodeAffinity:
5275 description: Describes node affinity scheduling rules for the pod.
5276 type: object
5277 properties:
5278 preferredDuringSchedulingIgnoredDuringExecution:
5279 description: |-
5280 The scheduler will prefer to schedule pods to nodes that satisfy
5281 the affinity expressions specified by this field, but it may choose
5282 a node that violates one or more of the expressions. The node that is
5283 most preferred is the one with the greatest sum of weights, i.e.
5284 for each node that meets all of the scheduling requirements (resource
5285 request, requiredDuringScheduling affinity expressions, etc.),
5286 compute a sum by iterating through the elements of this field and adding
5287 "weight" to the sum if the node matches the corresponding matchExpressions; the
5288 node(s) with the highest sum are the most preferred.
5289 type: array
5290 items:
5291 description: |-
5292 An empty preferred scheduling term matches all objects with implicit weight 0
5293 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
5294 type: object
5295 required:
5296 - preference
5297 - weight
5298 properties:
5299 preference:
5300 description: A node selector term, associated with the corresponding weight.
5301 type: object
5302 properties:
5303 matchExpressions:
5304 description: A list of node selector requirements by node's labels.
5305 type: array
5306 items:
5307 description: |-
5308 A node selector requirement is a selector that contains values, a key, and an operator
5309 that relates the key and values.
5310 type: object
5311 required:
5312 - key
5313 - operator
5314 properties:
5315 key:
5316 description: The label key that the selector applies to.
5317 type: string
5318 operator:
5319 description: |-
5320 Represents a key's relationship to a set of values.
5321 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5322 type: string
5323 values:
5324 description: |-
5325 An array of string values. If the operator is In or NotIn,
5326 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5327 the values array must be empty. If the operator is Gt or Lt, the values
5328 array must have a single element, which will be interpreted as an integer.
5329 This array is replaced during a strategic merge patch.
5330 type: array
5331 items:
5332 type: string
5333 x-kubernetes-list-type: atomic
5334 x-kubernetes-list-type: atomic
5335 matchFields:
5336 description: A list of node selector requirements by node's fields.
5337 type: array
5338 items:
5339 description: |-
5340 A node selector requirement is a selector that contains values, a key, and an operator
5341 that relates the key and values.
5342 type: object
5343 required:
5344 - key
5345 - operator
5346 properties:
5347 key:
5348 description: The label key that the selector applies to.
5349 type: string
5350 operator:
5351 description: |-
5352 Represents a key's relationship to a set of values.
5353 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5354 type: string
5355 values:
5356 description: |-
5357 An array of string values. If the operator is In or NotIn,
5358 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5359 the values array must be empty. If the operator is Gt or Lt, the values
5360 array must have a single element, which will be interpreted as an integer.
5361 This array is replaced during a strategic merge patch.
5362 type: array
5363 items:
5364 type: string
5365 x-kubernetes-list-type: atomic
5366 x-kubernetes-list-type: atomic
5367 x-kubernetes-map-type: atomic
5368 weight:
5369 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
5370 type: integer
5371 format: int32
5372 x-kubernetes-list-type: atomic
5373 requiredDuringSchedulingIgnoredDuringExecution:
5374 description: |-
5375 If the affinity requirements specified by this field are not met at
5376 scheduling time, the pod will not be scheduled onto the node.
5377 If the affinity requirements specified by this field cease to be met
5378 at some point during pod execution (e.g. due to an update), the system
5379 may or may not try to eventually evict the pod from its node.
5380 type: object
5381 required:
5382 - nodeSelectorTerms
5383 properties:
5384 nodeSelectorTerms:
5385 description: Required. A list of node selector terms. The terms are ORed.
5386 type: array
5387 items:
5388 description: |-
5389 A null or empty node selector term matches no objects. The requirements of
5390 them are ANDed.
5391 The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
5392 type: object
5393 properties:
5394 matchExpressions:
5395 description: A list of node selector requirements by node's labels.
5396 type: array
5397 items:
5398 description: |-
5399 A node selector requirement is a selector that contains values, a key, and an operator
5400 that relates the key and values.
5401 type: object
5402 required:
5403 - key
5404 - operator
5405 properties:
5406 key:
5407 description: The label key that the selector applies to.
5408 type: string
5409 operator:
5410 description: |-
5411 Represents a key's relationship to a set of values.
5412 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5413 type: string
5414 values:
5415 description: |-
5416 An array of string values. If the operator is In or NotIn,
5417 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5418 the values array must be empty. If the operator is Gt or Lt, the values
5419 array must have a single element, which will be interpreted as an integer.
5420 This array is replaced during a strategic merge patch.
5421 type: array
5422 items:
5423 type: string
5424 x-kubernetes-list-type: atomic
5425 x-kubernetes-list-type: atomic
5426 matchFields:
5427 description: A list of node selector requirements by node's fields.
5428 type: array
5429 items:
5430 description: |-
5431 A node selector requirement is a selector that contains values, a key, and an operator
5432 that relates the key and values.
5433 type: object
5434 required:
5435 - key
5436 - operator
5437 properties:
5438 key:
5439 description: The label key that the selector applies to.
5440 type: string
5441 operator:
5442 description: |-
5443 Represents a key's relationship to a set of values.
5444 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
5445 type: string
5446 values:
5447 description: |-
5448 An array of string values. If the operator is In or NotIn,
5449 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5450 the values array must be empty. If the operator is Gt or Lt, the values
5451 array must have a single element, which will be interpreted as an integer.
5452 This array is replaced during a strategic merge patch.
5453 type: array
5454 items:
5455 type: string
5456 x-kubernetes-list-type: atomic
5457 x-kubernetes-list-type: atomic
5458 x-kubernetes-map-type: atomic
5459 x-kubernetes-list-type: atomic
5460 x-kubernetes-map-type: atomic
5461 podAffinity:
5462 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
5463 type: object
5464 properties:
5465 preferredDuringSchedulingIgnoredDuringExecution:
5466 description: |-
5467 The scheduler will prefer to schedule pods to nodes that satisfy
5468 the affinity expressions specified by this field, but it may choose
5469 a node that violates one or more of the expressions. The node that is
5470 most preferred is the one with the greatest sum of weights, i.e.
5471 for each node that meets all of the scheduling requirements (resource
5472 request, requiredDuringScheduling affinity expressions, etc.),
5473 compute a sum by iterating through the elements of this field and adding
5474 "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
5475 node(s) with the highest sum are the most preferred.
5476 type: array
5477 items:
5478 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5479 type: object
5480 required:
5481 - podAffinityTerm
5482 - weight
5483 properties:
5484 podAffinityTerm:
5485 description: Required. A pod affinity term, associated with the corresponding weight.
5486 type: object
5487 required:
5488 - topologyKey
5489 properties:
5490 labelSelector:
5491 description: |-
5492 A label query over a set of resources, in this case pods.
5493 If it's null, this PodAffinityTerm matches with no Pods.
5494 type: object
5495 properties:
5496 matchExpressions:
5497 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5498 type: array
5499 items:
5500 description: |-
5501 A label selector requirement is a selector that contains values, a key, and an operator that
5502 relates the key and values.
5503 type: object
5504 required:
5505 - key
5506 - operator
5507 properties:
5508 key:
5509 description: key is the label key that the selector applies to.
5510 type: string
5511 operator:
5512 description: |-
5513 operator represents a key's relationship to a set of values.
5514 Valid operators are In, NotIn, Exists and DoesNotExist.
5515 type: string
5516 values:
5517 description: |-
5518 values is an array of string values. If the operator is In or NotIn,
5519 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5520 the values array must be empty. This array is replaced during a strategic
5521 merge patch.
5522 type: array
5523 items:
5524 type: string
5525 x-kubernetes-list-type: atomic
5526 x-kubernetes-list-type: atomic
5527 matchLabels:
5528 description: |-
5529 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5530 map is equivalent to an element of matchExpressions, whose key field is "key", the
5531 operator is "In", and the values array contains only "value". The requirements are ANDed.
5532 type: object
5533 additionalProperties:
5534 type: string
5535 x-kubernetes-map-type: atomic
5536 matchLabelKeys:
5537 description: |-
5538 MatchLabelKeys is a set of pod label keys to select which pods will
5539 be taken into consideration. The keys are used to look up values from the
5540 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
5541 to select the group of existing pods which pods will be taken into consideration
5542 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5543 pod labels will be ignored. The default value is empty.
5544 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
5545 Also, matchLabelKeys cannot be set when labelSelector isn't set.
5546 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5547 type: array
5548 items:
5549 type: string
5550 x-kubernetes-list-type: atomic
5551 mismatchLabelKeys:
5552 description: |-
5553 MismatchLabelKeys is a set of pod label keys to select which pods will
5554 be taken into consideration. The keys are used to look up values from the
5555 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
5556 to select the group of existing pods which pods will be taken into consideration
5557 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5558 pod labels will be ignored. The default value is empty.
5559 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
5560 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
5561 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5562 type: array
5563 items:
5564 type: string
5565 x-kubernetes-list-type: atomic
5566 namespaceSelector:
5567 description: |-
5568 A label query over the set of namespaces that the term applies to.
5569 The term is applied to the union of the namespaces selected by this field
5570 and the ones listed in the namespaces field.
5571 null selector and null or empty namespaces list means "this pod's namespace".
5572 An empty selector ({}) matches all namespaces.
5573 type: object
5574 properties:
5575 matchExpressions:
5576 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5577 type: array
5578 items:
5579 description: |-
5580 A label selector requirement is a selector that contains values, a key, and an operator that
5581 relates the key and values.
5582 type: object
5583 required:
5584 - key
5585 - operator
5586 properties:
5587 key:
5588 description: key is the label key that the selector applies to.
5589 type: string
5590 operator:
5591 description: |-
5592 operator represents a key's relationship to a set of values.
5593 Valid operators are In, NotIn, Exists and DoesNotExist.
5594 type: string
5595 values:
5596 description: |-
5597 values is an array of string values. If the operator is In or NotIn,
5598 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5599 the values array must be empty. This array is replaced during a strategic
5600 merge patch.
5601 type: array
5602 items:
5603 type: string
5604 x-kubernetes-list-type: atomic
5605 x-kubernetes-list-type: atomic
5606 matchLabels:
5607 description: |-
5608 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5609 map is equivalent to an element of matchExpressions, whose key field is "key", the
5610 operator is "In", and the values array contains only "value". The requirements are ANDed.
5611 type: object
5612 additionalProperties:
5613 type: string
5614 x-kubernetes-map-type: atomic
5615 namespaces:
5616 description: |-
5617 namespaces specifies a static list of namespace names that the term applies to.
5618 The term is applied to the union of the namespaces listed in this field
5619 and the ones selected by namespaceSelector.
5620 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
5621 type: array
5622 items:
5623 type: string
5624 x-kubernetes-list-type: atomic
5625 topologyKey:
5626 description: |-
5627 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
5628 the labelSelector in the specified namespaces, where co-located is defined as running on a node
5629 whose value of the label with key topologyKey matches that of any node on which any of the
5630 selected pods is running.
5631 Empty topologyKey is not allowed.
5632 type: string
5633 weight:
5634 description: |-
5635 weight associated with matching the corresponding podAffinityTerm,
5636 in the range 1-100.
5637 type: integer
5638 format: int32
5639 x-kubernetes-list-type: atomic
5640 requiredDuringSchedulingIgnoredDuringExecution:
5641 description: |-
5642 If the affinity requirements specified by this field are not met at
5643 scheduling time, the pod will not be scheduled onto the node.
5644 If the affinity requirements specified by this field cease to be met
5645 at some point during pod execution (e.g. due to a pod label update), the
5646 system may or may not try to eventually evict the pod from its node.
5647 When there are multiple elements, the lists of nodes corresponding to each
5648 podAffinityTerm are intersected, i.e. all terms must be satisfied.
5649 type: array
5650 items:
5651 description: |-
5652 Defines a set of pods (namely those matching the labelSelector
5653 relative to the given namespace(s)) that this pod should be
5654 co-located (affinity) or not co-located (anti-affinity) with,
5655 where co-located is defined as running on a node whose value of
5656 the label with key <topologyKey> matches that of any node on which
5657 a pod of the set of pods is running
5658 type: object
5659 required:
5660 - topologyKey
5661 properties:
5662 labelSelector:
5663 description: |-
5664 A label query over a set of resources, in this case pods.
5665 If it's null, this PodAffinityTerm matches with no Pods.
5666 type: object
5667 properties:
5668 matchExpressions:
5669 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5670 type: array
5671 items:
5672 description: |-
5673 A label selector requirement is a selector that contains values, a key, and an operator that
5674 relates the key and values.
5675 type: object
5676 required:
5677 - key
5678 - operator
5679 properties:
5680 key:
5681 description: key is the label key that the selector applies to.
5682 type: string
5683 operator:
5684 description: |-
5685 operator represents a key's relationship to a set of values.
5686 Valid operators are In, NotIn, Exists and DoesNotExist.
5687 type: string
5688 values:
5689 description: |-
5690 values is an array of string values. If the operator is In or NotIn,
5691 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5692 the values array must be empty. This array is replaced during a strategic
5693 merge patch.
5694 type: array
5695 items:
5696 type: string
5697 x-kubernetes-list-type: atomic
5698 x-kubernetes-list-type: atomic
5699 matchLabels:
5700 description: |-
5701 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5702 map is equivalent to an element of matchExpressions, whose key field is "key", the
5703 operator is "In", and the values array contains only "value". The requirements are ANDed.
5704 type: object
5705 additionalProperties:
5706 type: string
5707 x-kubernetes-map-type: atomic
5708 matchLabelKeys:
5709 description: |-
5710 MatchLabelKeys is a set of pod label keys to select which pods will
5711 be taken into consideration. The keys are used to look up values from the
5712 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
5713 to select the group of existing pods which pods will be taken into consideration
5714 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5715 pod labels will be ignored. The default value is empty.
5716 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
5717 Also, matchLabelKeys cannot be set when labelSelector isn't set.
5718 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5719 type: array
5720 items:
5721 type: string
5722 x-kubernetes-list-type: atomic
5723 mismatchLabelKeys:
5724 description: |-
5725 MismatchLabelKeys is a set of pod label keys to select which pods will
5726 be taken into consideration. The keys are used to lookup values from the
5727 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
5728 to select the group of existing pods which pods will be taken into consideration
5729 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5730 pod labels will be ignored. The default value is empty.
5731 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
5732 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
5733 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5734 type: array
5735 items:
5736 type: string
5737 x-kubernetes-list-type: atomic
5738 namespaceSelector:
5739 description: |-
5740 A label query over the set of namespaces that the term applies to.
5741 The term is applied to the union of the namespaces selected by this field
5742 and the ones listed in the namespaces field.
5743 null selector and null or empty namespaces list means "this pod's namespace".
5744 An empty selector ({}) matches all namespaces.
5745 type: object
5746 properties:
5747 matchExpressions:
5748 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5749 type: array
5750 items:
5751 description: |-
5752 A label selector requirement is a selector that contains values, a key, and an operator that
5753 relates the key and values.
5754 type: object
5755 required:
5756 - key
5757 - operator
5758 properties:
5759 key:
5760 description: key is the label key that the selector applies to.
5761 type: string
5762 operator:
5763 description: |-
5764 operator represents a key's relationship to a set of values.
5765 Valid operators are In, NotIn, Exists and DoesNotExist.
5766 type: string
5767 values:
5768 description: |-
5769 values is an array of string values. If the operator is In or NotIn,
5770 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5771 the values array must be empty. This array is replaced during a strategic
5772 merge patch.
5773 type: array
5774 items:
5775 type: string
5776 x-kubernetes-list-type: atomic
5777 x-kubernetes-list-type: atomic
5778 matchLabels:
5779 description: |-
5780 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5781 map is equivalent to an element of matchExpressions, whose key field is "key", the
5782 operator is "In", and the values array contains only "value". The requirements are ANDed.
5783 type: object
5784 additionalProperties:
5785 type: string
5786 x-kubernetes-map-type: atomic
5787 namespaces:
5788 description: |-
5789 namespaces specifies a static list of namespace names that the term applies to.
5790 The term is applied to the union of the namespaces listed in this field
5791 and the ones selected by namespaceSelector.
5792 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
5793 type: array
5794 items:
5795 type: string
5796 x-kubernetes-list-type: atomic
5797 topologyKey:
5798 description: |-
5799 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
5800 the labelSelector in the specified namespaces, where co-located is defined as running on a node
5801 whose value of the label with key topologyKey matches that of any node on which any of the
5802 selected pods is running.
5803 Empty topologyKey is not allowed.
5804 type: string
5805 x-kubernetes-list-type: atomic
5806 podAntiAffinity:
5807 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
5808 type: object
5809 properties:
5810 preferredDuringSchedulingIgnoredDuringExecution:
5811 description: |-
5812 The scheduler will prefer to schedule pods to nodes that satisfy
5813 the anti-affinity expressions specified by this field, but it may choose
5814 a node that violates one or more of the expressions. The node that is
5815 most preferred is the one with the greatest sum of weights, i.e.
5816 for each node that meets all of the scheduling requirements (resource
5817 request, requiredDuringScheduling anti-affinity expressions, etc.),
5818 compute a sum by iterating through the elements of this field and adding
5819 "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
5820 node(s) with the highest sum are the most preferred.
5821 type: array
5822 items:
5823 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
5824 type: object
5825 required:
5826 - podAffinityTerm
5827 - weight
5828 properties:
5829 podAffinityTerm:
5830 description: Required. A pod affinity term, associated with the corresponding weight.
5831 type: object
5832 required:
5833 - topologyKey
5834 properties:
5835 labelSelector:
5836 description: |-
5837 A label query over a set of resources, in this case pods.
5838 If it's null, this PodAffinityTerm matches with no Pods.
5839 type: object
5840 properties:
5841 matchExpressions:
5842 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5843 type: array
5844 items:
5845 description: |-
5846 A label selector requirement is a selector that contains values, a key, and an operator that
5847 relates the key and values.
5848 type: object
5849 required:
5850 - key
5851 - operator
5852 properties:
5853 key:
5854 description: key is the label key that the selector applies to.
5855 type: string
5856 operator:
5857 description: |-
5858 operator represents a key's relationship to a set of values.
5859 Valid operators are In, NotIn, Exists and DoesNotExist.
5860 type: string
5861 values:
5862 description: |-
5863 values is an array of string values. If the operator is In or NotIn,
5864 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5865 the values array must be empty. This array is replaced during a strategic
5866 merge patch.
5867 type: array
5868 items:
5869 type: string
5870 x-kubernetes-list-type: atomic
5871 x-kubernetes-list-type: atomic
5872 matchLabels:
5873 description: |-
5874 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5875 map is equivalent to an element of matchExpressions, whose key field is "key", the
5876 operator is "In", and the values array contains only "value". The requirements are ANDed.
5877 type: object
5878 additionalProperties:
5879 type: string
5880 x-kubernetes-map-type: atomic
5881 matchLabelKeys:
5882 description: |-
5883 MatchLabelKeys is a set of pod label keys to select which pods will
5884 be taken into consideration. The keys are used to lookup values from the
5885 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
5886 to select the group of existing pods which pods will be taken into consideration
5887 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5888 pod labels will be ignored. The default value is empty.
5889 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
5890 Also, matchLabelKeys cannot be set when labelSelector isn't set.
5891 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5892 type: array
5893 items:
5894 type: string
5895 x-kubernetes-list-type: atomic
5896 mismatchLabelKeys:
5897 description: |-
5898 MismatchLabelKeys is a set of pod label keys to select which pods will
5899 be taken into consideration. The keys are used to lookup values from the
5900 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
5901 to select the group of existing pods which pods will be taken into consideration
5902 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
5903 pod labels will be ignored. The default value is empty.
5904 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
5905 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
5906 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
5907 type: array
5908 items:
5909 type: string
5910 x-kubernetes-list-type: atomic
5911 namespaceSelector:
5912 description: |-
5913 A label query over the set of namespaces that the term applies to.
5914 The term is applied to the union of the namespaces selected by this field
5915 and the ones listed in the namespaces field.
5916 null selector and null or empty namespaces list means "this pod's namespace".
5917 An empty selector ({}) matches all namespaces.
5918 type: object
5919 properties:
5920 matchExpressions:
5921 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
5922 type: array
5923 items:
5924 description: |-
5925 A label selector requirement is a selector that contains values, a key, and an operator that
5926 relates the key and values.
5927 type: object
5928 required:
5929 - key
5930 - operator
5931 properties:
5932 key:
5933 description: key is the label key that the selector applies to.
5934 type: string
5935 operator:
5936 description: |-
5937 operator represents a key's relationship to a set of values.
5938 Valid operators are In, NotIn, Exists and DoesNotExist.
5939 type: string
5940 values:
5941 description: |-
5942 values is an array of string values. If the operator is In or NotIn,
5943 the values array must be non-empty. If the operator is Exists or DoesNotExist,
5944 the values array must be empty. This array is replaced during a strategic
5945 merge patch.
5946 type: array
5947 items:
5948 type: string
5949 x-kubernetes-list-type: atomic
5950 x-kubernetes-list-type: atomic
5951 matchLabels:
5952 description: |-
5953 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
5954 map is equivalent to an element of matchExpressions, whose key field is "key", the
5955 operator is "In", and the values array contains only "value". The requirements are ANDed.
5956 type: object
5957 additionalProperties:
5958 type: string
5959 x-kubernetes-map-type: atomic
5960 namespaces:
5961 description: |-
5962 namespaces specifies a static list of namespace names that the term applies to.
5963 The term is applied to the union of the namespaces listed in this field
5964 and the ones selected by namespaceSelector.
5965 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
5966 type: array
5967 items:
5968 type: string
5969 x-kubernetes-list-type: atomic
5970 topologyKey:
5971 description: |-
5972 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
5973 the labelSelector in the specified namespaces, where co-located is defined as running on a node
5974 whose value of the label with key topologyKey matches that of any node on which any of the
5975 selected pods is running.
5976 Empty topologyKey is not allowed.
5977 type: string
5978 weight:
5979 description: |-
5980 weight associated with matching the corresponding podAffinityTerm,
5981 in the range 1-100.
5982 type: integer
5983 format: int32
5984 x-kubernetes-list-type: atomic
5985 requiredDuringSchedulingIgnoredDuringExecution:
5986 description: |-
5987 If the anti-affinity requirements specified by this field are not met at
5988 scheduling time, the pod will not be scheduled onto the node.
5989 If the anti-affinity requirements specified by this field cease to be met
5990 at some point during pod execution (e.g. due to a pod label update), the
5991 system may or may not try to eventually evict the pod from its node.
5992 When there are multiple elements, the lists of nodes corresponding to each
5993 podAffinityTerm are intersected, i.e. all terms must be satisfied.
5994 type: array
5995 items:
5996 description: |-
5997 Defines a set of pods (namely those matching the labelSelector
5998 relative to the given namespace(s)) that this pod should be
5999 co-located (affinity) or not co-located (anti-affinity) with,
6000 where co-located is defined as running on a node whose value of
6001 the label with key <topologyKey> matches that of any node on which
6002 a pod of the set of pods is running
6003 type: object
6004 required:
6005 - topologyKey
6006 properties:
6007 labelSelector:
6008 description: |-
6009 A label query over a set of resources, in this case pods.
6010 If it's null, this PodAffinityTerm matches with no Pods.
6011 type: object
6012 properties:
6013 matchExpressions:
6014 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6015 type: array
6016 items:
6017 description: |-
6018 A label selector requirement is a selector that contains values, a key, and an operator that
6019 relates the key and values.
6020 type: object
6021 required:
6022 - key
6023 - operator
6024 properties:
6025 key:
6026 description: key is the label key that the selector applies to.
6027 type: string
6028 operator:
6029 description: |-
6030 operator represents a key's relationship to a set of values.
6031 Valid operators are In, NotIn, Exists and DoesNotExist.
6032 type: string
6033 values:
6034 description: |-
6035 values is an array of string values. If the operator is In or NotIn,
6036 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6037 the values array must be empty. This array is replaced during a strategic
6038 merge patch.
6039 type: array
6040 items:
6041 type: string
6042 x-kubernetes-list-type: atomic
6043 x-kubernetes-list-type: atomic
6044 matchLabels:
6045 description: |-
6046 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6047 map is equivalent to an element of matchExpressions, whose key field is "key", the
6048 operator is "In", and the values array contains only "value". The requirements are ANDed.
6049 type: object
6050 additionalProperties:
6051 type: string
6052 x-kubernetes-map-type: atomic
6053 matchLabelKeys:
6054 description: |-
6055 MatchLabelKeys is a set of pod label keys to select which pods will
6056 be taken into consideration. The keys are used to lookup values from the
6057 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
6058 to select the group of existing pods which pods will be taken into consideration
6059 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6060 pod labels will be ignored. The default value is empty.
6061 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
6062 Also, matchLabelKeys cannot be set when labelSelector isn't set.
6063 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6064 type: array
6065 items:
6066 type: string
6067 x-kubernetes-list-type: atomic
6068 mismatchLabelKeys:
6069 description: |-
6070 MismatchLabelKeys is a set of pod label keys to select which pods will
6071 be taken into consideration. The keys are used to lookup values from the
6072 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
6073 to select the group of existing pods which pods will be taken into consideration
6074 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6075 pod labels will be ignored. The default value is empty.
6076 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
6077 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
6078 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6079 type: array
6080 items:
6081 type: string
6082 x-kubernetes-list-type: atomic
6083 namespaceSelector:
6084 description: |-
6085 A label query over the set of namespaces that the term applies to.
6086 The term is applied to the union of the namespaces selected by this field
6087 and the ones listed in the namespaces field.
6088 null selector and null or empty namespaces list means "this pod's namespace".
6089 An empty selector ({}) matches all namespaces.
6090 type: object
6091 properties:
6092 matchExpressions:
6093 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6094 type: array
6095 items:
6096 description: |-
6097 A label selector requirement is a selector that contains values, a key, and an operator that
6098 relates the key and values.
6099 type: object
6100 required:
6101 - key
6102 - operator
6103 properties:
6104 key:
6105 description: key is the label key that the selector applies to.
6106 type: string
6107 operator:
6108 description: |-
6109 operator represents a key's relationship to a set of values.
6110 Valid operators are In, NotIn, Exists and DoesNotExist.
6111 type: string
6112 values:
6113 description: |-
6114 values is an array of string values. If the operator is In or NotIn,
6115 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6116 the values array must be empty. This array is replaced during a strategic
6117 merge patch.
6118 type: array
6119 items:
6120 type: string
6121 x-kubernetes-list-type: atomic
6122 x-kubernetes-list-type: atomic
6123 matchLabels:
6124 description: |-
6125 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6126 map is equivalent to an element of matchExpressions, whose key field is "key", the
6127 operator is "In", and the values array contains only "value". The requirements are ANDed.
6128 type: object
6129 additionalProperties:
6130 type: string
6131 x-kubernetes-map-type: atomic
6132 namespaces:
6133 description: |-
6134 namespaces specifies a static list of namespace names that the term applies to.
6135 The term is applied to the union of the namespaces listed in this field
6136 and the ones selected by namespaceSelector.
6137 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
6138 type: array
6139 items:
6140 type: string
6141 x-kubernetes-list-type: atomic
6142 topologyKey:
6143 description: |-
6144 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
6145 the labelSelector in the specified namespaces, where co-located is defined as running on a node
6146 whose value of the label with key topologyKey matches that of any node on which any of the
6147 selected pods is running.
6148 Empty topologyKey is not allowed.
6149 type: string
6150 x-kubernetes-list-type: atomic
6151 imagePullSecrets:
6152 description: If specified, the pod's imagePullSecrets
6153 type: array
6154 items:
6155 description: |-
6156 LocalObjectReference contains enough information to let you locate the
6157 referenced object inside the same namespace.
6158 type: object
6159 properties:
6160 name:
6161 description: |-
6162 Name of the referent.
6163 This field is effectively required, but due to backwards compatibility is
6164 allowed to be empty. Instances of this type with an empty value here are
6165 almost certainly wrong.
6166 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
6167 type: string
6168 default: ""
6169 x-kubernetes-map-type: atomic
6170 nodeSelector:
6171 description: |-
6172 NodeSelector is a selector which must be true for the pod to fit on a node.
6173 Selector which must match a node's labels for the pod to be scheduled on that node.
6174 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
6175 type: object
6176 additionalProperties:
6177 type: string
6178 priorityClassName:
6179 description: If specified, the pod's priorityClassName.
6180 type: string
6181 securityContext:
6182 description: If specified, the pod's security context
6183 type: object
6184 properties:
6185 fsGroup:
6186 description: |-
6187 A special supplemental group that applies to all containers in a pod.
6188 Some volume types allow the Kubelet to change the ownership of that volume
6189 to be owned by the pod:
6190
6191 1. The owning GID will be the FSGroup
6192 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
6193 3. The permission bits are OR'd with rw-rw----
6194
6195 If unset, the Kubelet will not modify the ownership and permissions of any volume.
6196 Note that this field cannot be set when spec.os.name is windows.
6197 type: integer
6198 format: int64
6199 fsGroupChangePolicy:
6200 description: |-
6201 fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
6202 before being exposed inside Pod. This field will only apply to
6203 volume types which support fsGroup based ownership(and permissions).
6204 It will have no effect on ephemeral volume types such as: secret, configmaps
6205 and emptydir.
6206 Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
6207 Note that this field cannot be set when spec.os.name is windows.
6208 type: string
6209 runAsGroup:
6210 description: |-
6211 The GID to run the entrypoint of the container process.
6212 Uses runtime default if unset.
6213 May also be set in SecurityContext. If set in both SecurityContext and
6214 PodSecurityContext, the value specified in SecurityContext takes precedence
6215 for that container.
6216 Note that this field cannot be set when spec.os.name is windows.
6217 type: integer
6218 format: int64
6219 runAsNonRoot:
6220 description: |-
6221 Indicates that the container must run as a non-root user.
6222 If true, the Kubelet will validate the image at runtime to ensure that it
6223 does not run as UID 0 (root) and fail to start the container if it does.
6224 If unset or false, no such validation will be performed.
6225 May also be set in SecurityContext. If set in both SecurityContext and
6226 PodSecurityContext, the value specified in SecurityContext takes precedence.
6227 type: boolean
6228 runAsUser:
6229 description: |-
6230 The UID to run the entrypoint of the container process.
6231 Defaults to user specified in image metadata if unspecified.
6232 May also be set in SecurityContext. If set in both SecurityContext and
6233 PodSecurityContext, the value specified in SecurityContext takes precedence
6234 for that container.
6235 Note that this field cannot be set when spec.os.name is windows.
6236 type: integer
6237 format: int64
6238 seLinuxOptions:
6239 description: |-
6240 The SELinux context to be applied to all containers.
6241 If unspecified, the container runtime will allocate a random SELinux context for each
6242 container. May also be set in SecurityContext. If set in
6243 both SecurityContext and PodSecurityContext, the value specified in SecurityContext
6244 takes precedence for that container.
6245 Note that this field cannot be set when spec.os.name is windows.
6246 type: object
6247 properties:
6248 level:
6249 description: Level is SELinux level label that applies to the container.
6250 type: string
6251 role:
6252 description: Role is a SELinux role label that applies to the container.
6253 type: string
6254 type:
6255 description: Type is a SELinux type label that applies to the container.
6256 type: string
6257 user:
6258 description: User is a SELinux user label that applies to the container.
6259 type: string
6260 seccompProfile:
6261 description: |-
6262 The seccomp options to use by the containers in this pod.
6263 Note that this field cannot be set when spec.os.name is windows.
6264 type: object
6265 required:
6266 - type
6267 properties:
6268 localhostProfile:
6269 description: |-
6270 localhostProfile indicates a profile defined in a file on the node should be used.
6271 The profile must be preconfigured on the node to work.
6272 Must be a descending path, relative to the kubelet's configured seccomp profile location.
6273 Must be set if type is "Localhost". Must NOT be set for any other type.
6274 type: string
6275 type:
6276 description: |-
6277 type indicates which kind of seccomp profile will be applied.
6278 Valid options are:
6279
6280 Localhost - a profile defined in a file on the node should be used.
6281 RuntimeDefault - the container runtime default profile should be used.
6282 Unconfined - no profile should be applied.
6283 type: string
6284 supplementalGroups:
6285 description: |-
6286 A list of groups applied to the first process run in each container, in addition
6287 to the container's primary GID, the fsGroup (if specified), and group memberships
6288 defined in the container image for the uid of the container process. If unspecified,
6289 no additional groups are added to any container. Note that group memberships
6290 defined in the container image for the uid of the container process are still effective,
6291 even if they are not included in this list.
6292 Note that this field cannot be set when spec.os.name is windows.
6293 type: array
6294 items:
6295 type: integer
6296 format: int64
6297 sysctls:
6298 description: |-
6299 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
6300 sysctls (by the container runtime) might fail to launch.
6301 Note that this field cannot be set when spec.os.name is windows.
6302 type: array
6303 items:
6304 description: Sysctl defines a kernel parameter to be set
6305 type: object
6306 required:
6307 - name
6308 - value
6309 properties:
6310 name:
6311 description: Name of a property to set
6312 type: string
6313 value:
6314 description: Value of a property to set
6315 type: string
6316 serviceAccountName:
6317 description: If specified, the pod's service account
6318 type: string
6319 tolerations:
6320 description: If specified, the pod's tolerations.
6321 type: array
6322 items:
6323 description: |-
6324 The pod this Toleration is attached to tolerates any taint that matches
6325 the triple <key,value,effect> using the matching operator <operator>.
6326 type: object
6327 properties:
6328 effect:
6329 description: |-
6330 Effect indicates the taint effect to match. Empty means match all taint effects.
6331 When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
6332 type: string
6333 key:
6334 description: |-
6335 Key is the taint key that the toleration applies to. Empty means match all taint keys.
6336 If the key is empty, operator must be Exists; this combination means to match all values and all keys.
6337 type: string
6338 operator:
6339 description: |-
6340 Operator represents a key's relationship to the value.
6341 Valid operators are Exists and Equal. Defaults to Equal.
6342 Exists is equivalent to wildcard for value, so that a pod can
6343 tolerate all taints of a particular category.
6344 type: string
6345 tolerationSeconds:
6346 description: |-
6347 TolerationSeconds represents the period of time the toleration (which must be
6348 of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
6349 it is not set, which means tolerate the taint forever (do not evict). Zero and
6350 negative values will be treated as 0 (evict immediately) by the system.
6351 type: integer
6352 format: int64
6353 value:
6354 description: |-
6355 Value is the taint value the toleration matches to.
6356 If the operator is Exists, the value should be empty, otherwise just a regular string.
6357 type: string
6358 serviceType:
6359 description: |-
6360 Optional service type for Kubernetes solver service. Supported values
6361 are NodePort or ClusterIP. If unset, defaults to NodePort.
6362 type: string
6363 ingress:
6364 description: |-
6365 The ingress based HTTP01 challenge solver will solve challenges by
6366 creating or modifying Ingress resources in order to route requests for
6367 '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
6368 provisioned by cert-manager for each Challenge to be completed.
6369 type: object
6370 properties:
6371 class:
6372 description: |-
6373 This field configures the annotation `kubernetes.io/ingress.class` when
6374 creating Ingress resources to solve ACME challenges that use this
6375 challenge solver. Only one of `class`, `name` or `ingressClassName` may
6376 be specified.
6377 type: string
6378 ingressClassName:
6379 description: |-
6380 This field configures the field `ingressClassName` on the created Ingress
6381 resources used to solve ACME challenges that use this challenge solver.
6382 This is the recommended way of configuring the ingress class. Only one of
6383 `class`, `name` or `ingressClassName` may be specified.
6384 type: string
6385 ingressTemplate:
6386 description: |-
6387 Optional ingress template used to configure the ACME challenge solver
6388 ingress used for HTTP01 challenges.
6389 type: object
6390 properties:
6391 metadata:
6392 description: |-
6393 ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
6394 Only the 'labels' and 'annotations' fields may be set.
6395 If labels or annotations overlap with in-built values, the values here
6396 will override the in-built values.
6397 type: object
6398 properties:
6399 annotations:
6400 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
6401 type: object
6402 additionalProperties:
6403 type: string
6404 labels:
6405 description: Labels that should be added to the created ACME HTTP01 solver ingress.
6406 type: object
6407 additionalProperties:
6408 type: string
6409 name:
6410 description: |-
6411 The name of the ingress resource that should have ACME challenge solving
6412 routes inserted into it in order to solve HTTP01 challenges.
6413 This is typically used in conjunction with ingress controllers like
6414 ingress-gce, which maintains a 1:1 mapping between external IPs and
6415 ingress resources. Only one of `class`, `name` or `ingressClassName` may
6416 be specified.
6417 type: string
6418 podTemplate:
6419 description: |-
6420 Optional pod template used to configure the ACME challenge solver pods
6421 used for HTTP01 challenges.
6422 type: object
6423 properties:
6424 metadata:
6425 description: |-
6426 ObjectMeta overrides for the pod used to solve HTTP01 challenges.
6427 Only the 'labels' and 'annotations' fields may be set.
6428 If labels or annotations overlap with in-built values, the values here
6429 will override the in-built values.
6430 type: object
6431 properties:
6432 annotations:
6433 description: Annotations that should be added to the created ACME HTTP01 solver pods.
6434 type: object
6435 additionalProperties:
6436 type: string
6437 labels:
6438 description: Labels that should be added to the created ACME HTTP01 solver pods.
6439 type: object
6440 additionalProperties:
6441 type: string
6442 spec:
6443 description: |-
6444 PodSpec defines overrides for the HTTP01 challenge solver pod.
6445 Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
6446 All other fields will be ignored.
6447 type: object
6448 properties:
6449 affinity:
6450 description: If specified, the pod's scheduling constraints
6451 type: object
6452 properties:
6453 nodeAffinity:
6454 description: Describes node affinity scheduling rules for the pod.
6455 type: object
6456 properties:
6457 preferredDuringSchedulingIgnoredDuringExecution:
6458 description: |-
6459 The scheduler will prefer to schedule pods to nodes that satisfy
6460 the affinity expressions specified by this field, but it may choose
6461 a node that violates one or more of the expressions. The node that is
6462 most preferred is the one with the greatest sum of weights, i.e.
6463 for each node that meets all of the scheduling requirements (resource
6464 request, requiredDuringScheduling affinity expressions, etc.),
6465 compute a sum by iterating through the elements of this field and adding
6466 "weight" to the sum if the node matches the corresponding matchExpressions; the
6467 node(s) with the highest sum are the most preferred.
6468 type: array
6469 items:
6470 description: |-
6471 An empty preferred scheduling term matches all objects with implicit weight 0
6472 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
6473 type: object
6474 required:
6475 - preference
6476 - weight
6477 properties:
6478 preference:
6479 description: A node selector term, associated with the corresponding weight.
6480 type: object
6481 properties:
6482 matchExpressions:
6483 description: A list of node selector requirements by node's labels.
6484 type: array
6485 items:
6486 description: |-
6487 A node selector requirement is a selector that contains values, a key, and an operator
6488 that relates the key and values.
6489 type: object
6490 required:
6491 - key
6492 - operator
6493 properties:
6494 key:
6495 description: The label key that the selector applies to.
6496 type: string
6497 operator:
6498 description: |-
6499 Represents a key's relationship to a set of values.
6500 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6501 type: string
6502 values:
6503 description: |-
6504 An array of string values. If the operator is In or NotIn,
6505 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6506 the values array must be empty. If the operator is Gt or Lt, the values
6507 array must have a single element, which will be interpreted as an integer.
6508 This array is replaced during a strategic merge patch.
6509 type: array
6510 items:
6511 type: string
6512 x-kubernetes-list-type: atomic
6513 x-kubernetes-list-type: atomic
6514 matchFields:
6515 description: A list of node selector requirements by node's fields.
6516 type: array
6517 items:
6518 description: |-
6519 A node selector requirement is a selector that contains values, a key, and an operator
6520 that relates the key and values.
6521 type: object
6522 required:
6523 - key
6524 - operator
6525 properties:
6526 key:
6527 description: The label key that the selector applies to.
6528 type: string
6529 operator:
6530 description: |-
6531 Represents a key's relationship to a set of values.
6532 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6533 type: string
6534 values:
6535 description: |-
6536 An array of string values. If the operator is In or NotIn,
6537 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6538 the values array must be empty. If the operator is Gt or Lt, the values
6539 array must have a single element, which will be interpreted as an integer.
6540 This array is replaced during a strategic merge patch.
6541 type: array
6542 items:
6543 type: string
6544 x-kubernetes-list-type: atomic
6545 x-kubernetes-list-type: atomic
6546 x-kubernetes-map-type: atomic
6547 weight:
6548 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
6549 type: integer
6550 format: int32
6551 x-kubernetes-list-type: atomic
6552 requiredDuringSchedulingIgnoredDuringExecution:
6553 description: |-
6554 If the affinity requirements specified by this field are not met at
6555 scheduling time, the pod will not be scheduled onto the node.
6556 If the affinity requirements specified by this field cease to be met
6557 at some point during pod execution (e.g. due to an update), the system
6558 may or may not try to eventually evict the pod from its node.
6559 type: object
6560 required:
6561 - nodeSelectorTerms
6562 properties:
6563 nodeSelectorTerms:
6564 description: Required. A list of node selector terms. The terms are ORed.
6565 type: array
6566 items:
6567 description: |-
6568 A null or empty node selector term matches no objects. The requirements of
6569 them are ANDed.
6570 The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
6571 type: object
6572 properties:
6573 matchExpressions:
6574 description: A list of node selector requirements by node's labels.
6575 type: array
6576 items:
6577 description: |-
6578 A node selector requirement is a selector that contains values, a key, and an operator
6579 that relates the key and values.
6580 type: object
6581 required:
6582 - key
6583 - operator
6584 properties:
6585 key:
6586 description: The label key that the selector applies to.
6587 type: string
6588 operator:
6589 description: |-
6590 Represents a key's relationship to a set of values.
6591 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6592 type: string
6593 values:
6594 description: |-
6595 An array of string values. If the operator is In or NotIn,
6596 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6597 the values array must be empty. If the operator is Gt or Lt, the values
6598 array must have a single element, which will be interpreted as an integer.
6599 This array is replaced during a strategic merge patch.
6600 type: array
6601 items:
6602 type: string
6603 x-kubernetes-list-type: atomic
6604 x-kubernetes-list-type: atomic
6605 matchFields:
6606 description: A list of node selector requirements by node's fields.
6607 type: array
6608 items:
6609 description: |-
6610 A node selector requirement is a selector that contains values, a key, and an operator
6611 that relates the key and values.
6612 type: object
6613 required:
6614 - key
6615 - operator
6616 properties:
6617 key:
6618 description: The label key that the selector applies to.
6619 type: string
6620 operator:
6621 description: |-
6622 Represents a key's relationship to a set of values.
6623 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
6624 type: string
6625 values:
6626 description: |-
6627 An array of string values. If the operator is In or NotIn,
6628 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6629 the values array must be empty. If the operator is Gt or Lt, the values
6630 array must have a single element, which will be interpreted as an integer.
6631 This array is replaced during a strategic merge patch.
6632 type: array
6633 items:
6634 type: string
6635 x-kubernetes-list-type: atomic
6636 x-kubernetes-list-type: atomic
6637 x-kubernetes-map-type: atomic
6638 x-kubernetes-list-type: atomic
6639 x-kubernetes-map-type: atomic
6640 podAffinity:
6641 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
6642 type: object
6643 properties:
6644 preferredDuringSchedulingIgnoredDuringExecution:
6645 description: |-
6646 The scheduler will prefer to schedule pods to nodes that satisfy
6647 the affinity expressions specified by this field, but it may choose
6648 a node that violates one or more of the expressions. The node that is
6649 most preferred is the one with the greatest sum of weights, i.e.
6650 for each node that meets all of the scheduling requirements (resource
6651 request, requiredDuringScheduling affinity expressions, etc.),
6652 compute a sum by iterating through the elements of this field and adding
6653 "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
6654 node(s) with the highest sum are the most preferred.
6655 type: array
6656 items:
6657 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
6658 type: object
6659 required:
6660 - podAffinityTerm
6661 - weight
6662 properties:
6663 podAffinityTerm:
6664 description: Required. A pod affinity term, associated with the corresponding weight.
6665 type: object
6666 required:
6667 - topologyKey
6668 properties:
6669 labelSelector:
6670 description: |-
6671 A label query over a set of resources, in this case pods.
6672 If it's null, this PodAffinityTerm matches with no Pods.
6673 type: object
6674 properties:
6675 matchExpressions:
6676 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6677 type: array
6678 items:
6679 description: |-
6680 A label selector requirement is a selector that contains values, a key, and an operator that
6681 relates the key and values.
6682 type: object
6683 required:
6684 - key
6685 - operator
6686 properties:
6687 key:
6688 description: key is the label key that the selector applies to.
6689 type: string
6690 operator:
6691 description: |-
6692 operator represents a key's relationship to a set of values.
6693 Valid operators are In, NotIn, Exists and DoesNotExist.
6694 type: string
6695 values:
6696 description: |-
6697 values is an array of string values. If the operator is In or NotIn,
6698 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6699 the values array must be empty. This array is replaced during a strategic
6700 merge patch.
6701 type: array
6702 items:
6703 type: string
6704 x-kubernetes-list-type: atomic
6705 x-kubernetes-list-type: atomic
6706 matchLabels:
6707 description: |-
6708 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6709 map is equivalent to an element of matchExpressions, whose key field is "key", the
6710 operator is "In", and the values array contains only "value". The requirements are ANDed.
6711 type: object
6712 additionalProperties:
6713 type: string
6714 x-kubernetes-map-type: atomic
6715 matchLabelKeys:
6716 description: |-
6717 MatchLabelKeys is a set of pod label keys to select which pods will
6718 be taken into consideration. The keys are used to look up values from the
6719 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
6720 to select the group of existing pods which pods will be taken into consideration
6721 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6722 pod labels will be ignored. The default value is empty.
6723 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
6724 Also, matchLabelKeys cannot be set when labelSelector isn't set.
6725 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6726 type: array
6727 items:
6728 type: string
6729 x-kubernetes-list-type: atomic
6730 mismatchLabelKeys:
6731 description: |-
6732 MismatchLabelKeys is a set of pod label keys to select which pods will
6733 be taken into consideration. The keys are used to look up values from the
6734 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
6735 to select the group of existing pods which pods will be taken into consideration
6736 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6737 pod labels will be ignored. The default value is empty.
6738 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
6739 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
6740 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6741 type: array
6742 items:
6743 type: string
6744 x-kubernetes-list-type: atomic
6745 namespaceSelector:
6746 description: |-
6747 A label query over the set of namespaces that the term applies to.
6748 The term is applied to the union of the namespaces selected by this field
6749 and the ones listed in the namespaces field.
6750 null selector and null or empty namespaces list means "this pod's namespace".
6751 An empty selector ({}) matches all namespaces.
6752 type: object
6753 properties:
6754 matchExpressions:
6755 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6756 type: array
6757 items:
6758 description: |-
6759 A label selector requirement is a selector that contains values, a key, and an operator that
6760 relates the key and values.
6761 type: object
6762 required:
6763 - key
6764 - operator
6765 properties:
6766 key:
6767 description: key is the label key that the selector applies to.
6768 type: string
6769 operator:
6770 description: |-
6771 operator represents a key's relationship to a set of values.
6772 Valid operators are In, NotIn, Exists and DoesNotExist.
6773 type: string
6774 values:
6775 description: |-
6776 values is an array of string values. If the operator is In or NotIn,
6777 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6778 the values array must be empty. This array is replaced during a strategic
6779 merge patch.
6780 type: array
6781 items:
6782 type: string
6783 x-kubernetes-list-type: atomic
6784 x-kubernetes-list-type: atomic
6785 matchLabels:
6786 description: |-
6787 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6788 map is equivalent to an element of matchExpressions, whose key field is "key", the
6789 operator is "In", and the values array contains only "value". The requirements are ANDed.
6790 type: object
6791 additionalProperties:
6792 type: string
6793 x-kubernetes-map-type: atomic
6794 namespaces:
6795 description: |-
6796 namespaces specifies a static list of namespace names that the term applies to.
6797 The term is applied to the union of the namespaces listed in this field
6798 and the ones selected by namespaceSelector.
6799 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
6800 type: array
6801 items:
6802 type: string
6803 x-kubernetes-list-type: atomic
6804 topologyKey:
6805 description: |-
6806 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
6807 the labelSelector in the specified namespaces, where co-located is defined as running on a node
6808 whose value of the label with key topologyKey matches that of any node on which any of the
6809 selected pods is running.
6810 Empty topologyKey is not allowed.
6811 type: string
6812 weight:
6813 description: |-
6814 weight associated with matching the corresponding podAffinityTerm,
6815 in the range 1-100.
6816 type: integer
6817 format: int32
6818 x-kubernetes-list-type: atomic
6819 requiredDuringSchedulingIgnoredDuringExecution:
6820 description: |-
6821 If the affinity requirements specified by this field are not met at
6822 scheduling time, the pod will not be scheduled onto the node.
6823 If the affinity requirements specified by this field cease to be met
6824 at some point during pod execution (e.g. due to a pod label update), the
6825 system may or may not try to eventually evict the pod from its node.
6826 When there are multiple elements, the lists of nodes corresponding to each
6827 podAffinityTerm are intersected, i.e. all terms must be satisfied.
6828 type: array
6829 items:
6830 description: |-
6831 Defines a set of pods (namely those matching the labelSelector
6832 relative to the given namespace(s)) that this pod should be
6833 co-located (affinity) or not co-located (anti-affinity) with,
6834 where co-located is defined as running on a node whose value of
6835 the label with key <topologyKey> matches that of any node on which
6836 a pod of the set of pods is running.
6837 type: object
6838 required:
6839 - topologyKey
6840 properties:
6841 labelSelector:
6842 description: |-
6843 A label query over a set of resources, in this case pods.
6844 If it's null, this PodAffinityTerm matches with no Pods.
6845 type: object
6846 properties:
6847 matchExpressions:
6848 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6849 type: array
6850 items:
6851 description: |-
6852 A label selector requirement is a selector that contains values, a key, and an operator that
6853 relates the key and values.
6854 type: object
6855 required:
6856 - key
6857 - operator
6858 properties:
6859 key:
6860 description: key is the label key that the selector applies to.
6861 type: string
6862 operator:
6863 description: |-
6864 operator represents a key's relationship to a set of values.
6865 Valid operators are In, NotIn, Exists and DoesNotExist.
6866 type: string
6867 values:
6868 description: |-
6869 values is an array of string values. If the operator is In or NotIn,
6870 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6871 the values array must be empty. This array is replaced during a strategic
6872 merge patch.
6873 type: array
6874 items:
6875 type: string
6876 x-kubernetes-list-type: atomic
6877 x-kubernetes-list-type: atomic
6878 matchLabels:
6879 description: |-
6880 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6881 map is equivalent to an element of matchExpressions, whose key field is "key", the
6882 operator is "In", and the values array contains only "value". The requirements are ANDed.
6883 type: object
6884 additionalProperties:
6885 type: string
6886 x-kubernetes-map-type: atomic
6887 matchLabelKeys:
6888 description: |-
6889 MatchLabelKeys is a set of pod label keys to select which pods will
6890 be taken into consideration. The keys are used to look up values from the
6891 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
6892 to select the group of existing pods which pods will be taken into consideration
6893 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6894 pod labels will be ignored. The default value is empty.
6895 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
6896 Also, matchLabelKeys cannot be set when labelSelector isn't set.
6897 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6898 type: array
6899 items:
6900 type: string
6901 x-kubernetes-list-type: atomic
6902 mismatchLabelKeys:
6903 description: |-
6904 MismatchLabelKeys is a set of pod label keys to select which pods will
6905 be taken into consideration. The keys are used to look up values from the
6906 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
6907 to select the group of existing pods which pods will be taken into consideration
6908 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
6909 pod labels will be ignored. The default value is empty.
6910 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
6911 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
6912 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
6913 type: array
6914 items:
6915 type: string
6916 x-kubernetes-list-type: atomic
6917 namespaceSelector:
6918 description: |-
6919 A label query over the set of namespaces that the term applies to.
6920 The term is applied to the union of the namespaces selected by this field
6921 and the ones listed in the namespaces field.
6922 null selector and null or empty namespaces list means "this pod's namespace".
6923 An empty selector ({}) matches all namespaces.
6924 type: object
6925 properties:
6926 matchExpressions:
6927 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
6928 type: array
6929 items:
6930 description: |-
6931 A label selector requirement is a selector that contains values, a key, and an operator that
6932 relates the key and values.
6933 type: object
6934 required:
6935 - key
6936 - operator
6937 properties:
6938 key:
6939 description: key is the label key that the selector applies to.
6940 type: string
6941 operator:
6942 description: |-
6943 operator represents a key's relationship to a set of values.
6944 Valid operators are In, NotIn, Exists and DoesNotExist.
6945 type: string
6946 values:
6947 description: |-
6948 values is an array of string values. If the operator is In or NotIn,
6949 the values array must be non-empty. If the operator is Exists or DoesNotExist,
6950 the values array must be empty. This array is replaced during a strategic
6951 merge patch.
6952 type: array
6953 items:
6954 type: string
6955 x-kubernetes-list-type: atomic
6956 x-kubernetes-list-type: atomic
6957 matchLabels:
6958 description: |-
6959 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
6960 map is equivalent to an element of matchExpressions, whose key field is "key", the
6961 operator is "In", and the values array contains only "value". The requirements are ANDed.
6962 type: object
6963 additionalProperties:
6964 type: string
6965 x-kubernetes-map-type: atomic
6966 namespaces:
6967 description: |-
6968 namespaces specifies a static list of namespace names that the term applies to.
6969 The term is applied to the union of the namespaces listed in this field
6970 and the ones selected by namespaceSelector.
6971 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
6972 type: array
6973 items:
6974 type: string
6975 x-kubernetes-list-type: atomic
6976 topologyKey:
6977 description: |-
6978 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
6979 the labelSelector in the specified namespaces, where co-located is defined as running on a node
6980 whose value of the label with key topologyKey matches that of any node on which any of the
6981 selected pods is running.
6982 Empty topologyKey is not allowed.
6983 type: string
6984 x-kubernetes-list-type: atomic
6985 podAntiAffinity:
6986 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
6987 type: object
6988 properties:
6989 preferredDuringSchedulingIgnoredDuringExecution:
6990 description: |-
6991 The scheduler will prefer to schedule pods to nodes that satisfy
6992 the anti-affinity expressions specified by this field, but it may choose
6993 a node that violates one or more of the expressions. The node that is
6994 most preferred is the one with the greatest sum of weights, i.e.
6995 for each node that meets all of the scheduling requirements (resource
6996 request, requiredDuringScheduling anti-affinity expressions, etc.),
6997 compute a sum by iterating through the elements of this field and adding
6998 "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
6999 node(s) with the highest sum are the most preferred.
7000 type: array
7001 items:
7002 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
7003 type: object
7004 required:
7005 - podAffinityTerm
7006 - weight
7007 properties:
7008 podAffinityTerm:
7009 description: Required. A pod affinity term, associated with the corresponding weight.
7010 type: object
7011 required:
7012 - topologyKey
7013 properties:
7014 labelSelector:
7015 description: |-
7016 A label query over a set of resources, in this case pods.
7017 If it's null, this PodAffinityTerm matches with no Pods.
7018 type: object
7019 properties:
7020 matchExpressions:
7021 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7022 type: array
7023 items:
7024 description: |-
7025 A label selector requirement is a selector that contains values, a key, and an operator that
7026 relates the key and values.
7027 type: object
7028 required:
7029 - key
7030 - operator
7031 properties:
7032 key:
7033 description: key is the label key that the selector applies to.
7034 type: string
7035 operator:
7036 description: |-
7037 operator represents a key's relationship to a set of values.
7038 Valid operators are In, NotIn, Exists and DoesNotExist.
7039 type: string
7040 values:
7041 description: |-
7042 values is an array of string values. If the operator is In or NotIn,
7043 the values array must be non-empty. If the operator is Exists or DoesNotExist,
7044 the values array must be empty. This array is replaced during a strategic
7045 merge patch.
7046 type: array
7047 items:
7048 type: string
7049 x-kubernetes-list-type: atomic
7050 x-kubernetes-list-type: atomic
7051 matchLabels:
7052 description: |-
7053 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
7054 map is equivalent to an element of matchExpressions, whose key field is "key", the
7055 operator is "In", and the values array contains only "value". The requirements are ANDed.
7056 type: object
7057 additionalProperties:
7058 type: string
7059 x-kubernetes-map-type: atomic
7060 matchLabelKeys:
7061 description: |-
7062 MatchLabelKeys is a set of pod label keys to select which pods will
7063 be taken into consideration. The keys are used to look up values from the
7064 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
7065 to select the group of existing pods which pods will be taken into consideration
7066 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
7067 pod labels will be ignored. The default value is empty.
7068 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
7069 Also, matchLabelKeys cannot be set when labelSelector isn't set.
7070 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
7071 type: array
7072 items:
7073 type: string
7074 x-kubernetes-list-type: atomic
7075 mismatchLabelKeys:
7076 description: |-
7077 MismatchLabelKeys is a set of pod label keys to select which pods will
7078 be taken into consideration. The keys are used to look up values from the
7079 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
7080 to select the group of existing pods which pods will be taken into consideration
7081 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
7082 pod labels will be ignored. The default value is empty.
7083 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
7084 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
7085 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
7086 type: array
7087 items:
7088 type: string
7089 x-kubernetes-list-type: atomic
7090 namespaceSelector:
7091 description: |-
7092 A label query over the set of namespaces that the term applies to.
7093 The term is applied to the union of the namespaces selected by this field
7094 and the ones listed in the namespaces field.
7095 null selector and null or empty namespaces list means "this pod's namespace".
7096 An empty selector ({}) matches all namespaces.
7097 type: object
7098 properties:
7099 matchExpressions:
7100 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7101 type: array
7102 items:
7103 description: |-
7104 A label selector requirement is a selector that contains values, a key, and an operator that
7105 relates the key and values.
7106 type: object
7107 required:
7108 - key
7109 - operator
7110 properties:
7111 key:
7112 description: key is the label key that the selector applies to.
7113 type: string
7114 operator:
7115 description: |-
7116 operator represents a key's relationship to a set of values.
7117 Valid operators are In, NotIn, Exists and DoesNotExist.
7118 type: string
7119 values:
7120 description: |-
7121 values is an array of string values. If the operator is In or NotIn,
7122 the values array must be non-empty. If the operator is Exists or DoesNotExist,
7123 the values array must be empty. This array is replaced during a strategic
7124 merge patch.
7125 type: array
7126 items:
7127 type: string
7128 x-kubernetes-list-type: atomic
7129 x-kubernetes-list-type: atomic
7130 matchLabels:
7131 description: |-
7132 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
7133 map is equivalent to an element of matchExpressions, whose key field is "key", the
7134 operator is "In", and the values array contains only "value". The requirements are ANDed.
7135 type: object
7136 additionalProperties:
7137 type: string
7138 x-kubernetes-map-type: atomic
7139 namespaces:
7140 description: |-
7141 namespaces specifies a static list of namespace names that the term applies to.
7142 The term is applied to the union of the namespaces listed in this field
7143 and the ones selected by namespaceSelector.
7144 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
7145 type: array
7146 items:
7147 type: string
7148 x-kubernetes-list-type: atomic
7149 topologyKey:
7150 description: |-
7151 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
7152 the labelSelector in the specified namespaces, where co-located is defined as running on a node
7153 whose value of the label with key topologyKey matches that of any node on which any of the
7154 selected pods is running.
7155 Empty topologyKey is not allowed.
7156 type: string
7157 weight:
7158 description: |-
7159 weight associated with matching the corresponding podAffinityTerm,
7160 in the range 1-100.
7161 type: integer
7162 format: int32
7163 x-kubernetes-list-type: atomic
7164 requiredDuringSchedulingIgnoredDuringExecution:
7165 description: |-
7166 If the anti-affinity requirements specified by this field are not met at
7167 scheduling time, the pod will not be scheduled onto the node.
7168 If the anti-affinity requirements specified by this field cease to be met
7169 at some point during pod execution (e.g. due to a pod label update), the
7170 system may or may not try to eventually evict the pod from its node.
7171 When there are multiple elements, the lists of nodes corresponding to each
7172 podAffinityTerm are intersected, i.e. all terms must be satisfied.
7173 type: array
7174 items:
7175 description: |-
7176 Defines a set of pods (namely those matching the labelSelector
7177 relative to the given namespace(s)) that this pod should be
7178 co-located (affinity) or not co-located (anti-affinity) with,
7179 where co-located is defined as running on a node whose value of
7180 the label with key <topologyKey> matches that of any node on which
7181 a pod of the set of pods is running.
7182 type: object
7183 required:
7184 - topologyKey
7185 properties:
7186 labelSelector:
7187 description: |-
7188 A label query over a set of resources, in this case pods.
7189 If it's null, this PodAffinityTerm matches with no Pods.
7190 type: object
7191 properties:
7192 matchExpressions:
7193 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7194 type: array
7195 items:
7196 description: |-
7197 A label selector requirement is a selector that contains values, a key, and an operator that
7198 relates the key and values.
7199 type: object
7200 required:
7201 - key
7202 - operator
7203 properties:
7204 key:
7205 description: key is the label key that the selector applies to.
7206 type: string
7207 operator:
7208 description: |-
7209 operator represents a key's relationship to a set of values.
7210 Valid operators are In, NotIn, Exists and DoesNotExist.
7211 type: string
7212 values:
7213 description: |-
7214 values is an array of string values. If the operator is In or NotIn,
7215 the values array must be non-empty. If the operator is Exists or DoesNotExist,
7216 the values array must be empty. This array is replaced during a strategic
7217 merge patch.
7218 type: array
7219 items:
7220 type: string
7221 x-kubernetes-list-type: atomic
7222 x-kubernetes-list-type: atomic
7223 matchLabels:
7224 description: |-
7225 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
7226 map is equivalent to an element of matchExpressions, whose key field is "key", the
7227 operator is "In", and the values array contains only "value". The requirements are ANDed.
7228 type: object
7229 additionalProperties:
7230 type: string
7231 x-kubernetes-map-type: atomic
7232 matchLabelKeys:
7233 description: |-
7234 MatchLabelKeys is a set of pod label keys to select which pods will
7235 be taken into consideration. The keys are used to lookup values from the
7236 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
7237 to select the group of existing pods which pods will be taken into consideration
7238 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
7239 pod labels will be ignored. The default value is empty.
7240 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
7241 Also, matchLabelKeys cannot be set when labelSelector isn't set.
7242 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
7243 type: array
7244 items:
7245 type: string
7246 x-kubernetes-list-type: atomic
7247 mismatchLabelKeys:
7248 description: |-
7249 MismatchLabelKeys is a set of pod label keys to select which pods will
7250 be taken into consideration. The keys are used to lookup values from the
7251 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
7252 to select the group of existing pods which pods will be taken into consideration
7253 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
7254 pod labels will be ignored. The default value is empty.
7255 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
7256 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
7257 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
7258 type: array
7259 items:
7260 type: string
7261 x-kubernetes-list-type: atomic
7262 namespaceSelector:
7263 description: |-
7264 A label query over the set of namespaces that the term applies to.
7265 The term is applied to the union of the namespaces selected by this field
7266 and the ones listed in the namespaces field.
7267 null selector and null or empty namespaces list means "this pod's namespace".
7268 An empty selector ({}) matches all namespaces.
7269 type: object
7270 properties:
7271 matchExpressions:
7272 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
7273 type: array
7274 items:
7275 description: |-
7276 A label selector requirement is a selector that contains values, a key, and an operator that
7277 relates the key and values.
7278 type: object
7279 required:
7280 - key
7281 - operator
7282 properties:
7283 key:
7284 description: key is the label key that the selector applies to.
7285 type: string
7286 operator:
7287 description: |-
7288 operator represents a key's relationship to a set of values.
7289 Valid operators are In, NotIn, Exists and DoesNotExist.
7290 type: string
7291 values:
7292 description: |-
7293 values is an array of string values. If the operator is In or NotIn,
7294 the values array must be non-empty. If the operator is Exists or DoesNotExist,
7295 the values array must be empty. This array is replaced during a strategic
7296 merge patch.
7297 type: array
7298 items:
7299 type: string
7300 x-kubernetes-list-type: atomic
7301 x-kubernetes-list-type: atomic
7302 matchLabels:
7303 description: |-
7304 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
7305 map is equivalent to an element of matchExpressions, whose key field is "key", the
7306 operator is "In", and the values array contains only "value". The requirements are ANDed.
7307 type: object
7308 additionalProperties:
7309 type: string
7310 x-kubernetes-map-type: atomic
7311 namespaces:
7312 description: |-
7313 namespaces specifies a static list of namespace names that the term applies to.
7314 The term is applied to the union of the namespaces listed in this field
7315 and the ones selected by namespaceSelector.
7316 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
7317 type: array
7318 items:
7319 type: string
7320 x-kubernetes-list-type: atomic
7321 topologyKey:
7322 description: |-
7323 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
7324 the labelSelector in the specified namespaces, where co-located is defined as running on a node
7325 whose value of the label with key topologyKey matches that of any node on which any of the
7326 selected pods is running.
7327 Empty topologyKey is not allowed.
7328 type: string
7329 x-kubernetes-list-type: atomic
7330 imagePullSecrets:
7331 description: If specified, the pod's imagePullSecrets
7332 type: array
7333 items:
7334 description: |-
7335 LocalObjectReference contains enough information to let you locate the
7336 referenced object inside the same namespace.
7337 type: object
7338 properties:
7339 name:
7340 description: |-
7341 Name of the referent.
7342 This field is effectively required, but due to backwards compatibility is
7343 allowed to be empty. Instances of this type with an empty value here are
7344 almost certainly wrong.
7345 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7346 type: string
7347 default: ""
7348 x-kubernetes-map-type: atomic
7349 nodeSelector:
7350 description: |-
7351 NodeSelector is a selector which must be true for the pod to fit on a node.
7352 Selector which must match a node's labels for the pod to be scheduled on that node.
7353 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
7354 type: object
7355 additionalProperties:
7356 type: string
7357 priorityClassName:
7358 description: If specified, the pod's priorityClassName.
7359 type: string
7360 securityContext:
7361 description: If specified, the pod's security context
7362 type: object
7363 properties:
7364 fsGroup:
7365 description: |-
7366 A special supplemental group that applies to all containers in a pod.
7367 Some volume types allow the Kubelet to change the ownership of that volume
7368 to be owned by the pod:
7369
7370 1. The owning GID will be the FSGroup
7371 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
7372 3. The permission bits are OR'd with rw-rw----
7373
7374 If unset, the Kubelet will not modify the ownership and permissions of any volume.
7375 Note that this field cannot be set when spec.os.name is windows.
7376 type: integer
7377 format: int64
7378 fsGroupChangePolicy:
7379 description: |-
7380 fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
7381 before being exposed inside Pod. This field will only apply to
7382 volume types which support fsGroup based ownership(and permissions).
7383 It will have no effect on ephemeral volume types such as: secret, configmaps
7384 and emptydir.
7385 Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
7386 Note that this field cannot be set when spec.os.name is windows.
7387 type: string
7388 runAsGroup:
7389 description: |-
7390 The GID to run the entrypoint of the container process.
7391 Uses runtime default if unset.
7392 May also be set in SecurityContext. If set in both SecurityContext and
7393 PodSecurityContext, the value specified in SecurityContext takes precedence
7394 for that container.
7395 Note that this field cannot be set when spec.os.name is windows.
7396 type: integer
7397 format: int64
7398 runAsNonRoot:
7399 description: |-
7400 Indicates that the container must run as a non-root user.
7401 If true, the Kubelet will validate the image at runtime to ensure that it
7402 does not run as UID 0 (root) and fail to start the container if it does.
7403 If unset or false, no such validation will be performed.
7404 May also be set in SecurityContext. If set in both SecurityContext and
7405 PodSecurityContext, the value specified in SecurityContext takes precedence.
7406 type: boolean
7407 runAsUser:
7408 description: |-
7409 The UID to run the entrypoint of the container process.
7410 Defaults to user specified in image metadata if unspecified.
7411 May also be set in SecurityContext. If set in both SecurityContext and
7412 PodSecurityContext, the value specified in SecurityContext takes precedence
7413 for that container.
7414 Note that this field cannot be set when spec.os.name is windows.
7415 type: integer
7416 format: int64
7417 seLinuxOptions:
7418 description: |-
7419 The SELinux context to be applied to all containers.
7420 If unspecified, the container runtime will allocate a random SELinux context for each
7421 container. May also be set in SecurityContext. If set in
7422 both SecurityContext and PodSecurityContext, the value specified in SecurityContext
7423 takes precedence for that container.
7424 Note that this field cannot be set when spec.os.name is windows.
7425 type: object
7426 properties:
7427 level:
7428 description: Level is SELinux level label that applies to the container.
7429 type: string
7430 role:
7431 description: Role is a SELinux role label that applies to the container.
7432 type: string
7433 type:
7434 description: Type is a SELinux type label that applies to the container.
7435 type: string
7436 user:
7437 description: User is a SELinux user label that applies to the container.
7438 type: string
7439 seccompProfile:
7440 description: |-
7441 The seccomp options to use by the containers in this pod.
7442 Note that this field cannot be set when spec.os.name is windows.
7443 type: object
7444 required:
7445 - type
7446 properties:
7447 localhostProfile:
7448 description: |-
7449 localhostProfile indicates a profile defined in a file on the node should be used.
7450 The profile must be preconfigured on the node to work.
7451 Must be a descending path, relative to the kubelet's configured seccomp profile location.
7452 Must be set if type is "Localhost". Must NOT be set for any other type.
7453 type: string
7454 type:
7455 description: |-
7456 type indicates which kind of seccomp profile will be applied.
7457 Valid options are:
7458
7459 Localhost - a profile defined in a file on the node should be used.
7460 RuntimeDefault - the container runtime default profile should be used.
7461 Unconfined - no profile should be applied.
7462 type: string
7463 supplementalGroups:
7464 description: |-
7465 A list of groups applied to the first process run in each container, in addition
7466 to the container's primary GID, the fsGroup (if specified), and group memberships
7467 defined in the container image for the uid of the container process. If unspecified,
7468 no additional groups are added to any container. Note that group memberships
7469 defined in the container image for the uid of the container process are still effective,
7470 even if they are not included in this list.
7471 Note that this field cannot be set when spec.os.name is windows.
7472 type: array
7473 items:
7474 type: integer
7475 format: int64
7476 sysctls:
7477 description: |-
7478 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
7479 sysctls (by the container runtime) might fail to launch.
7480 Note that this field cannot be set when spec.os.name is windows.
7481 type: array
7482 items:
7483 description: Sysctl defines a kernel parameter to be set
7484 type: object
7485 required:
7486 - name
7487 - value
7488 properties:
7489 name:
7490 description: Name of a property to set
7491 type: string
7492 value:
7493 description: Value of a property to set
7494 type: string
7495 serviceAccountName:
7496 description: If specified, the pod's service account
7497 type: string
7498 tolerations:
7499 description: If specified, the pod's tolerations.
7500 type: array
7501 items:
7502 description: |-
7503 The pod this Toleration is attached to tolerates any taint that matches
7504 the triple <key,value,effect> using the matching operator <operator>.
7505 type: object
7506 properties:
7507 effect:
7508 description: |-
7509 Effect indicates the taint effect to match. Empty means match all taint effects.
7510 When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
7511 type: string
7512 key:
7513 description: |-
7514 Key is the taint key that the toleration applies to. Empty means match all taint keys.
7515 If the key is empty, operator must be Exists; this combination means to match all values and all keys.
7516 type: string
7517 operator:
7518 description: |-
7519 Operator represents a key's relationship to the value.
7520 Valid operators are Exists and Equal. Defaults to Equal.
7521 Exists is equivalent to wildcard for value, so that a pod can
7522 tolerate all taints of a particular category.
7523 type: string
7524 tolerationSeconds:
7525 description: |-
7526 TolerationSeconds represents the period of time the toleration (which must be
7527 of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
7528 it is not set, which means tolerate the taint forever (do not evict). Zero and
7529 negative values will be treated as 0 (evict immediately) by the system.
7530 type: integer
7531 format: int64
7532 value:
7533 description: |-
7534 Value is the taint value the toleration matches to.
7535 If the operator is Exists, the value should be empty, otherwise just a regular string.
7536 type: string
7537 serviceType:
7538 description: |-
7539 Optional service type for Kubernetes solver service. Supported values
7540 are NodePort or ClusterIP. If unset, defaults to NodePort.
7541 type: string
7542 selector:
7543 description: |-
7544 Selector selects a set of DNSNames on the Certificate resource that
7545 should be solved using this challenge solver.
7546 If not specified, the solver will be treated as the 'default' solver
7547 with the lowest priority, i.e. if any other solver has a more specific
7548 match, it will be used instead.
7549 type: object
7550 properties:
7551 dnsNames:
7552 description: |-
7553 List of DNSNames that this solver will be used to solve.
7554 If specified and a match is found, a dnsNames selector will take
7555 precedence over a dnsZones selector.
7556 If multiple solvers match with the same dnsNames value, the solver
7557 with the most matching labels in matchLabels will be selected.
7558 If neither has more matches, the solver defined earlier in the list
7559 will be selected.
7560 type: array
7561 items:
7562 type: string
7563 dnsZones:
7564 description: |-
7565 List of DNSZones that this solver will be used to solve.
7566 The most specific DNS zone match specified here will take precedence
7567 over other DNS zone matches, so a solver specifying sys.example.com
7568 will be selected over one specifying example.com for the domain
7569 www.sys.example.com.
7570 If multiple solvers match with the same dnsZones value, the solver
7571 with the most matching labels in matchLabels will be selected.
7572 If neither has more matches, the solver defined earlier in the list
7573 will be selected.
7574 type: array
7575 items:
7576 type: string
7577 matchLabels:
7578 description: |-
7579 A label selector that is used to refine the set of certificate's that
7580 this challenge solver will apply to.
7581 type: object
7582 additionalProperties:
7583 type: string
7584 ca:
7585 description: |-
7586 CA configures this issuer to sign certificates using a signing CA keypair
7587 stored in a Secret resource.
7588 This is used to build internal PKIs that are managed by cert-manager.
7589 type: object
7590 required:
7591 - secretName
7592 properties:
7593 crlDistributionPoints:
7594 description: |-
7595 The CRL distribution points is an X.509 v3 certificate extension which identifies
7596 the location of the CRL from which the revocation of this certificate can be checked.
7597 If not set, certificates will be issued without distribution points set.
7598 type: array
7599 items:
7600 type: string
7601 issuingCertificateURLs:
7602 description: |-
7603 IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
7604 it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
7605 As an example, such a URL might be "http://ca.domain.com/ca.crt".
7606 type: array
7607 items:
7608 type: string
7609 ocspServers:
7610 description: |-
7611 The OCSP server list is an X.509 v3 extension that defines a list of
7612 URLs of OCSP responders. The OCSP responders can be queried for the
7613 revocation status of an issued certificate. If not set, the
7614 certificate will be issued with no OCSP servers set. For example, an
7615 OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
7616 type: array
7617 items:
7618 type: string
7619 secretName:
7620 description: |-
7621 SecretName is the name of the secret used to sign Certificates issued
7622 by this Issuer.
7623 type: string
7624 selfSigned:
7625 description: |-
7626 SelfSigned configures this issuer to 'self sign' certificates using the
7627 private key used to create the CertificateRequest object.
7628 type: object
7629 properties:
7630 crlDistributionPoints:
7631 description: |-
7632 The CRL distribution points is an X.509 v3 certificate extension which identifies
7633 the location of the CRL from which the revocation of this certificate can be checked.
7634 If not set certificate will be issued without CDP. Values are strings.
7635 type: array
7636 items:
7637 type: string
7638 vault:
7639 description: |-
7640 Vault configures this issuer to sign certificates using a HashiCorp Vault
7641 PKI backend.
7642 type: object
7643 required:
7644 - auth
7645 - path
7646 - server
7647 properties:
7648 auth:
7649 description: Auth configures how cert-manager authenticates with the Vault server.
7650 type: object
7651 properties:
7652 appRole:
7653 description: |-
7654 AppRole authenticates with Vault using the App Role auth mechanism,
7655 with the role and secret stored in a Kubernetes Secret resource.
7656 type: object
7657 required:
7658 - path
7659 - roleId
7660 - secretRef
7661 properties:
7662 path:
7663 description: |-
7664 Path where the App Role authentication backend is mounted in Vault, e.g:
7665 "approle"
7666 type: string
7667 roleId:
7668 description: |-
7669 RoleID configured in the App Role authentication backend when setting
7670 up the authentication backend in Vault.
7671 type: string
7672 secretRef:
7673 description: |-
7674 Reference to a key in a Secret that contains the App Role secret used
7675 to authenticate with Vault.
7676 The `key` field must be specified and denotes which entry within the Secret
7677 resource is used as the app role secret.
7678 type: object
7679 required:
7680 - name
7681 properties:
7682 key:
7683 description: |-
7684 The key of the entry in the Secret resource's `data` field to be used.
7685 Some instances of this field may be defaulted, in others it may be
7686 required.
7687 type: string
7688 name:
7689 description: |-
7690 Name of the resource being referred to.
7691 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7692 type: string
7693 clientCertificate:
7694 description: |-
7695 ClientCertificate authenticates with Vault by presenting a client
7696 certificate during the request's TLS handshake.
7697 Works only when using HTTPS protocol.
7698 type: object
7699 properties:
7700 mountPath:
7701 description: |-
7702 The Vault mountPath here is the mount path to use when authenticating with
7703 Vault. For example, setting a value to `/v1/auth/foo`, will use the path
7704 `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
7705 default value "/v1/auth/cert" will be used.
7706 type: string
7707 name:
7708 description: |-
7709 Name of the certificate role to authenticate against.
7710 If not set, matching any certificate role, if available.
7711 type: string
7712 secretName:
7713 description: |-
7714 Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
7715 tls.crt and tls.key) used to authenticate to Vault using TLS client
7716 authentication.
7717 type: string
7718 kubernetes:
7719 description: |-
7720 Kubernetes authenticates with Vault by passing the ServiceAccount
7721 token stored in the named Secret resource to the Vault server.
7722 type: object
7723 required:
7724 - role
7725 properties:
7726 mountPath:
7727 description: |-
7728 The Vault mountPath here is the mount path to use when authenticating with
7729 Vault. For example, setting a value to `/v1/auth/foo`, will use the path
7730 `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
7731 default value "/v1/auth/kubernetes" will be used.
7732 type: string
7733 role:
7734 description: |-
7735 A required field containing the Vault Role to assume. A Role binds a
7736 Kubernetes ServiceAccount with a set of Vault policies.
7737 type: string
7738 secretRef:
7739 description: |-
7740 The required Secret field containing a Kubernetes ServiceAccount JWT used
7741 for authenticating with Vault. Use of 'ambient credentials' is not
7742 supported.
7743 type: object
7744 required:
7745 - name
7746 properties:
7747 key:
7748 description: |-
7749 The key of the entry in the Secret resource's `data` field to be used.
7750 Some instances of this field may be defaulted, in others it may be
7751 required.
7752 type: string
7753 name:
7754 description: |-
7755 Name of the resource being referred to.
7756 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7757 type: string
7758 serviceAccountRef:
7759 description: |-
7760 A reference to a service account that will be used to request a bound
7761 token (also known as "projected token"). Compared to using "secretRef",
7762 using this field means that you don't rely on statically bound tokens. To
7763 use this field, you must configure an RBAC rule to let cert-manager
7764 request a token.
7765 type: object
7766 required:
7767 - name
7768 properties:
7769 audiences:
7770 description: |-
7771 TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
7772 consisting of the issuer's namespace and name is always included.
7773 type: array
7774 items:
7775 type: string
7776 name:
7777 description: Name of the ServiceAccount used to request a token.
7778 type: string
7779 tokenSecretRef:
7780 description: TokenSecretRef authenticates with Vault by presenting a token.
7781 type: object
7782 required:
7783 - name
7784 properties:
7785 key:
7786 description: |-
7787 The key of the entry in the Secret resource's `data` field to be used.
7788 Some instances of this field may be defaulted, in others it may be
7789 required.
7790 type: string
7791 name:
7792 description: |-
7793 Name of the resource being referred to.
7794 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7795 type: string
7796 caBundle:
7797 description: |-
7798 Base64-encoded bundle of PEM CAs which will be used to validate the certificate
7799 chain presented by Vault. Only used if using HTTPS to connect to Vault and
7800 ignored for HTTP connections.
7801 Mutually exclusive with CABundleSecretRef.
7802 If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
7803 the cert-manager controller container is used to validate the TLS connection.
7804 type: string
7805 format: byte
7806 caBundleSecretRef:
7807 description: |-
7808 Reference to a Secret containing a bundle of PEM-encoded CAs to use when
7809 verifying the certificate chain presented by Vault when using HTTPS.
7810 Mutually exclusive with CABundle.
7811 If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
7812 the cert-manager controller container is used to validate the TLS connection.
7813 If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
7814 type: object
7815 required:
7816 - name
7817 properties:
7818 key:
7819 description: |-
7820 The key of the entry in the Secret resource's `data` field to be used.
7821 Some instances of this field may be defaulted, in others it may be
7822 required.
7823 type: string
7824 name:
7825 description: |-
7826 Name of the resource being referred to.
7827 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7828 type: string
7829 clientCertSecretRef:
7830 description: |-
7831 Reference to a Secret containing a PEM-encoded Client Certificate to use when the
7832 Vault server requires mTLS.
7833 type: object
7834 required:
7835 - name
7836 properties:
7837 key:
7838 description: |-
7839 The key of the entry in the Secret resource's `data` field to be used.
7840 Some instances of this field may be defaulted, in others it may be
7841 required.
7842 type: string
7843 name:
7844 description: |-
7845 Name of the resource being referred to.
7846 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7847 type: string
7848 clientKeySecretRef:
7849 description: |-
7850 Reference to a Secret containing a PEM-encoded Client Private Key to use when the
7851 Vault server requires mTLS.
7852 type: object
7853 required:
7854 - name
7855 properties:
7856 key:
7857 description: |-
7858 The key of the entry in the Secret resource's `data` field to be used.
7859 Some instances of this field may be defaulted, in others it may be
7860 required.
7861 type: string
7862 name:
7863 description: |-
7864 Name of the resource being referred to.
7865 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7866 type: string
7867 namespace:
7868 description: |-
7869 Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
7870 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
7871 type: string
7872 path:
7873 description: |-
7874 Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
7875 "my_pki_mount/sign/my-role-name".
7876 type: string
7877 server:
7878 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
7879 type: string
7880 venafi:
7881 description: |-
7882 Venafi configures this issuer to sign certificates using a Venafi TPP
7883 or Venafi Cloud policy zone.
7884 type: object
7885 required:
7886 - zone
7887 properties:
7888 cloud:
7889 description: |-
7890 Cloud specifies the Venafi cloud configuration settings.
7891 Only one of TPP or Cloud may be specified.
7892 type: object
7893 required:
7894 - apiTokenSecretRef
7895 properties:
7896 apiTokenSecretRef:
7897 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
7898 type: object
7899 required:
7900 - name
7901 properties:
7902 key:
7903 description: |-
7904 The key of the entry in the Secret resource's `data` field to be used.
7905 Some instances of this field may be defaulted, in others it may be
7906 required.
7907 type: string
7908 name:
7909 description: |-
7910 Name of the resource being referred to.
7911 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7912 type: string
7913 url:
7914 description: |-
7915 URL is the base URL for Venafi Cloud.
7916 Defaults to "https://api.venafi.cloud/v1".
7917 type: string
7918 tpp:
7919 description: |-
7920 TPP specifies Trust Protection Platform configuration settings.
7921 Only one of TPP or Cloud may be specified.
7922 type: object
7923 required:
7924 - credentialsRef
7925 - url
7926 properties:
7927 caBundle:
7928 description: |-
7929 Base64-encoded bundle of PEM CAs which will be used to validate the certificate
7930 chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
7931 If undefined, the certificate bundle in the cert-manager controller container
7932 is used to validate the chain.
7933 type: string
7934 format: byte
7935 caBundleSecretRef:
7936 description: |-
7937 Reference to a Secret containing a base64-encoded bundle of PEM CAs
7938 which will be used to validate the certificate chain presented by the TPP server.
7939 Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
7940 If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
7941 the cert-manager controller container is used to validate the TLS connection.
7942 type: object
7943 required:
7944 - name
7945 properties:
7946 key:
7947 description: |-
7948 The key of the entry in the Secret resource's `data` field to be used.
7949 Some instances of this field may be defaulted, in others it may be
7950 required.
7951 type: string
7952 name:
7953 description: |-
7954 Name of the resource being referred to.
7955 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7956 type: string
7957 credentialsRef:
7958 description: |-
7959 CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
7960 The secret must contain the key 'access-token' for the Access Token Authentication,
7961 or two keys, 'username' and 'password' for the API Keys Authentication.
7962 type: object
7963 required:
7964 - name
7965 properties:
7966 name:
7967 description: |-
7968 Name of the resource being referred to.
7969 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
7970 type: string
7971 url:
7972 description: |-
7973 URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
7974 for example: "https://tpp.example.com/vedsdk".
7975 type: string
7976 zone:
7977 description: |-
7978 Zone is the Venafi Policy Zone to use for this issuer.
7979 All requests made to the Venafi platform will be restricted by the named
7980 zone policy.
7981 This field is required.
7982 type: string
7983 status:
7984 description: Status of the ClusterIssuer. This is set and managed automatically.
7985 type: object
7986 properties:
7987 acme:
7988 description: |-
7989 ACME specific status options.
7990 This field should only be set if the Issuer is configured to use an ACME
7991 server to issue certificates.
7992 type: object
7993 properties:
7994 lastPrivateKeyHash:
7995 description: |-
7996 LastPrivateKeyHash is a hash of the private key associated with the latest
7997 registered ACME account, in order to track changes made to registered account
7998 associated with the Issuer
7999 type: string
8000 lastRegisteredEmail:
8001 description: |-
8002 LastRegisteredEmail is the email associated with the latest registered
8003 ACME account, in order to track changes made to registered account
8004 associated with the Issuer
8005 type: string
8006 uri:
8007 description: |-
8008 URI is the unique account identifier, which can also be used to retrieve
8009 account details from the CA
8010 type: string
8011 conditions:
8012 description: |-
8013 List of status conditions to indicate the status of a CertificateRequest.
8014 Known condition types are `Ready`.
8015 type: array
8016 items:
8017 description: IssuerCondition contains condition information for an Issuer.
8018 type: object
8019 required:
8020 - status
8021 - type
8022 properties:
8023 lastTransitionTime:
8024 description: |-
8025 LastTransitionTime is the timestamp corresponding to the last status
8026 change of this condition.
8027 type: string
8028 format: date-time
8029 message:
8030 description: |-
8031 Message is a human readable description of the details of the last
8032 transition, complementing reason.
8033 type: string
8034 observedGeneration:
8035 description: |-
8036 If set, this represents the .metadata.generation that the condition was
8037 set based upon.
8038 For instance, if .metadata.generation is currently 12, but the
8039 .status.condition[x].observedGeneration is 9, the condition is out of date
8040 with respect to the current state of the Issuer.
8041 type: integer
8042 format: int64
8043 reason:
8044 description: |-
8045 Reason is a brief machine readable explanation for the condition's last
8046 transition.
8047 type: string
8048 status:
8049 description: Status of the condition, one of (`True`, `False`, `Unknown`).
8050 type: string
8051 enum:
8052 - "True"
8053 - "False"
8054 - Unknown
8055 type:
8056 description: Type of the condition, known values are (`Ready`).
8057 type: string
8058 x-kubernetes-list-map-keys:
8059 - type
8060 x-kubernetes-list-type: map
8061 served: true
8062 storage: true
8063
8064# END crd
8065---
8066# Source: cert-manager/templates/crds.yaml
8067# START crd
8068apiVersion: apiextensions.k8s.io/v1
8069kind: CustomResourceDefinition
8070metadata:
8071 name: issuers.cert-manager.io
8072 # START annotations
8073 annotations:
8074 helm.sh/resource-policy: keep
8075 # END annotations
8076 labels:
8077 app: 'cert-manager'
8078 app.kubernetes.io/name: 'cert-manager'
8079 app.kubernetes.io/instance: 'cert-manager'
8080 app.kubernetes.io/component: "crds"
8081 # Generated labels
8082 app.kubernetes.io/version: "v1.17.0"
8083spec:
8084 group: cert-manager.io
8085 names:
8086 kind: Issuer
8087 listKind: IssuerList
8088 plural: issuers
8089 singular: issuer
8090 categories:
8091 - cert-manager
8092 scope: Namespaced
8093 versions:
8094 - name: v1
8095 subresources:
8096 status: {}
8097 additionalPrinterColumns:
8098 - jsonPath: .status.conditions[?(@.type=="Ready")].status
8099 name: Ready
8100 type: string
8101 - jsonPath: .status.conditions[?(@.type=="Ready")].message
8102 name: Status
8103 priority: 1
8104 type: string
8105 - jsonPath: .metadata.creationTimestamp
8106 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
8107 name: Age
8108 type: date
8109 schema:
8110 openAPIV3Schema:
8111 description: |-
8112 An Issuer represents a certificate issuing authority which can be
8113 referenced as part of `issuerRef` fields.
8114 It is scoped to a single namespace and can therefore only be referenced by
8115 resources within the same namespace.
8116 type: object
8117 required:
8118 - spec
8119 properties:
8120 apiVersion:
8121 description: |-
8122 APIVersion defines the versioned schema of this representation of an object.
8123 Servers should convert recognized schemas to the latest internal value, and
8124 may reject unrecognized values.
8125 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
8126 type: string
8127 kind:
8128 description: |-
8129 Kind is a string value representing the REST resource this object represents.
8130 Servers may infer this from the endpoint the client submits requests to.
8131 Cannot be updated.
8132 In CamelCase.
8133 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
8134 type: string
8135 metadata:
8136 type: object
8137 spec:
8138 description: Desired state of the Issuer resource.
8139 type: object
8140 properties:
8141 acme:
8142 description: |-
8143 ACME configures this issuer to communicate with a RFC8555 (ACME) server
8144 to obtain signed x509 certificates.
8145 type: object
8146 required:
8147 - privateKeySecretRef
8148 - server
8149 properties:
8150 caBundle:
8151 description: |-
8152 Base64-encoded bundle of PEM CAs which can be used to validate the certificate
8153 chain presented by the ACME server.
8154 Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
8155 kinds of security vulnerabilities.
8156 If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
8157 the container is used to validate the TLS connection.
8158 type: string
8159 format: byte
8160 disableAccountKeyGeneration:
8161 description: |-
8162 Enables or disables generating a new ACME account key.
8163 If true, the Issuer resource will *not* request a new account but will expect
8164 the account key to be supplied via an existing secret.
8165 If false, the cert-manager system will generate a new ACME account key
8166 for the Issuer.
8167 Defaults to false.
8168 type: boolean
8169 email:
8170 description: |-
8171 Email is the email address to be associated with the ACME account.
8172 This field is optional, but it is strongly recommended to be set.
8173 It will be used to contact you in case of issues with your account or
8174 certificates, including expiry notification emails.
8175 This field may be updated after the account is initially registered.
8176 type: string
8177 enableDurationFeature:
8178 description: |-
8179 Enables requesting a Not After date on certificates that matches the
8180 duration of the certificate. This is not supported by all ACME servers
8181 like Let's Encrypt. If set to true when the ACME server does not support
8182 it, it will create an error on the Order.
8183 Defaults to false.
8184 type: boolean
8185 externalAccountBinding:
8186 description: |-
8187 ExternalAccountBinding is a reference to a CA external account of the ACME
8188 server.
8189 If set, upon registration cert-manager will attempt to associate the given
8190 external account credentials with the registered ACME account.
8191 type: object
8192 required:
8193 - keyID
8194 - keySecretRef
8195 properties:
8196 keyAlgorithm:
8197 description: |-
8198 Deprecated: keyAlgorithm field exists for historical compatibility
8199 reasons and should not be used. The algorithm is now hardcoded to HS256
8200 in golang/x/crypto/acme.
8201 type: string
8202 enum:
8203 - HS256
8204 - HS384
8205 - HS512
8206 keyID:
8207 description: keyID is the ID of the CA key that the External Account is bound to.
8208 type: string
8209 keySecretRef:
8210 description: |-
8211 keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
8212 Secret which holds the symmetric MAC key of the External Account Binding.
8213 The `key` is the index string that is paired with the key data in the
8214 Secret and should not be confused with the key data itself, or indeed with
8215 the External Account Binding keyID above.
8216 The secret key stored in the Secret **must** be un-padded, base64 URL
8217 encoded data.
8218 type: object
8219 required:
8220 - name
8221 properties:
8222 key:
8223 description: |-
8224 The key of the entry in the Secret resource's `data` field to be used.
8225 Some instances of this field may be defaulted, in others it may be
8226 required.
8227 type: string
8228 name:
8229 description: |-
8230 Name of the resource being referred to.
8231 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8232 type: string
8233 preferredChain:
8234 description: |-
8235 PreferredChain is the chain to use if the ACME server outputs multiple chains.
8236 PreferredChain is no guarantee that this one gets delivered by the ACME
8237 endpoint.
8238 For example, for Let's Encrypt's DST cross-sign you would use:
8239 "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
8240 This value picks the first certificate bundle in the combined set of
8241 ACME default and alternative chains that has a root-most certificate with
8242 this value as its issuer's commonname.
8243 type: string
8244 maxLength: 64
8245 privateKeySecretRef:
8246 description: |-
8247 PrivateKey is the name of a Kubernetes Secret resource that will be used to
8248 store the automatically generated ACME account private key.
8249 Optionally, a `key` may be specified to select a specific entry within
8250 the named Secret resource.
8251 If `key` is not specified, a default of `tls.key` will be used.
8252 type: object
8253 required:
8254 - name
8255 properties:
8256 key:
8257 description: |-
8258 The key of the entry in the Secret resource's `data` field to be used.
8259 Some instances of this field may be defaulted, in others it may be
8260 required.
8261 type: string
8262 name:
8263 description: |-
8264 Name of the resource being referred to.
8265 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8266 type: string
8267 server:
8268 description: |-
8269 Server is the URL used to access the ACME server's 'directory' endpoint.
8270 For example, for Let's Encrypt's staging endpoint, you would use:
8271 "https://acme-staging-v02.api.letsencrypt.org/directory".
8272 Only ACME v2 endpoints (i.e. RFC 8555) are supported.
8273 type: string
8274 skipTLSVerify:
8275 description: |-
8276 INSECURE: Enables or disables validation of the ACME server TLS certificate.
8277 If true, requests to the ACME server will not have the TLS certificate chain
8278 validated.
8279 Mutually exclusive with CABundle; prefer using CABundle to prevent various
8280 kinds of security vulnerabilities.
8281 Only enable this option in development environments.
8282 If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
8283 the container is used to validate the TLS connection.
8284 Defaults to false.
8285 type: boolean
8286 solvers:
8287 description: |-
8288 Solvers is a list of challenge solvers that will be used to solve
8289 ACME challenges for the matching domains.
8290 Solver configurations must be provided in order to obtain certificates
8291 from an ACME server.
8292 For more information, see: https://cert-manager.io/docs/configuration/acme/
8293 type: array
8294 items:
8295 description: |-
8296 An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
8297 A selector may be provided to use different solving strategies for different DNS names.
8298 Only one of HTTP01 or DNS01 must be provided.
8299 type: object
8300 properties:
8301 dns01:
8302 description: |-
8303 Configures cert-manager to attempt to complete authorizations by
8304 performing the DNS01 challenge flow.
8305 type: object
8306 properties:
8307 acmeDNS:
8308 description: |-
8309 Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
8310 DNS01 challenge records.
8311 type: object
8312 required:
8313 - accountSecretRef
8314 - host
8315 properties:
8316 accountSecretRef:
8317 description: |-
8318 A reference to a specific 'key' within a Secret resource.
8319 In some instances, `key` is a required field.
8320 type: object
8321 required:
8322 - name
8323 properties:
8324 key:
8325 description: |-
8326 The key of the entry in the Secret resource's `data` field to be used.
8327 Some instances of this field may be defaulted, in others it may be
8328 required.
8329 type: string
8330 name:
8331 description: |-
8332 Name of the resource being referred to.
8333 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8334 type: string
8335 host:
8336 type: string
8337 akamai:
8338 description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
8339 type: object
8340 required:
8341 - accessTokenSecretRef
8342 - clientSecretSecretRef
8343 - clientTokenSecretRef
8344 - serviceConsumerDomain
8345 properties:
8346 accessTokenSecretRef:
8347 description: |-
8348 A reference to a specific 'key' within a Secret resource.
8349 In some instances, `key` is a required field.
8350 type: object
8351 required:
8352 - name
8353 properties:
8354 key:
8355 description: |-
8356 The key of the entry in the Secret resource's `data` field to be used.
8357 Some instances of this field may be defaulted, in others it may be
8358 required.
8359 type: string
8360 name:
8361 description: |-
8362 Name of the resource being referred to.
8363 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8364 type: string
8365 clientSecretSecretRef:
8366 description: |-
8367 A reference to a specific 'key' within a Secret resource.
8368 In some instances, `key` is a required field.
8369 type: object
8370 required:
8371 - name
8372 properties:
8373 key:
8374 description: |-
8375 The key of the entry in the Secret resource's `data` field to be used.
8376 Some instances of this field may be defaulted, in others it may be
8377 required.
8378 type: string
8379 name:
8380 description: |-
8381 Name of the resource being referred to.
8382 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8383 type: string
8384 clientTokenSecretRef:
8385 description: |-
8386 A reference to a specific 'key' within a Secret resource.
8387 In some instances, `key` is a required field.
8388 type: object
8389 required:
8390 - name
8391 properties:
8392 key:
8393 description: |-
8394 The key of the entry in the Secret resource's `data` field to be used.
8395 Some instances of this field may be defaulted, in others it may be
8396 required.
8397 type: string
8398 name:
8399 description: |-
8400 Name of the resource being referred to.
8401 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8402 type: string
8403 serviceConsumerDomain:
8404 type: string
8405 azureDNS:
8406 description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
8407 type: object
8408 required:
8409 - resourceGroupName
8410 - subscriptionID
8411 properties:
8412 clientID:
8413 description: |-
8414 Auth: Azure Service Principal:
8415 The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
8416 If set, ClientSecret and TenantID must also be set.
8417 type: string
8418 clientSecretSecretRef:
8419 description: |-
8420 Auth: Azure Service Principal:
8421 A reference to a Secret containing the password associated with the Service Principal.
8422 If set, ClientID and TenantID must also be set.
8423 type: object
8424 required:
8425 - name
8426 properties:
8427 key:
8428 description: |-
8429 The key of the entry in the Secret resource's `data` field to be used.
8430 Some instances of this field may be defaulted, in others it may be
8431 required.
8432 type: string
8433 name:
8434 description: |-
8435 Name of the resource being referred to.
8436 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8437 type: string
8438 environment:
8439 description: name of the Azure environment (default AzurePublicCloud)
8440 type: string
8441 enum:
8442 - AzurePublicCloud
8443 - AzureChinaCloud
8444 - AzureGermanCloud
8445 - AzureUSGovernmentCloud
8446 hostedZoneName:
8447 description: name of the DNS zone that should be used
8448 type: string
8449 managedIdentity:
8450 description: |-
8451 Auth: Azure Workload Identity or Azure Managed Service Identity:
8452 Settings to enable Azure Workload Identity or Azure Managed Service Identity
8453 If set, ClientID, ClientSecret and TenantID must not be set.
8454 type: object
8455 properties:
8456 clientID:
8457 description: client ID of the managed identity; cannot be used at the same time as resourceID
8458 type: string
8459 resourceID:
8460 description: |-
8461 resource ID of the managed identity; cannot be used at the same time as clientID.
8462 Cannot be used for Azure Managed Service Identity.
8463 type: string
8464 tenantID:
8465 description: tenant ID of the managed identity; cannot be used at the same time as resourceID
8466 type: string
8467 resourceGroupName:
8468 description: resource group the DNS zone is located in
8469 type: string
8470 subscriptionID:
8471 description: ID of the Azure subscription
8472 type: string
8473 tenantID:
8474 description: |-
8475 Auth: Azure Service Principal:
8476 The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
8477 If set, ClientID and ClientSecret must also be set.
8478 type: string
8479 cloudDNS:
8480 description: Use the Google Cloud DNS API to manage DNS01 challenge records.
8481 type: object
8482 required:
8483 - project
8484 properties:
8485 hostedZoneName:
8486 description: |-
8487 HostedZoneName is an optional field that tells cert-manager in which
8488 Cloud DNS zone the challenge record has to be created.
8489 If left empty cert-manager will automatically choose a zone.
8490 type: string
8491 project:
8492 type: string
8493 serviceAccountSecretRef:
8494 description: |-
8495 A reference to a specific 'key' within a Secret resource.
8496 In some instances, `key` is a required field.
8497 type: object
8498 required:
8499 - name
8500 properties:
8501 key:
8502 description: |-
8503 The key of the entry in the Secret resource's `data` field to be used.
8504 Some instances of this field may be defaulted, in others it may be
8505 required.
8506 type: string
8507 name:
8508 description: |-
8509 Name of the resource being referred to.
8510 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8511 type: string
8512 cloudflare:
8513 description: Use the Cloudflare API to manage DNS01 challenge records.
8514 type: object
8515 properties:
8516 apiKeySecretRef:
8517 description: |-
8518 API key to use to authenticate with Cloudflare.
8519 Note: using an API token to authenticate is now the recommended method
8520 as it allows greater control of permissions.
8521 type: object
8522 required:
8523 - name
8524 properties:
8525 key:
8526 description: |-
8527 The key of the entry in the Secret resource's `data` field to be used.
8528 Some instances of this field may be defaulted, in others it may be
8529 required.
8530 type: string
8531 name:
8532 description: |-
8533 Name of the resource being referred to.
8534 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8535 type: string
8536 apiTokenSecretRef:
8537 description: API token used to authenticate with Cloudflare.
8538 type: object
8539 required:
8540 - name
8541 properties:
8542 key:
8543 description: |-
8544 The key of the entry in the Secret resource's `data` field to be used.
8545 Some instances of this field may be defaulted, in others it may be
8546 required.
8547 type: string
8548 name:
8549 description: |-
8550 Name of the resource being referred to.
8551 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8552 type: string
8553 email:
8554 description: Email of the account, only required when using API key based authentication.
8555 type: string
8556 cnameStrategy:
8557 description: |-
8558 CNAMEStrategy configures how the DNS01 provider should handle CNAME
8559 records when found in DNS zones.
8560 type: string
8561 enum:
8562 - None
8563 - Follow
8564 digitalocean:
8565 description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
8566 type: object
8567 required:
8568 - tokenSecretRef
8569 properties:
8570 tokenSecretRef:
8571 description: |-
8572 A reference to a specific 'key' within a Secret resource.
8573 In some instances, `key` is a required field.
8574 type: object
8575 required:
8576 - name
8577 properties:
8578 key:
8579 description: |-
8580 The key of the entry in the Secret resource's `data` field to be used.
8581 Some instances of this field may be defaulted, in others it may be
8582 required.
8583 type: string
8584 name:
8585 description: |-
8586 Name of the resource being referred to.
8587 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8588 type: string
8589 rfc2136:
8590 description: |-
8591 Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
8592 to manage DNS01 challenge records.
8593 type: object
8594 required:
8595 - nameserver
8596 properties:
8597 nameserver:
8598 description: |-
8599 The IP address or hostname of an authoritative DNS server supporting
8600 RFC2136 in the form host:port. If the host is an IPv6 address it must be
8601 enclosed in square brackets (e.g. [2001:db8::1]); the port is optional.
8602 This field is required.
8603 type: string
8604 tsigAlgorithm:
8605 description: |-
8606 The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
8607 when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
8608 Supported values are (case-insensitive): ``HMACMD5`` (default),
8609 ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
8610 type: string
8611 tsigKeyName:
8612 description: |-
8613 The TSIG Key name configured in the DNS.
8614 If ``tsigSecretSecretRef`` is defined, this field is required.
8615 type: string
8616 tsigSecretSecretRef:
8617 description: |-
8618 The name of the secret containing the TSIG value.
8619 If ``tsigKeyName`` is defined, this field is required.
8620 type: object
8621 required:
8622 - name
8623 properties:
8624 key:
8625 description: |-
8626 The key of the entry in the Secret resource's `data` field to be used.
8627 Some instances of this field may be defaulted, in others it may be
8628 required.
8629 type: string
8630 name:
8631 description: |-
8632 Name of the resource being referred to.
8633 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8634 type: string
8635 route53:
8636 description: Use the AWS Route53 API to manage DNS01 challenge records.
8637 type: object
8638 properties:
8639 accessKeyID:
8640 description: |-
8641 The AccessKeyID is used for authentication.
8642 Cannot be set when SecretAccessKeyID is set.
8643 If neither the Access Key nor Key ID are set, we fall-back to using env
8644 vars, shared credentials file or AWS Instance metadata,
8645 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8646 type: string
8647 accessKeyIDSecretRef:
8648 description: |-
8649 The SecretAccessKey is used for authentication. If set, pull the AWS
8650 access key ID from a key within a Kubernetes Secret.
8651 Cannot be set when AccessKeyID is set.
8652 If neither the Access Key nor Key ID are set, we fall-back to using env
8653 vars, shared credentials file or AWS Instance metadata,
8654 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8655 type: object
8656 required:
8657 - name
8658 properties:
8659 key:
8660 description: |-
8661 The key of the entry in the Secret resource's `data` field to be used.
8662 Some instances of this field may be defaulted, in others it may be
8663 required.
8664 type: string
8665 name:
8666 description: |-
8667 Name of the resource being referred to.
8668 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8669 type: string
8670 auth:
8671 description: Auth configures how cert-manager authenticates.
8672 type: object
8673 required:
8674 - kubernetes
8675 properties:
8676 kubernetes:
8677 description: |-
8678 Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
8679 by passing a bound ServiceAccount token.
8680 type: object
8681 required:
8682 - serviceAccountRef
8683 properties:
8684 serviceAccountRef:
8685 description: |-
8686 A reference to a service account that will be used to request a bound
8687 token (also known as "projected token"). To use this field, you must
8688 configure an RBAC rule to let cert-manager request a token.
8689 type: object
8690 required:
8691 - name
8692 properties:
8693 audiences:
8694 description: |-
8695 TokenAudiences is an optional list of audiences to include in the
8696 token passed to AWS. The default token consisting of the issuer's namespace
8697 and name is always included.
8698 If unset the audience defaults to `sts.amazonaws.com`.
8699 type: array
8700 items:
8701 type: string
8702 name:
8703 description: Name of the ServiceAccount used to request a token.
8704 type: string
8705 hostedZoneID:
8706 description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
8707 type: string
8708 region:
8709 description: |-
8710 Override the AWS region.
8711
8712 Route53 is a global service and does not have regional endpoints but the
8713 region specified here (or via environment variables) is used as a hint to
8714 help compute the correct AWS credential scope and partition when it
8715 connects to Route53. See:
8716 - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
8717 - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
8718
8719 If you omit this region field, cert-manager will use the region from
8720 AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
8721 in the cert-manager controller Pod.
8722
8723 The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
8724 Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
8725 [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
8726 In this case this `region` field value is ignored.
8727
8728 The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
8729 Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
8730 [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent).
8731 In this case this `region` field value is ignored.
8732 type: string
8733 role:
8734 description: |-
8735 Role is a Role ARN which the Route53 provider will assume, using either the explicit credentials AccessKeyID/SecretAccessKey
8736 or the credentials inferred from environment variables, the shared credentials file or AWS Instance metadata.
8737 type: string
8738 secretAccessKeySecretRef:
8739 description: |-
8740 The SecretAccessKey is used for authentication.
8741 If neither the Access Key nor Key ID are set, we fall-back to using env
8742 vars, shared credentials file or AWS Instance metadata,
8743 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
8744 type: object
8745 required:
8746 - name
8747 properties:
8748 key:
8749 description: |-
8750 The key of the entry in the Secret resource's `data` field to be used.
8751 Some instances of this field may be defaulted, in others it may be
8752 required.
8753 type: string
8754 name:
8755 description: |-
8756 Name of the resource being referred to.
8757 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8758 type: string
8759 webhook:
8760 description: |-
8761 Configure an external webhook based DNS01 challenge solver to manage
8762 DNS01 challenge records.
8763 type: object
8764 required:
8765 - groupName
8766 - solverName
8767 properties:
8768 config:
8769 description: |-
8770 Additional configuration that should be passed to the webhook apiserver
8771 when challenges are processed.
8772 This can contain arbitrary JSON data.
8773 Secret values should not be specified in this stanza.
8774 If secret values are needed (e.g. credentials for a DNS service), you
8775 should use a SecretKeySelector to reference a Secret resource.
8776 For details on the schema of this field, consult the webhook provider
8777 implementation's documentation.
8778 x-kubernetes-preserve-unknown-fields: true
8779 groupName:
8780 description: |-
8781 The API group name that should be used when POSTing ChallengePayload
8782 resources to the webhook apiserver.
8783 This should be the same as the GroupName specified in the webhook
8784 provider implementation.
8785 type: string
8786 solverName:
8787 description: |-
8788 The name of the solver to use, as defined in the webhook provider
8789 implementation.
8790 This will typically be the name of the provider, e.g. 'cloudflare'.
8791 type: string
8792 http01:
8793 description: |-
8794 Configures cert-manager to attempt to complete authorizations by
8795 performing the HTTP01 challenge flow.
8796 It is not possible to obtain certificates for wildcard domain names
8797 (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
8798 type: object
8799 properties:
8800 gatewayHTTPRoute:
8801 description: |-
8802 The Gateway API is a sig-network community API that models service networking
8803 in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
8804 create HTTPRoutes with the specified labels in the same namespace as the challenge.
8805 This solver is experimental, and fields / behaviour may change in the future.
8806 type: object
8807 properties:
8808 labels:
8809 description: |-
8810 Custom labels that will be applied to HTTPRoutes created by cert-manager
8811 while solving HTTP-01 challenges.
8812 type: object
8813 additionalProperties:
8814 type: string
8815 parentRefs:
8816 description: |-
8817 When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
8818 cert-manager needs to know which parentRefs should be used when creating
8819 the HTTPRoute. Usually, the parentRef references a Gateway. See:
8820 https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
8821 type: array
8822 items:
8823 description: |-
8824 ParentReference identifies an API object (usually a Gateway) that can be considered
8825 a parent of this resource (usually a route). There are two kinds of parent resources
8826 with "Core" support:
8827
8828 * Gateway (Gateway conformance profile)
8829 * Service (Mesh conformance profile, ClusterIP Services only)
8830
8831 This API may be extended in the future to support additional kinds of parent
8832 resources.
8833
8834 The API object must be valid in the cluster; the Group and Kind must
8835 be registered in the cluster for this reference to be valid.
8836 type: object
8837 required:
8838 - name
8839 properties:
8840 group:
8841 description: |-
8842 Group is the group of the referent.
8843 When unspecified, "gateway.networking.k8s.io" is inferred.
8844 To set the core API group (such as for a "Service" kind referent),
8845 Group must be explicitly set to "" (empty string).
8846
8847 Support: Core
8848 type: string
8849 default: gateway.networking.k8s.io
8850 maxLength: 253
8851 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
8852 kind:
8853 description: |-
8854 Kind is kind of the referent.
8855
8856 There are two kinds of parent resources with "Core" support:
8857
8858 * Gateway (Gateway conformance profile)
8859 * Service (Mesh conformance profile, ClusterIP Services only)
8860
8861 Support for other resources is Implementation-Specific.
8862 type: string
8863 default: Gateway
8864 maxLength: 63
8865 minLength: 1
8866 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
8867 name:
8868 description: |-
8869 Name is the name of the referent.
8870
8871 Support: Core
8872 type: string
8873 maxLength: 253
8874 minLength: 1
8875 namespace:
8876 description: |-
8877 Namespace is the namespace of the referent. When unspecified, this refers
8878 to the local namespace of the Route.
8879
8880 Note that there are specific rules for ParentRefs which cross namespace
8881 boundaries. Cross-namespace references are only valid if they are explicitly
8882 allowed by something in the namespace they are referring to. For example:
8883 Gateway has the AllowedRoutes field, and ReferenceGrant provides a
8884 generic way to enable any other kind of cross-namespace reference.
8885
8886 <gateway:experimental:description>
8887 ParentRefs from a Route to a Service in the same namespace are "producer"
8888 routes, which apply default routing rules to inbound connections from
8889 any namespace to the Service.
8890
8891 ParentRefs from a Route to a Service in a different namespace are
8892 "consumer" routes, and these routing rules are only applied to outbound
8893 connections originating from the same namespace as the Route, for which
8894 the intended destination of the connections are a Service targeted as a
8895 ParentRef of the Route.
8896 </gateway:experimental:description>
8897
8898 Support: Core
8899 type: string
8900 maxLength: 63
8901 minLength: 1
8902 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
8903 port:
8904 description: |-
8905 Port is the network port this Route targets. It can be interpreted
8906 differently based on the type of parent resource.
8907
8908 When the parent resource is a Gateway, this targets all listeners
8909 listening on the specified port that also support this kind of Route (and
8910 select this Route). It's not recommended to set `Port` unless the
8911 networking behaviors specified in a Route must apply to a specific port
8912 as opposed to a listener(s) whose port(s) may be changed. When both Port
8913 and SectionName are specified, the name and port of the selected listener
8914 must match both specified values.
8915
8916 <gateway:experimental:description>
8917 When the parent resource is a Service, this targets a specific port in the
8918 Service spec. When both Port (experimental) and SectionName are specified,
8919 the name and port of the selected port must match both specified values.
8920 </gateway:experimental:description>
8921
8922 Implementations MAY choose to support other parent resources.
8923 Implementations supporting other types of parent resources MUST clearly
8924 document how/if Port is interpreted.
8925
8926 For the purpose of status, an attachment is considered successful as
8927 long as the parent resource accepts it partially. For example, Gateway
8928 listeners can restrict which Routes can attach to them by Route kind,
8929 namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
8930 from the referencing Route, the Route MUST be considered successfully
8931 attached. If no Gateway listeners accept attachment from this Route,
8932 the Route MUST be considered detached from the Gateway.
8933
8934 Support: Extended
8935 type: integer
8936 format: int32
8937 maximum: 65535
8938 minimum: 1
8939 sectionName:
8940 description: |-
8941 SectionName is the name of a section within the target resource. In the
8942 following resources, SectionName is interpreted as the following:
8943
8944 * Gateway: Listener name. When both Port (experimental) and SectionName
8945 are specified, the name and port of the selected listener must match
8946 both specified values.
8947 * Service: Port name. When both Port (experimental) and SectionName
8948 are specified, the name and port of the selected port must match
8949 both specified values.
8950
8951 Implementations MAY choose to support attaching Routes to other resources.
8952 If that is the case, they MUST clearly document how SectionName is
8953 interpreted.
8954
8955 When unspecified (empty string), this will reference the entire resource.
8956 For the purpose of status, an attachment is considered successful if at
8957 least one section in the parent resource accepts it. For example, Gateway
8958 listeners can restrict which Routes can attach to them by Route kind,
8959 namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
8960 the referencing Route, the Route MUST be considered successfully
8961 attached. If no Gateway listeners accept attachment from this Route, the
8962 Route MUST be considered detached from the Gateway.
8963
8964 Support: Core
8965 type: string
8966 maxLength: 253
8967 minLength: 1
8968 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
8969 podTemplate:
8970 description: |-
8971 Optional pod template used to configure the ACME challenge solver pods
8972 used for HTTP01 challenges.
8973 type: object
8974 properties:
8975 metadata:
8976 description: |-
8977 ObjectMeta overrides for the pod used to solve HTTP01 challenges.
8978 Only the 'labels' and 'annotations' fields may be set.
8979 If labels or annotations overlap with in-built values, the values here
8980 will override the in-built values.
8981 type: object
8982 properties:
8983 annotations:
8984 description: Annotations that should be added to the created ACME HTTP01 solver pods.
8985 type: object
8986 additionalProperties:
8987 type: string
8988 labels:
8989 description: Labels that should be added to the created ACME HTTP01 solver pods.
8990 type: object
8991 additionalProperties:
8992 type: string
8993 spec:
8994 description: |-
8995 PodSpec defines overrides for the HTTP01 challenge solver pod.
8996 Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
8997 All other fields will be ignored.
8998 type: object
8999 properties:
9000 affinity:
9001 description: If specified, the pod's scheduling constraints
9002 type: object
9003 properties:
9004 nodeAffinity:
9005 description: Describes node affinity scheduling rules for the pod.
9006 type: object
9007 properties:
9008 preferredDuringSchedulingIgnoredDuringExecution:
9009 description: |-
9010 The scheduler will prefer to schedule pods to nodes that satisfy
9011 the affinity expressions specified by this field, but it may choose
9012 a node that violates one or more of the expressions. The node that is
9013 most preferred is the one with the greatest sum of weights, i.e.
9014 for each node that meets all of the scheduling requirements (resource
9015 request, requiredDuringScheduling affinity expressions, etc.),
9016 compute a sum by iterating through the elements of this field and adding
9017 "weight" to the sum if the node matches the corresponding matchExpressions; the
9018 node(s) with the highest sum are the most preferred.
9019 type: array
9020 items:
9021 description: |-
9022 An empty preferred scheduling term matches all objects with implicit weight 0
9023 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
9024 type: object
9025 required:
9026 - preference
9027 - weight
9028 properties:
9029 preference:
9030 description: A node selector term, associated with the corresponding weight.
9031 type: object
9032 properties:
9033 matchExpressions:
9034 description: A list of node selector requirements by node's labels.
9035 type: array
9036 items:
9037 description: |-
9038 A node selector requirement is a selector that contains values, a key, and an operator
9039 that relates the key and values.
9040 type: object
9041 required:
9042 - key
9043 - operator
9044 properties:
9045 key:
9046 description: The label key that the selector applies to.
9047 type: string
9048 operator:
9049 description: |-
9050 Represents a key's relationship to a set of values.
9051 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9052 type: string
9053 values:
9054 description: |-
9055 An array of string values. If the operator is In or NotIn,
9056 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9057 the values array must be empty. If the operator is Gt or Lt, the values
9058 array must have a single element, which will be interpreted as an integer.
9059 This array is replaced during a strategic merge patch.
9060 type: array
9061 items:
9062 type: string
9063 x-kubernetes-list-type: atomic
9064 x-kubernetes-list-type: atomic
9065 matchFields:
9066 description: A list of node selector requirements by node's fields.
9067 type: array
9068 items:
9069 description: |-
9070 A node selector requirement is a selector that contains values, a key, and an operator
9071 that relates the key and values.
9072 type: object
9073 required:
9074 - key
9075 - operator
9076 properties:
9077 key:
9078 description: The label key that the selector applies to.
9079 type: string
9080 operator:
9081 description: |-
9082 Represents a key's relationship to a set of values.
9083 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9084 type: string
9085 values:
9086 description: |-
9087 An array of string values. If the operator is In or NotIn,
9088 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9089 the values array must be empty. If the operator is Gt or Lt, the values
9090 array must have a single element, which will be interpreted as an integer.
9091 This array is replaced during a strategic merge patch.
9092 type: array
9093 items:
9094 type: string
9095 x-kubernetes-list-type: atomic
9096 x-kubernetes-list-type: atomic
9097 x-kubernetes-map-type: atomic
9098 weight:
9099 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
9100 type: integer
9101 format: int32
9102 x-kubernetes-list-type: atomic
9103 requiredDuringSchedulingIgnoredDuringExecution:
9104 description: |-
9105 If the affinity requirements specified by this field are not met at
9106 scheduling time, the pod will not be scheduled onto the node.
9107 If the affinity requirements specified by this field cease to be met
9108 at some point during pod execution (e.g. due to an update), the system
9109 may or may not try to eventually evict the pod from its node.
9110 type: object
9111 required:
9112 - nodeSelectorTerms
9113 properties:
9114 nodeSelectorTerms:
9115 description: Required. A list of node selector terms. The terms are ORed.
9116 type: array
9117 items:
9118 description: |-
9119 A null or empty node selector term matches no objects. The requirements of
9120 them are ANDed.
9121 The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
9122 type: object
9123 properties:
9124 matchExpressions:
9125 description: A list of node selector requirements by node's labels.
9126 type: array
9127 items:
9128 description: |-
9129 A node selector requirement is a selector that contains values, a key, and an operator
9130 that relates the key and values.
9131 type: object
9132 required:
9133 - key
9134 - operator
9135 properties:
9136 key:
9137 description: The label key that the selector applies to.
9138 type: string
9139 operator:
9140 description: |-
9141 Represents a key's relationship to a set of values.
9142 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9143 type: string
9144 values:
9145 description: |-
9146 An array of string values. If the operator is In or NotIn,
9147 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9148 the values array must be empty. If the operator is Gt or Lt, the values
9149 array must have a single element, which will be interpreted as an integer.
9150 This array is replaced during a strategic merge patch.
9151 type: array
9152 items:
9153 type: string
9154 x-kubernetes-list-type: atomic
9155 x-kubernetes-list-type: atomic
9156 matchFields:
9157 description: A list of node selector requirements by node's fields.
9158 type: array
9159 items:
9160 description: |-
9161 A node selector requirement is a selector that contains values, a key, and an operator
9162 that relates the key and values.
9163 type: object
9164 required:
9165 - key
9166 - operator
9167 properties:
9168 key:
9169 description: The label key that the selector applies to.
9170 type: string
9171 operator:
9172 description: |-
9173 Represents a key's relationship to a set of values.
9174 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
9175 type: string
9176 values:
9177 description: |-
9178 An array of string values. If the operator is In or NotIn,
9179 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9180 the values array must be empty. If the operator is Gt or Lt, the values
9181 array must have a single element, which will be interpreted as an integer.
9182 This array is replaced during a strategic merge patch.
9183 type: array
9184 items:
9185 type: string
9186 x-kubernetes-list-type: atomic
9187 x-kubernetes-list-type: atomic
9188 x-kubernetes-map-type: atomic
9189 x-kubernetes-list-type: atomic
9190 x-kubernetes-map-type: atomic
9191 podAffinity:
9192 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
9193 type: object
9194 properties:
9195 preferredDuringSchedulingIgnoredDuringExecution:
9196 description: |-
9197 The scheduler will prefer to schedule pods to nodes that satisfy
9198 the affinity expressions specified by this field, but it may choose
9199 a node that violates one or more of the expressions. The node that is
9200 most preferred is the one with the greatest sum of weights, i.e.
9201 for each node that meets all of the scheduling requirements (resource
9202 request, requiredDuringScheduling affinity expressions, etc.),
9203 compute a sum by iterating through the elements of this field and adding
9204 "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
9205 node(s) with the highest sum are the most preferred.
9206 type: array
9207 items:
9208 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
9209 type: object
9210 required:
9211 - podAffinityTerm
9212 - weight
9213 properties:
9214 podAffinityTerm:
9215 description: Required. A pod affinity term, associated with the corresponding weight.
9216 type: object
9217 required:
9218 - topologyKey
9219 properties:
9220 labelSelector:
9221 description: |-
9222 A label query over a set of resources, in this case pods.
9223 If it's null, this PodAffinityTerm matches with no Pods.
9224 type: object
9225 properties:
9226 matchExpressions:
9227 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9228 type: array
9229 items:
9230 description: |-
9231 A label selector requirement is a selector that contains values, a key, and an operator that
9232 relates the key and values.
9233 type: object
9234 required:
9235 - key
9236 - operator
9237 properties:
9238 key:
9239 description: key is the label key that the selector applies to.
9240 type: string
9241 operator:
9242 description: |-
9243 operator represents a key's relationship to a set of values.
9244 Valid operators are In, NotIn, Exists and DoesNotExist.
9245 type: string
9246 values:
9247 description: |-
9248 values is an array of string values. If the operator is In or NotIn,
9249 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9250 the values array must be empty. This array is replaced during a strategic
9251 merge patch.
9252 type: array
9253 items:
9254 type: string
9255 x-kubernetes-list-type: atomic
9256 x-kubernetes-list-type: atomic
9257 matchLabels:
9258 description: |-
9259 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9260 map is equivalent to an element of matchExpressions, whose key field is "key", the
9261 operator is "In", and the values array contains only "value". The requirements are ANDed.
9262 type: object
9263 additionalProperties:
9264 type: string
9265 x-kubernetes-map-type: atomic
9266 matchLabelKeys:
9267 description: |-
9268 MatchLabelKeys is a set of pod label keys to select which pods will
9269 be taken into consideration. The keys are used to lookup values from the
9270 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
9271 to select the group of existing pods which pods will be taken into consideration
9272 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9273 pod labels will be ignored. The default value is empty.
9274 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
9275 Also, matchLabelKeys cannot be set when labelSelector isn't set.
9276 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9277 type: array
9278 items:
9279 type: string
9280 x-kubernetes-list-type: atomic
9281 mismatchLabelKeys:
9282 description: |-
9283 MismatchLabelKeys is a set of pod label keys to select which pods will
9284 be taken into consideration. The keys are used to lookup values from the
9285 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
9286 to select the group of existing pods which pods will be taken into consideration
9287 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9288 pod labels will be ignored. The default value is empty.
9289 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
9290 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
9291 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9292 type: array
9293 items:
9294 type: string
9295 x-kubernetes-list-type: atomic
9296 namespaceSelector:
9297 description: |-
9298 A label query over the set of namespaces that the term applies to.
9299 The term is applied to the union of the namespaces selected by this field
9300 and the ones listed in the namespaces field.
9301 null selector and null or empty namespaces list means "this pod's namespace".
9302 An empty selector ({}) matches all namespaces.
9303 type: object
9304 properties:
9305 matchExpressions:
9306 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9307 type: array
9308 items:
9309 description: |-
9310 A label selector requirement is a selector that contains values, a key, and an operator that
9311 relates the key and values.
9312 type: object
9313 required:
9314 - key
9315 - operator
9316 properties:
9317 key:
9318 description: key is the label key that the selector applies to.
9319 type: string
9320 operator:
9321 description: |-
9322 operator represents a key's relationship to a set of values.
9323 Valid operators are In, NotIn, Exists and DoesNotExist.
9324 type: string
9325 values:
9326 description: |-
9327 values is an array of string values. If the operator is In or NotIn,
9328 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9329 the values array must be empty. This array is replaced during a strategic
9330 merge patch.
9331 type: array
9332 items:
9333 type: string
9334 x-kubernetes-list-type: atomic
9335 x-kubernetes-list-type: atomic
9336 matchLabels:
9337 description: |-
9338 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9339 map is equivalent to an element of matchExpressions, whose key field is "key", the
9340 operator is "In", and the values array contains only "value". The requirements are ANDed.
9341 type: object
9342 additionalProperties:
9343 type: string
9344 x-kubernetes-map-type: atomic
9345 namespaces:
9346 description: |-
9347 namespaces specifies a static list of namespace names that the term applies to.
9348 The term is applied to the union of the namespaces listed in this field
9349 and the ones selected by namespaceSelector.
9350 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
9351 type: array
9352 items:
9353 type: string
9354 x-kubernetes-list-type: atomic
9355 topologyKey:
9356 description: |-
9357 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
9358 the labelSelector in the specified namespaces, where co-located is defined as running on a node
9359 whose value of the label with key topologyKey matches that of any node on which any of the
9360 selected pods is running.
9361 Empty topologyKey is not allowed.
9362 type: string
9363 weight:
9364 description: |-
9365 weight associated with matching the corresponding podAffinityTerm,
9366 in the range 1-100.
9367 type: integer
9368 format: int32
9369 x-kubernetes-list-type: atomic
9370 requiredDuringSchedulingIgnoredDuringExecution:
9371 description: |-
9372 If the affinity requirements specified by this field are not met at
9373 scheduling time, the pod will not be scheduled onto the node.
9374 If the affinity requirements specified by this field cease to be met
9375 at some point during pod execution (e.g. due to a pod label update), the
9376 system may or may not try to eventually evict the pod from its node.
9377 When there are multiple elements, the lists of nodes corresponding to each
9378 podAffinityTerm are intersected, i.e. all terms must be satisfied.
9379 type: array
9380 items:
9381 description: |-
9382 Defines a set of pods (namely those matching the labelSelector
9383 relative to the given namespace(s)) that this pod should be
9384 co-located (affinity) or not co-located (anti-affinity) with,
9385 where co-located is defined as running on a node whose value of
9386 the label with key <topologyKey> matches that of any node on which
9387 a pod of the set of pods is running.
9388 type: object
9389 required:
9390 - topologyKey
9391 properties:
9392 labelSelector:
9393 description: |-
9394 A label query over a set of resources, in this case pods.
9395 If it's null, this PodAffinityTerm matches with no Pods.
9396 type: object
9397 properties:
9398 matchExpressions:
9399 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9400 type: array
9401 items:
9402 description: |-
9403 A label selector requirement is a selector that contains values, a key, and an operator that
9404 relates the key and values.
9405 type: object
9406 required:
9407 - key
9408 - operator
9409 properties:
9410 key:
9411 description: key is the label key that the selector applies to.
9412 type: string
9413 operator:
9414 description: |-
9415 operator represents a key's relationship to a set of values.
9416 Valid operators are In, NotIn, Exists and DoesNotExist.
9417 type: string
9418 values:
9419 description: |-
9420 values is an array of string values. If the operator is In or NotIn,
9421 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9422 the values array must be empty. This array is replaced during a strategic
9423 merge patch.
9424 type: array
9425 items:
9426 type: string
9427 x-kubernetes-list-type: atomic
9428 x-kubernetes-list-type: atomic
9429 matchLabels:
9430 description: |-
9431 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9432 map is equivalent to an element of matchExpressions, whose key field is "key", the
9433 operator is "In", and the values array contains only "value". The requirements are ANDed.
9434 type: object
9435 additionalProperties:
9436 type: string
9437 x-kubernetes-map-type: atomic
9438 matchLabelKeys:
9439 description: |-
9440 MatchLabelKeys is a set of pod label keys to select which pods will
9441 be taken into consideration. The keys are used to lookup values from the
9442 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
9443 to select the group of existing pods which pods will be taken into consideration
9444 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9445 pod labels will be ignored. The default value is empty.
9446 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
9447 Also, matchLabelKeys cannot be set when labelSelector isn't set.
9448 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9449 type: array
9450 items:
9451 type: string
9452 x-kubernetes-list-type: atomic
9453 mismatchLabelKeys:
9454 description: |-
9455 MismatchLabelKeys is a set of pod label keys to select which pods will
9456 be taken into consideration. The keys are used to lookup values from the
9457 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
9458 to select the group of existing pods which pods will be taken into consideration
9459 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9460 pod labels will be ignored. The default value is empty.
9461 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
9462 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
9463 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9464 type: array
9465 items:
9466 type: string
9467 x-kubernetes-list-type: atomic
9468 namespaceSelector:
9469 description: |-
9470 A label query over the set of namespaces that the term applies to.
9471 The term is applied to the union of the namespaces selected by this field
9472 and the ones listed in the namespaces field.
9473 null selector and null or empty namespaces list means "this pod's namespace".
9474 An empty selector ({}) matches all namespaces.
9475 type: object
9476 properties:
9477 matchExpressions:
9478 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9479 type: array
9480 items:
9481 description: |-
9482 A label selector requirement is a selector that contains values, a key, and an operator that
9483 relates the key and values.
9484 type: object
9485 required:
9486 - key
9487 - operator
9488 properties:
9489 key:
9490 description: key is the label key that the selector applies to.
9491 type: string
9492 operator:
9493 description: |-
9494 operator represents a key's relationship to a set of values.
9495 Valid operators are In, NotIn, Exists and DoesNotExist.
9496 type: string
9497 values:
9498 description: |-
9499 values is an array of string values. If the operator is In or NotIn,
9500 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9501 the values array must be empty. This array is replaced during a strategic
9502 merge patch.
9503 type: array
9504 items:
9505 type: string
9506 x-kubernetes-list-type: atomic
9507 x-kubernetes-list-type: atomic
9508 matchLabels:
9509 description: |-
9510 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9511 map is equivalent to an element of matchExpressions, whose key field is "key", the
9512 operator is "In", and the values array contains only "value". The requirements are ANDed.
9513 type: object
9514 additionalProperties:
9515 type: string
9516 x-kubernetes-map-type: atomic
9517 namespaces:
9518 description: |-
9519 namespaces specifies a static list of namespace names that the term applies to.
9520 The term is applied to the union of the namespaces listed in this field
9521 and the ones selected by namespaceSelector.
9522 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
9523 type: array
9524 items:
9525 type: string
9526 x-kubernetes-list-type: atomic
9527 topologyKey:
9528 description: |-
9529 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
9530 the labelSelector in the specified namespaces, where co-located is defined as running on a node
9531 whose value of the label with key topologyKey matches that of any node on which any of the
9532 selected pods is running.
9533 Empty topologyKey is not allowed.
9534 type: string
9535 x-kubernetes-list-type: atomic
9536 podAntiAffinity:
9537 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
9538 type: object
9539 properties:
9540 preferredDuringSchedulingIgnoredDuringExecution:
9541 description: |-
9542 The scheduler will prefer to schedule pods to nodes that satisfy
9543 the anti-affinity expressions specified by this field, but it may choose
9544 a node that violates one or more of the expressions. The node that is
9545 most preferred is the one with the greatest sum of weights, i.e.
9546 for each node that meets all of the scheduling requirements (resource
9547 request, requiredDuringScheduling anti-affinity expressions, etc.),
9548 compute a sum by iterating through the elements of this field and adding
9549 "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the
9550 node(s) with the highest sum are the most preferred.
9551 type: array
9552 items:
9553 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
9554 type: object
9555 required:
9556 - podAffinityTerm
9557 - weight
9558 properties:
9559 podAffinityTerm:
9560 description: Required. A pod affinity term, associated with the corresponding weight.
9561 type: object
9562 required:
9563 - topologyKey
9564 properties:
9565 labelSelector:
9566 description: |-
9567 A label query over a set of resources, in this case pods.
9568 If it's null, this PodAffinityTerm matches with no Pods.
9569 type: object
9570 properties:
9571 matchExpressions:
9572 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9573 type: array
9574 items:
9575 description: |-
9576 A label selector requirement is a selector that contains values, a key, and an operator that
9577 relates the key and values.
9578 type: object
9579 required:
9580 - key
9581 - operator
9582 properties:
9583 key:
9584 description: key is the label key that the selector applies to.
9585 type: string
9586 operator:
9587 description: |-
9588 operator represents a key's relationship to a set of values.
9589 Valid operators are In, NotIn, Exists and DoesNotExist.
9590 type: string
9591 values:
9592 description: |-
9593 values is an array of string values. If the operator is In or NotIn,
9594 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9595 the values array must be empty. This array is replaced during a strategic
9596 merge patch.
9597 type: array
9598 items:
9599 type: string
9600 x-kubernetes-list-type: atomic
9601 x-kubernetes-list-type: atomic
9602 matchLabels:
9603 description: |-
9604 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9605 map is equivalent to an element of matchExpressions, whose key field is "key", the
9606 operator is "In", and the values array contains only "value". The requirements are ANDed.
9607 type: object
9608 additionalProperties:
9609 type: string
9610 x-kubernetes-map-type: atomic
9611 matchLabelKeys:
9612 description: |-
9613 MatchLabelKeys is a set of pod label keys to select which pods will
9614 be taken into consideration. The keys are used to lookup values from the
9615 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
9616 to select the group of existing pods which pods will be taken into consideration
9617 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9618 pod labels will be ignored. The default value is empty.
9619 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
9620 Also, matchLabelKeys cannot be set when labelSelector isn't set.
9621 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9622 type: array
9623 items:
9624 type: string
9625 x-kubernetes-list-type: atomic
9626 mismatchLabelKeys:
9627 description: |-
9628 MismatchLabelKeys is a set of pod label keys to select which pods will
9629 be taken into consideration. The keys are used to lookup values from the
9630 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
9631 to select the group of existing pods which pods will be taken into consideration
9632 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9633 pod labels will be ignored. The default value is empty.
9634 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
9635 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
9636 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9637 type: array
9638 items:
9639 type: string
9640 x-kubernetes-list-type: atomic
9641 namespaceSelector:
9642 description: |-
9643 A label query over the set of namespaces that the term applies to.
9644 The term is applied to the union of the namespaces selected by this field
9645 and the ones listed in the namespaces field.
9646 null selector and null or empty namespaces list means "this pod's namespace".
9647 An empty selector ({}) matches all namespaces.
9648 type: object
9649 properties:
9650 matchExpressions:
9651 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9652 type: array
9653 items:
9654 description: |-
9655 A label selector requirement is a selector that contains values, a key, and an operator that
9656 relates the key and values.
9657 type: object
9658 required:
9659 - key
9660 - operator
9661 properties:
9662 key:
9663 description: key is the label key that the selector applies to.
9664 type: string
9665 operator:
9666 description: |-
9667 operator represents a key's relationship to a set of values.
9668 Valid operators are In, NotIn, Exists and DoesNotExist.
9669 type: string
9670 values:
9671 description: |-
9672 values is an array of string values. If the operator is In or NotIn,
9673 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9674 the values array must be empty. This array is replaced during a strategic
9675 merge patch.
9676 type: array
9677 items:
9678 type: string
9679 x-kubernetes-list-type: atomic
9680 x-kubernetes-list-type: atomic
9681 matchLabels:
9682 description: |-
9683 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9684 map is equivalent to an element of matchExpressions, whose key field is "key", the
9685 operator is "In", and the values array contains only "value". The requirements are ANDed.
9686 type: object
9687 additionalProperties:
9688 type: string
9689 x-kubernetes-map-type: atomic
9690 namespaces:
9691 description: |-
9692 namespaces specifies a static list of namespace names that the term applies to.
9693 The term is applied to the union of the namespaces listed in this field
9694 and the ones selected by namespaceSelector.
9695 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
9696 type: array
9697 items:
9698 type: string
9699 x-kubernetes-list-type: atomic
9700 topologyKey:
9701 description: |-
9702 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
9703 the labelSelector in the specified namespaces, where co-located is defined as running on a node
9704 whose value of the label with key topologyKey matches that of any node on which any of the
9705 selected pods is running.
9706 Empty topologyKey is not allowed.
9707 type: string
9708 weight:
9709 description: |-
9710 weight associated with matching the corresponding podAffinityTerm,
9711 in the range 1-100.
9712 type: integer
9713 format: int32
9714 x-kubernetes-list-type: atomic
9715 requiredDuringSchedulingIgnoredDuringExecution:
9716 description: |-
9717 If the anti-affinity requirements specified by this field are not met at
9718 scheduling time, the pod will not be scheduled onto the node.
9719 If the anti-affinity requirements specified by this field cease to be met
9720 at some point during pod execution (e.g. due to a pod label update), the
9721 system may or may not try to eventually evict the pod from its node.
9722 When there are multiple elements, the lists of nodes corresponding to each
9723 podAffinityTerm are intersected, i.e. all terms must be satisfied.
9724 type: array
9725 items:
9726 description: |-
9727 Defines a set of pods (namely those matching the labelSelector
9728 relative to the given namespace(s)) that this pod should be
9729 co-located (affinity) or not co-located (anti-affinity) with,
9730 where co-located is defined as running on a node whose value of
9731 the label with key <topologyKey> matches that of any node on which
9732 a pod of the set of pods is running
9733 type: object
9734 required:
9735 - topologyKey
9736 properties:
9737 labelSelector:
9738 description: |-
9739 A label query over a set of resources, in this case pods.
9740 If it's null, this PodAffinityTerm matches with no Pods.
9741 type: object
9742 properties:
9743 matchExpressions:
9744 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9745 type: array
9746 items:
9747 description: |-
9748 A label selector requirement is a selector that contains values, a key, and an operator that
9749 relates the key and values.
9750 type: object
9751 required:
9752 - key
9753 - operator
9754 properties:
9755 key:
9756 description: key is the label key that the selector applies to.
9757 type: string
9758 operator:
9759 description: |-
9760 operator represents a key's relationship to a set of values.
9761 Valid operators are In, NotIn, Exists and DoesNotExist.
9762 type: string
9763 values:
9764 description: |-
9765 values is an array of string values. If the operator is In or NotIn,
9766 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9767 the values array must be empty. This array is replaced during a strategic
9768 merge patch.
9769 type: array
9770 items:
9771 type: string
9772 x-kubernetes-list-type: atomic
9773 x-kubernetes-list-type: atomic
9774 matchLabels:
9775 description: |-
9776 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9777 map is equivalent to an element of matchExpressions, whose key field is "key", the
9778 operator is "In", and the values array contains only "value". The requirements are ANDed.
9779 type: object
9780 additionalProperties:
9781 type: string
9782 x-kubernetes-map-type: atomic
9783 matchLabelKeys:
9784 description: |-
9785 MatchLabelKeys is a set of pod label keys to select which pods will
9786 be taken into consideration. The keys are used to lookup values from the
9787 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
9788 to select the group of existing pods which pods will be taken into consideration
9789 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9790 pod labels will be ignored. The default value is empty.
9791 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
9792 Also, matchLabelKeys cannot be set when labelSelector isn't set.
9793 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9794 type: array
9795 items:
9796 type: string
9797 x-kubernetes-list-type: atomic
9798 mismatchLabelKeys:
9799 description: |-
9800 MismatchLabelKeys is a set of pod label keys to select which pods will
9801 be taken into consideration. The keys are used to lookup values from the
9802 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
9803 to select the group of existing pods which pods will be taken into consideration
9804 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
9805 pod labels will be ignored. The default value is empty.
9806 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
9807 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
9808 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
9809 type: array
9810 items:
9811 type: string
9812 x-kubernetes-list-type: atomic
9813 namespaceSelector:
9814 description: |-
9815 A label query over the set of namespaces that the term applies to.
9816 The term is applied to the union of the namespaces selected by this field
9817 and the ones listed in the namespaces field.
9818 null selector and null or empty namespaces list means "this pod's namespace".
9819 An empty selector ({}) matches all namespaces.
9820 type: object
9821 properties:
9822 matchExpressions:
9823 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
9824 type: array
9825 items:
9826 description: |-
9827 A label selector requirement is a selector that contains values, a key, and an operator that
9828 relates the key and values.
9829 type: object
9830 required:
9831 - key
9832 - operator
9833 properties:
9834 key:
9835 description: key is the label key that the selector applies to.
9836 type: string
9837 operator:
9838 description: |-
9839 operator represents a key's relationship to a set of values.
9840 Valid operators are In, NotIn, Exists and DoesNotExist.
9841 type: string
9842 values:
9843 description: |-
9844 values is an array of string values. If the operator is In or NotIn,
9845 the values array must be non-empty. If the operator is Exists or DoesNotExist,
9846 the values array must be empty. This array is replaced during a strategic
9847 merge patch.
9848 type: array
9849 items:
9850 type: string
9851 x-kubernetes-list-type: atomic
9852 x-kubernetes-list-type: atomic
9853 matchLabels:
9854 description: |-
9855 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
9856 map is equivalent to an element of matchExpressions, whose key field is "key", the
9857 operator is "In", and the values array contains only "value". The requirements are ANDed.
9858 type: object
9859 additionalProperties:
9860 type: string
9861 x-kubernetes-map-type: atomic
9862 namespaces:
9863 description: |-
9864 namespaces specifies a static list of namespace names that the term applies to.
9865 The term is applied to the union of the namespaces listed in this field
9866 and the ones selected by namespaceSelector.
9867 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
9868 type: array
9869 items:
9870 type: string
9871 x-kubernetes-list-type: atomic
9872 topologyKey:
9873 description: |-
9874 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
9875 the labelSelector in the specified namespaces, where co-located is defined as running on a node
9876 whose value of the label with key topologyKey matches that of any node on which any of the
9877 selected pods is running.
9878 Empty topologyKey is not allowed.
9879 type: string
9880 x-kubernetes-list-type: atomic
9881 imagePullSecrets:
9882 description: If specified, the pod's imagePullSecrets
9883 type: array
9884 items:
9885 description: |-
9886 LocalObjectReference contains enough information to let you locate the
9887 referenced object inside the same namespace.
9888 type: object
9889 properties:
9890 name:
9891 description: |-
9892 Name of the referent.
9893 This field is effectively required, but due to backwards compatibility is
9894 allowed to be empty. Instances of this type with an empty value here are
9895 almost certainly wrong.
9896 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
9897 type: string
9898 default: ""
9899 x-kubernetes-map-type: atomic
9900 nodeSelector:
9901 description: |-
9902 NodeSelector is a selector which must be true for the pod to fit on a node.
9903 Selector which must match a node's labels for the pod to be scheduled on that node.
9904 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
9905 type: object
9906 additionalProperties:
9907 type: string
9908 priorityClassName:
9909 description: If specified, the pod's priorityClassName.
9910 type: string
9911 securityContext:
9912 description: If specified, the pod's security context
9913 type: object
9914 properties:
9915 fsGroup:
9916 description: |-
9917 A special supplemental group that applies to all containers in a pod.
9918 Some volume types allow the Kubelet to change the ownership of that volume
9919 to be owned by the pod:
9920
9921 1. The owning GID will be the FSGroup
9922 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
9923 3. The permission bits are OR'd with rw-rw----
9924
9925 If unset, the Kubelet will not modify the ownership and permissions of any volume.
9926 Note that this field cannot be set when spec.os.name is windows.
9927 type: integer
9928 format: int64
9929 fsGroupChangePolicy:
9930 description: |-
9931 fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
9932 before being exposed inside Pod. This field will only apply to
9933 volume types which support fsGroup based ownership (and permissions).
9934 It will have no effect on ephemeral volume types such as: secret, configmaps
9935 and emptydir.
9936 Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
9937 Note that this field cannot be set when spec.os.name is windows.
9938 type: string
9939 runAsGroup:
9940 description: |-
9941 The GID to run the entrypoint of the container process.
9942 Uses runtime default if unset.
9943 May also be set in SecurityContext. If set in both SecurityContext and
9944 PodSecurityContext, the value specified in SecurityContext takes precedence
9945 for that container.
9946 Note that this field cannot be set when spec.os.name is windows.
9947 type: integer
9948 format: int64
9949 runAsNonRoot:
9950 description: |-
9951 Indicates that the container must run as a non-root user.
9952 If true, the Kubelet will validate the image at runtime to ensure that it
9953 does not run as UID 0 (root) and fail to start the container if it does.
9954 If unset or false, no such validation will be performed.
9955 May also be set in SecurityContext. If set in both SecurityContext and
9956 PodSecurityContext, the value specified in SecurityContext takes precedence.
9957 type: boolean
9958 runAsUser:
9959 description: |-
9960 The UID to run the entrypoint of the container process.
9961 Defaults to user specified in image metadata if unspecified.
9962 May also be set in SecurityContext. If set in both SecurityContext and
9963 PodSecurityContext, the value specified in SecurityContext takes precedence
9964 for that container.
9965 Note that this field cannot be set when spec.os.name is windows.
9966 type: integer
9967 format: int64
9968 seLinuxOptions:
9969 description: |-
9970 The SELinux context to be applied to all containers.
9971 If unspecified, the container runtime will allocate a random SELinux context for each
9972 container. May also be set in SecurityContext. If set in
9973 both SecurityContext and PodSecurityContext, the value specified in SecurityContext
9974 takes precedence for that container.
9975 Note that this field cannot be set when spec.os.name is windows.
9976 type: object
9977 properties:
9978 level:
9979 description: Level is SELinux level label that applies to the container.
9980 type: string
9981 role:
9982 description: Role is a SELinux role label that applies to the container.
9983 type: string
9984 type:
9985 description: Type is a SELinux type label that applies to the container.
9986 type: string
9987 user:
9988 description: User is a SELinux user label that applies to the container.
9989 type: string
9990 seccompProfile:
9991 description: |-
9992 The seccomp options to use by the containers in this pod.
9993 Note that this field cannot be set when spec.os.name is windows.
9994 type: object
9995 required:
9996 - type
9997 properties:
9998 localhostProfile:
9999 description: |-
10000 localhostProfile indicates a profile defined in a file on the node should be used.
10001 The profile must be preconfigured on the node to work.
10002 Must be a descending path, relative to the kubelet's configured seccomp profile location.
10003 Must be set if type is "Localhost". Must NOT be set for any other type.
10004 type: string
10005 type:
10006 description: |-
10007 type indicates which kind of seccomp profile will be applied.
10008 Valid options are:
10009
10010 Localhost - a profile defined in a file on the node should be used.
10011 RuntimeDefault - the container runtime default profile should be used.
10012 Unconfined - no profile should be applied.
10013 type: string
10014 supplementalGroups:
10015 description: |-
10016 A list of groups applied to the first process run in each container, in addition
10017 to the container's primary GID, the fsGroup (if specified), and group memberships
10018 defined in the container image for the uid of the container process. If unspecified,
10019 no additional groups are added to any container. Note that group memberships
10020 defined in the container image for the uid of the container process are still effective,
10021 even if they are not included in this list.
10022 Note that this field cannot be set when spec.os.name is windows.
10023 type: array
10024 items:
10025 type: integer
10026 format: int64
10027 sysctls:
10028 description: |-
10029 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
10030 sysctls (by the container runtime) might fail to launch.
10031 Note that this field cannot be set when spec.os.name is windows.
10032 type: array
10033 items:
10034 description: Sysctl defines a kernel parameter to be set
10035 type: object
10036 required:
10037 - name
10038 - value
10039 properties:
10040 name:
10041 description: Name of a property to set
10042 type: string
10043 value:
10044 description: Value of a property to set
10045 type: string
10046 serviceAccountName:
10047 description: If specified, the pod's service account
10048 type: string
10049 tolerations:
10050 description: If specified, the pod's tolerations.
10051 type: array
10052 items:
10053 description: |-
10054 The pod this Toleration is attached to tolerates any taint that matches
10055 the triple <key,value,effect> using the matching operator <operator>.
10056 type: object
10057 properties:
10058 effect:
10059 description: |-
10060 Effect indicates the taint effect to match. Empty means match all taint effects.
10061 When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
10062 type: string
10063 key:
10064 description: |-
10065 Key is the taint key that the toleration applies to. Empty means match all taint keys.
10066 If the key is empty, operator must be Exists; this combination means to match all values and all keys.
10067 type: string
10068 operator:
10069 description: |-
10070 Operator represents a key's relationship to the value.
10071 Valid operators are Exists and Equal. Defaults to Equal.
10072 Exists is equivalent to wildcard for value, so that a pod can
10073 tolerate all taints of a particular category.
10074 type: string
10075 tolerationSeconds:
10076 description: |-
10077 TolerationSeconds represents the period of time the toleration (which must be
10078 of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
10079 it is not set, which means tolerate the taint forever (do not evict). Zero and
10080 negative values will be treated as 0 (evict immediately) by the system.
10081 type: integer
10082 format: int64
10083 value:
10084 description: |-
10085 Value is the taint value the toleration matches to.
10086 If the operator is Exists, the value should be empty, otherwise just a regular string.
10087 type: string
10088 serviceType:
10089 description: |-
10090 Optional service type for Kubernetes solver service. Supported values
10091 are NodePort or ClusterIP. If unset, defaults to NodePort.
10092 type: string
10093 ingress:
10094 description: |-
10095 The ingress based HTTP01 challenge solver will solve challenges by
10096 creating or modifying Ingress resources in order to route requests for
10097 '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
10098 provisioned by cert-manager for each Challenge to be completed.
10099 type: object
10100 properties:
10101 class:
10102 description: |-
10103 This field configures the annotation `kubernetes.io/ingress.class` when
10104 creating Ingress resources to solve ACME challenges that use this
10105 challenge solver. Only one of `class`, `name` or `ingressClassName` may
10106 be specified.
10107 type: string
10108 ingressClassName:
10109 description: |-
10110 This field configures the field `ingressClassName` on the created Ingress
10111 resources used to solve ACME challenges that use this challenge solver.
10112 This is the recommended way of configuring the ingress class. Only one of
10113 `class`, `name` or `ingressClassName` may be specified.
10114 type: string
10115 ingressTemplate:
10116 description: |-
10117 Optional ingress template used to configure the ACME challenge solver
10118 ingress used for HTTP01 challenges.
10119 type: object
10120 properties:
10121 metadata:
10122 description: |-
10123 ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
10124 Only the 'labels' and 'annotations' fields may be set.
10125 If labels or annotations overlap with in-built values, the values here
10126 will override the in-built values.
10127 type: object
10128 properties:
10129 annotations:
10130 description: Annotations that should be added to the created ACME HTTP01 solver ingress.
10131 type: object
10132 additionalProperties:
10133 type: string
10134 labels:
10135 description: Labels that should be added to the created ACME HTTP01 solver ingress.
10136 type: object
10137 additionalProperties:
10138 type: string
10139 name:
10140 description: |-
10141 The name of the ingress resource that should have ACME challenge solving
10142 routes inserted into it in order to solve HTTP01 challenges.
10143 This is typically used in conjunction with ingress controllers like
10144 ingress-gce, which maintains a 1:1 mapping between external IPs and
10145 ingress resources. Only one of `class`, `name` or `ingressClassName` may
10146 be specified.
10147 type: string
10148 podTemplate:
10149 description: |-
10150 Optional pod template used to configure the ACME challenge solver pods
10151 used for HTTP01 challenges.
10152 type: object
10153 properties:
10154 metadata:
10155 description: |-
10156 ObjectMeta overrides for the pod used to solve HTTP01 challenges.
10157 Only the 'labels' and 'annotations' fields may be set.
10158 If labels or annotations overlap with in-built values, the values here
10159 will override the in-built values.
10160 type: object
10161 properties:
10162 annotations:
10163 description: Annotations that should be added to the created ACME HTTP01 solver pods.
10164 type: object
10165 additionalProperties:
10166 type: string
10167 labels:
10168 description: Labels that should be added to the created ACME HTTP01 solver pods.
10169 type: object
10170 additionalProperties:
10171 type: string
10172 spec:
10173 description: |-
10174 PodSpec defines overrides for the HTTP01 challenge solver pod.
10175 Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
10176 All other fields will be ignored.
10177 type: object
10178 properties:
10179 affinity:
10180 description: If specified, the pod's scheduling constraints
10181 type: object
10182 properties:
10183 nodeAffinity:
10184 description: Describes node affinity scheduling rules for the pod.
10185 type: object
10186 properties:
10187 preferredDuringSchedulingIgnoredDuringExecution:
10188 description: |-
10189 The scheduler will prefer to schedule pods to nodes that satisfy
10190 the affinity expressions specified by this field, but it may choose
10191 a node that violates one or more of the expressions. The node that is
10192 most preferred is the one with the greatest sum of weights, i.e.
10193 for each node that meets all of the scheduling requirements (resource
10194 request, requiredDuringScheduling affinity expressions, etc.),
10195 compute a sum by iterating through the elements of this field and adding
10196 "weight" to the sum if the node matches the corresponding matchExpressions; the
10197 node(s) with the highest sum are the most preferred.
10198 type: array
10199 items:
10200 description: |-
10201 An empty preferred scheduling term matches all objects with implicit weight 0
10202 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
10203 type: object
10204 required:
10205 - preference
10206 - weight
10207 properties:
10208 preference:
10209 description: A node selector term, associated with the corresponding weight.
10210 type: object
10211 properties:
10212 matchExpressions:
10213 description: A list of node selector requirements by node's labels.
10214 type: array
10215 items:
10216 description: |-
10217 A node selector requirement is a selector that contains values, a key, and an operator
10218 that relates the key and values.
10219 type: object
10220 required:
10221 - key
10222 - operator
10223 properties:
10224 key:
10225 description: The label key that the selector applies to.
10226 type: string
10227 operator:
10228 description: |-
10229 Represents a key's relationship to a set of values.
10230 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10231 type: string
10232 values:
10233 description: |-
10234 An array of string values. If the operator is In or NotIn,
10235 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10236 the values array must be empty. If the operator is Gt or Lt, the values
10237 array must have a single element, which will be interpreted as an integer.
10238 This array is replaced during a strategic merge patch.
10239 type: array
10240 items:
10241 type: string
10242 x-kubernetes-list-type: atomic
10243 x-kubernetes-list-type: atomic
10244 matchFields:
10245 description: A list of node selector requirements by node's fields.
10246 type: array
10247 items:
10248 description: |-
10249 A node selector requirement is a selector that contains values, a key, and an operator
10250 that relates the key and values.
10251 type: object
10252 required:
10253 - key
10254 - operator
10255 properties:
10256 key:
10257 description: The label key that the selector applies to.
10258 type: string
10259 operator:
10260 description: |-
10261 Represents a key's relationship to a set of values.
10262 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10263 type: string
10264 values:
10265 description: |-
10266 An array of string values. If the operator is In or NotIn,
10267 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10268 the values array must be empty. If the operator is Gt or Lt, the values
10269 array must have a single element, which will be interpreted as an integer.
10270 This array is replaced during a strategic merge patch.
10271 type: array
10272 items:
10273 type: string
10274 x-kubernetes-list-type: atomic
10275 x-kubernetes-list-type: atomic
10276 x-kubernetes-map-type: atomic
10277 weight:
10278 description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
10279 type: integer
10280 format: int32
10281 x-kubernetes-list-type: atomic
10282 requiredDuringSchedulingIgnoredDuringExecution:
10283 description: |-
10284 If the affinity requirements specified by this field are not met at
10285 scheduling time, the pod will not be scheduled onto the node.
10286 If the affinity requirements specified by this field cease to be met
10287 at some point during pod execution (e.g. due to an update), the system
10288 may or may not try to eventually evict the pod from its node.
10289 type: object
10290 required:
10291 - nodeSelectorTerms
10292 properties:
10293 nodeSelectorTerms:
10294 description: Required. A list of node selector terms. The terms are ORed.
10295 type: array
10296 items:
10297 description: |-
10298 A null or empty node selector term matches no objects. The requirements of
10299 them are ANDed.
10300 The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
10301 type: object
10302 properties:
10303 matchExpressions:
10304 description: A list of node selector requirements by node's labels.
10305 type: array
10306 items:
10307 description: |-
10308 A node selector requirement is a selector that contains values, a key, and an operator
10309 that relates the key and values.
10310 type: object
10311 required:
10312 - key
10313 - operator
10314 properties:
10315 key:
10316 description: The label key that the selector applies to.
10317 type: string
10318 operator:
10319 description: |-
10320 Represents a key's relationship to a set of values.
10321 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10322 type: string
10323 values:
10324 description: |-
10325 An array of string values. If the operator is In or NotIn,
10326 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10327 the values array must be empty. If the operator is Gt or Lt, the values
10328 array must have a single element, which will be interpreted as an integer.
10329 This array is replaced during a strategic merge patch.
10330 type: array
10331 items:
10332 type: string
10333 x-kubernetes-list-type: atomic
10334 x-kubernetes-list-type: atomic
10335 matchFields:
10336 description: A list of node selector requirements by node's fields.
10337 type: array
10338 items:
10339 description: |-
10340 A node selector requirement is a selector that contains values, a key, and an operator
10341 that relates the key and values.
10342 type: object
10343 required:
10344 - key
10345 - operator
10346 properties:
10347 key:
10348 description: The label key that the selector applies to.
10349 type: string
10350 operator:
10351 description: |-
10352 Represents a key's relationship to a set of values.
10353 Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
10354 type: string
10355 values:
10356 description: |-
10357 An array of string values. If the operator is In or NotIn,
10358 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10359 the values array must be empty. If the operator is Gt or Lt, the values
10360 array must have a single element, which will be interpreted as an integer.
10361 This array is replaced during a strategic merge patch.
10362 type: array
10363 items:
10364 type: string
10365 x-kubernetes-list-type: atomic
10366 x-kubernetes-list-type: atomic
10367 x-kubernetes-map-type: atomic
10368 x-kubernetes-list-type: atomic
10369 x-kubernetes-map-type: atomic
10370 podAffinity:
10371 description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
10372 type: object
10373 properties:
10374 preferredDuringSchedulingIgnoredDuringExecution:
10375 description: |-
10376 The scheduler will prefer to schedule pods to nodes that satisfy
10377 the affinity expressions specified by this field, but it may choose
10378 a node that violates one or more of the expressions. The node that is
10379 most preferred is the one with the greatest sum of weights, i.e.
10380 for each node that meets all of the scheduling requirements (resource
10381 request, requiredDuringScheduling affinity expressions, etc.),
10382 compute a sum by iterating through the elements of this field and adding
10383 "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
10384 node(s) with the highest sum are the most preferred.
10385 type: array
10386 items:
10387 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10388 type: object
10389 required:
10390 - podAffinityTerm
10391 - weight
10392 properties:
10393 podAffinityTerm:
10394 description: Required. A pod affinity term, associated with the corresponding weight.
10395 type: object
10396 required:
10397 - topologyKey
10398 properties:
10399 labelSelector:
10400 description: |-
10401 A label query over a set of resources, in this case pods.
10402 If it's null, this PodAffinityTerm matches with no Pods.
10403 type: object
10404 properties:
10405 matchExpressions:
10406 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10407 type: array
10408 items:
10409 description: |-
10410 A label selector requirement is a selector that contains values, a key, and an operator that
10411 relates the key and values.
10412 type: object
10413 required:
10414 - key
10415 - operator
10416 properties:
10417 key:
10418 description: key is the label key that the selector applies to.
10419 type: string
10420 operator:
10421 description: |-
10422 operator represents a key's relationship to a set of values.
10423 Valid operators are In, NotIn, Exists and DoesNotExist.
10424 type: string
10425 values:
10426 description: |-
10427 values is an array of string values. If the operator is In or NotIn,
10428 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10429 the values array must be empty. This array is replaced during a strategic
10430 merge patch.
10431 type: array
10432 items:
10433 type: string
10434 x-kubernetes-list-type: atomic
10435 x-kubernetes-list-type: atomic
10436 matchLabels:
10437 description: |-
10438 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
10439 map is equivalent to an element of matchExpressions, whose key field is "key", the
10440 operator is "In", and the values array contains only "value". The requirements are ANDed.
10441 type: object
10442 additionalProperties:
10443 type: string
10444 x-kubernetes-map-type: atomic
10445 matchLabelKeys:
10446 description: |-
10447 MatchLabelKeys is a set of pod label keys to select which pods will
10448 be taken into consideration. The keys are used to lookup values from the
10449 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
10450 to select the group of existing pods which pods will be taken into consideration
10451 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
10452 pod labels will be ignored. The default value is empty.
10453 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
10454 Also, matchLabelKeys cannot be set when labelSelector isn't set.
10455 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
10456 type: array
10457 items:
10458 type: string
10459 x-kubernetes-list-type: atomic
10460 mismatchLabelKeys:
10461 description: |-
10462 MismatchLabelKeys is a set of pod label keys to select which pods will
10463 be taken into consideration. The keys are used to lookup values from the
10464 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
10465 to select the group of existing pods which pods will be taken into consideration
10466 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
10467 pod labels will be ignored. The default value is empty.
10468 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
10469 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
10470 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
10471 type: array
10472 items:
10473 type: string
10474 x-kubernetes-list-type: atomic
10475 namespaceSelector:
10476 description: |-
10477 A label query over the set of namespaces that the term applies to.
10478 The term is applied to the union of the namespaces selected by this field
10479 and the ones listed in the namespaces field.
10480 null selector and null or empty namespaces list means "this pod's namespace".
10481 An empty selector ({}) matches all namespaces.
10482 type: object
10483 properties:
10484 matchExpressions:
10485 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10486 type: array
10487 items:
10488 description: |-
10489 A label selector requirement is a selector that contains values, a key, and an operator that
10490 relates the key and values.
10491 type: object
10492 required:
10493 - key
10494 - operator
10495 properties:
10496 key:
10497 description: key is the label key that the selector applies to.
10498 type: string
10499 operator:
10500 description: |-
10501 operator represents a key's relationship to a set of values.
10502 Valid operators are In, NotIn, Exists and DoesNotExist.
10503 type: string
10504 values:
10505 description: |-
10506 values is an array of string values. If the operator is In or NotIn,
10507 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10508 the values array must be empty. This array is replaced during a strategic
10509 merge patch.
10510 type: array
10511 items:
10512 type: string
10513 x-kubernetes-list-type: atomic
10514 x-kubernetes-list-type: atomic
10515 matchLabels:
10516 description: |-
10517 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
10518 map is equivalent to an element of matchExpressions, whose key field is "key", the
10519 operator is "In", and the values array contains only "value". The requirements are ANDed.
10520 type: object
10521 additionalProperties:
10522 type: string
10523 x-kubernetes-map-type: atomic
10524 namespaces:
10525 description: |-
10526 namespaces specifies a static list of namespace names that the term applies to.
10527 The term is applied to the union of the namespaces listed in this field
10528 and the ones selected by namespaceSelector.
10529 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
10530 type: array
10531 items:
10532 type: string
10533 x-kubernetes-list-type: atomic
10534 topologyKey:
10535 description: |-
10536 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
10537 the labelSelector in the specified namespaces, where co-located is defined as running on a node
10538 whose value of the label with key topologyKey matches that of any node on which any of the
10539 selected pods is running.
10540 Empty topologyKey is not allowed.
10541 type: string
10542 weight:
10543 description: |-
10544 weight associated with matching the corresponding podAffinityTerm,
10545 in the range 1-100.
10546 type: integer
10547 format: int32
10548 x-kubernetes-list-type: atomic
10549 requiredDuringSchedulingIgnoredDuringExecution:
10550 description: |-
10551 If the affinity requirements specified by this field are not met at
10552 scheduling time, the pod will not be scheduled onto the node.
10553 If the affinity requirements specified by this field cease to be met
10554 at some point during pod execution (e.g. due to a pod label update), the
10555 system may or may not try to eventually evict the pod from its node.
10556 When there are multiple elements, the lists of nodes corresponding to each
10557 podAffinityTerm are intersected, i.e. all terms must be satisfied.
10558 type: array
10559 items:
10560 description: |-
10561 Defines a set of pods (namely those matching the labelSelector
10562 relative to the given namespace(s)) that this pod should be
10563 co-located (affinity) or not co-located (anti-affinity) with,
10564 where co-located is defined as running on a node whose value of
10565 the label with key <topologyKey> matches that of any node on which
10566 a pod of the set of pods is running
10567 type: object
10568 required:
10569 - topologyKey
10570 properties:
10571 labelSelector:
10572 description: |-
10573 A label query over a set of resources, in this case pods.
10574 If it's null, this PodAffinityTerm matches with no Pods.
10575 type: object
10576 properties:
10577 matchExpressions:
10578 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10579 type: array
10580 items:
10581 description: |-
10582 A label selector requirement is a selector that contains values, a key, and an operator that
10583 relates the key and values.
10584 type: object
10585 required:
10586 - key
10587 - operator
10588 properties:
10589 key:
10590 description: key is the label key that the selector applies to.
10591 type: string
10592 operator:
10593 description: |-
10594 operator represents a key's relationship to a set of values.
10595 Valid operators are In, NotIn, Exists and DoesNotExist.
10596 type: string
10597 values:
10598 description: |-
10599 values is an array of string values. If the operator is In or NotIn,
10600 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10601 the values array must be empty. This array is replaced during a strategic
10602 merge patch.
10603 type: array
10604 items:
10605 type: string
10606 x-kubernetes-list-type: atomic
10607 x-kubernetes-list-type: atomic
10608 matchLabels:
10609 description: |-
10610 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
10611 map is equivalent to an element of matchExpressions, whose key field is "key", the
10612 operator is "In", and the values array contains only "value". The requirements are ANDed.
10613 type: object
10614 additionalProperties:
10615 type: string
10616 x-kubernetes-map-type: atomic
10617 matchLabelKeys:
10618 description: |-
10619 MatchLabelKeys is a set of pod label keys to select which pods will
10620 be taken into consideration. The keys are used to lookup values from the
10621 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
10622 to select the group of existing pods which pods will be taken into consideration
10623 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
10624 pod labels will be ignored. The default value is empty.
10625 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
10626 Also, matchLabelKeys cannot be set when labelSelector isn't set.
10627 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
10628 type: array
10629 items:
10630 type: string
10631 x-kubernetes-list-type: atomic
10632 mismatchLabelKeys:
10633 description: |-
10634 MismatchLabelKeys is a set of pod label keys to select which pods will
10635 be taken into consideration. The keys are used to lookup values from the
10636 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
10637 to select the group of existing pods which pods will be taken into consideration
10638 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
10639 pod labels will be ignored. The default value is empty.
10640 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
10641 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
10642 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
10643 type: array
10644 items:
10645 type: string
10646 x-kubernetes-list-type: atomic
10647 namespaceSelector:
10648 description: |-
10649 A label query over the set of namespaces that the term applies to.
10650 The term is applied to the union of the namespaces selected by this field
10651 and the ones listed in the namespaces field.
10652 null selector and null or empty namespaces list means "this pod's namespace".
10653 An empty selector ({}) matches all namespaces.
10654 type: object
10655 properties:
10656 matchExpressions:
10657 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10658 type: array
10659 items:
10660 description: |-
10661 A label selector requirement is a selector that contains values, a key, and an operator that
10662 relates the key and values.
10663 type: object
10664 required:
10665 - key
10666 - operator
10667 properties:
10668 key:
10669 description: key is the label key that the selector applies to.
10670 type: string
10671 operator:
10672 description: |-
10673 operator represents a key's relationship to a set of values.
10674 Valid operators are In, NotIn, Exists and DoesNotExist.
10675 type: string
10676 values:
10677 description: |-
10678 values is an array of string values. If the operator is In or NotIn,
10679 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10680 the values array must be empty. This array is replaced during a strategic
10681 merge patch.
10682 type: array
10683 items:
10684 type: string
10685 x-kubernetes-list-type: atomic
10686 x-kubernetes-list-type: atomic
10687 matchLabels:
10688 description: |-
10689 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
10690 map is equivalent to an element of matchExpressions, whose key field is "key", the
10691 operator is "In", and the values array contains only "value". The requirements are ANDed.
10692 type: object
10693 additionalProperties:
10694 type: string
10695 x-kubernetes-map-type: atomic
10696 namespaces:
10697 description: |-
10698 namespaces specifies a static list of namespace names that the term applies to.
10699 The term is applied to the union of the namespaces listed in this field
10700 and the ones selected by namespaceSelector.
10701 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
10702 type: array
10703 items:
10704 type: string
10705 x-kubernetes-list-type: atomic
10706 topologyKey:
10707 description: |-
10708 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
10709 the labelSelector in the specified namespaces, where co-located is defined as running on a node
10710 whose value of the label with key topologyKey matches that of any node on which any of the
10711 selected pods is running.
10712 Empty topologyKey is not allowed.
10713 type: string
10714 x-kubernetes-list-type: atomic
10715 podAntiAffinity:
10716 description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
10717 type: object
10718 properties:
10719 preferredDuringSchedulingIgnoredDuringExecution:
10720 description: |-
10721 The scheduler will prefer to schedule pods to nodes that satisfy
10722 the anti-affinity expressions specified by this field, but it may choose
10723 a node that violates one or more of the expressions. The node that is
10724 most preferred is the one with the greatest sum of weights, i.e.
10725 for each node that meets all of the scheduling requirements (resource
10726 request, requiredDuringScheduling anti-affinity expressions, etc.),
10727 compute a sum by iterating through the elements of this field and adding
10728 "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
10729 node(s) with the highest sum are the most preferred.
10730 type: array
10731 items:
10732 description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
10733 type: object
10734 required:
10735 - podAffinityTerm
10736 - weight
10737 properties:
10738 podAffinityTerm:
10739 description: Required. A pod affinity term, associated with the corresponding weight.
10740 type: object
10741 required:
10742 - topologyKey
10743 properties:
10744 labelSelector:
10745 description: |-
10746 A label query over a set of resources, in this case pods.
10747 If it's null, this PodAffinityTerm matches with no Pods.
10748 type: object
10749 properties:
10750 matchExpressions:
10751 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10752 type: array
10753 items:
10754 description: |-
10755 A label selector requirement is a selector that contains values, a key, and an operator that
10756 relates the key and values.
10757 type: object
10758 required:
10759 - key
10760 - operator
10761 properties:
10762 key:
10763 description: key is the label key that the selector applies to.
10764 type: string
10765 operator:
10766 description: |-
10767 operator represents a key's relationship to a set of values.
10768 Valid operators are In, NotIn, Exists and DoesNotExist.
10769 type: string
10770 values:
10771 description: |-
10772 values is an array of string values. If the operator is In or NotIn,
10773 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10774 the values array must be empty. This array is replaced during a strategic
10775 merge patch.
10776 type: array
10777 items:
10778 type: string
10779 x-kubernetes-list-type: atomic
10780 x-kubernetes-list-type: atomic
10781 matchLabels:
10782 description: |-
10783 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
10784 map is equivalent to an element of matchExpressions, whose key field is "key", the
10785 operator is "In", and the values array contains only "value". The requirements are ANDed.
10786 type: object
10787 additionalProperties:
10788 type: string
10789 x-kubernetes-map-type: atomic
10790 matchLabelKeys:
10791 description: |-
10792 MatchLabelKeys is a set of pod label keys to select which pods will
10793 be taken into consideration. The keys are used to lookup values from the
10794 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
10795 to select the group of existing pods which pods will be taken into consideration
10796 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
10797 pod labels will be ignored. The default value is empty.
10798 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
10799 Also, matchLabelKeys cannot be set when labelSelector isn't set.
10800 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
10801 type: array
10802 items:
10803 type: string
10804 x-kubernetes-list-type: atomic
10805 mismatchLabelKeys:
10806 description: |-
10807 MismatchLabelKeys is a set of pod label keys to select which pods will
10808 be taken into consideration. The keys are used to lookup values from the
10809 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
10810 to select the group of existing pods which pods will be taken into consideration
10811 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
10812 pod labels will be ignored. The default value is empty.
10813 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
10814 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
10815 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
10816 type: array
10817 items:
10818 type: string
10819 x-kubernetes-list-type: atomic
10820 namespaceSelector:
10821 description: |-
10822 A label query over the set of namespaces that the term applies to.
10823 The term is applied to the union of the namespaces selected by this field
10824 and the ones listed in the namespaces field.
10825 null selector and null or empty namespaces list means "this pod's namespace".
10826 An empty selector ({}) matches all namespaces.
10827 type: object
10828 properties:
10829 matchExpressions:
10830 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10831 type: array
10832 items:
10833 description: |-
10834 A label selector requirement is a selector that contains values, a key, and an operator that
10835 relates the key and values.
10836 type: object
10837 required:
10838 - key
10839 - operator
10840 properties:
10841 key:
10842 description: key is the label key that the selector applies to.
10843 type: string
10844 operator:
10845 description: |-
10846 operator represents a key's relationship to a set of values.
10847 Valid operators are In, NotIn, Exists and DoesNotExist.
10848 type: string
10849 values:
10850 description: |-
10851 values is an array of string values. If the operator is In or NotIn,
10852 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10853 the values array must be empty. This array is replaced during a strategic
10854 merge patch.
10855 type: array
10856 items:
10857 type: string
10858 x-kubernetes-list-type: atomic
10859 x-kubernetes-list-type: atomic
10860 matchLabels:
10861 description: |-
10862 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
10863 map is equivalent to an element of matchExpressions, whose key field is "key", the
10864 operator is "In", and the values array contains only "value". The requirements are ANDed.
10865 type: object
10866 additionalProperties:
10867 type: string
10868 x-kubernetes-map-type: atomic
10869 namespaces:
10870 description: |-
10871 namespaces specifies a static list of namespace names that the term applies to.
10872 The term is applied to the union of the namespaces listed in this field
10873 and the ones selected by namespaceSelector.
10874 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
10875 type: array
10876 items:
10877 type: string
10878 x-kubernetes-list-type: atomic
10879 topologyKey:
10880 description: |-
10881 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
10882 the labelSelector in the specified namespaces, where co-located is defined as running on a node
10883 whose value of the label with key topologyKey matches that of any node on which any of the
10884 selected pods is running.
10885 Empty topologyKey is not allowed.
10886 type: string
10887 weight:
10888 description: |-
10889 weight associated with matching the corresponding podAffinityTerm,
10890 in the range 1-100.
10891 type: integer
10892 format: int32
10893 x-kubernetes-list-type: atomic
10894 requiredDuringSchedulingIgnoredDuringExecution:
10895 description: |-
10896 If the anti-affinity requirements specified by this field are not met at
10897 scheduling time, the pod will not be scheduled onto the node.
10898 If the anti-affinity requirements specified by this field cease to be met
10899 at some point during pod execution (e.g. due to a pod label update), the
10900 system may or may not try to eventually evict the pod from its node.
10901 When there are multiple elements, the lists of nodes corresponding to each
10902 podAffinityTerm are intersected, i.e. all terms must be satisfied.
10903 type: array
10904 items:
10905 description: |-
10906 Defines a set of pods (namely those matching the labelSelector
10907 relative to the given namespace(s)) that this pod should be
10908 co-located (affinity) or not co-located (anti-affinity) with,
10909 where co-located is defined as running on a node whose value of
10910 the label with key <topologyKey> matches that of any node on which
10911 a pod of the set of pods is running
10912 type: object
10913 required:
10914 - topologyKey
10915 properties:
10916 labelSelector:
10917 description: |-
10918 A label query over a set of resources, in this case pods.
10919 If it's null, this PodAffinityTerm matches with no Pods.
10920 type: object
10921 properties:
10922 matchExpressions:
10923 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
10924 type: array
10925 items:
10926 description: |-
10927 A label selector requirement is a selector that contains values, a key, and an operator that
10928 relates the key and values.
10929 type: object
10930 required:
10931 - key
10932 - operator
10933 properties:
10934 key:
10935 description: key is the label key that the selector applies to.
10936 type: string
10937 operator:
10938 description: |-
10939 operator represents a key's relationship to a set of values.
10940 Valid operators are In, NotIn, Exists and DoesNotExist.
10941 type: string
10942 values:
10943 description: |-
10944 values is an array of string values. If the operator is In or NotIn,
10945 the values array must be non-empty. If the operator is Exists or DoesNotExist,
10946 the values array must be empty. This array is replaced during a strategic
10947 merge patch.
10948 type: array
10949 items:
10950 type: string
10951 x-kubernetes-list-type: atomic
10952 x-kubernetes-list-type: atomic
10953 matchLabels:
10954 description: |-
10955 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
10956 map is equivalent to an element of matchExpressions, whose key field is "key", the
10957 operator is "In", and the values array contains only "value". The requirements are ANDed.
10958 type: object
10959 additionalProperties:
10960 type: string
10961 x-kubernetes-map-type: atomic
10962 matchLabelKeys:
10963 description: |-
10964 MatchLabelKeys is a set of pod label keys to select which pods will
10965 be taken into consideration. The keys are used to lookup values from the
10966 incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
10967 to select the group of existing pods which pods will be taken into consideration
10968 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
10969 pod labels will be ignored. The default value is empty.
10970 The same key is forbidden to exist in both matchLabelKeys and labelSelector.
10971 Also, matchLabelKeys cannot be set when labelSelector isn't set.
10972 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
10973 type: array
10974 items:
10975 type: string
10976 x-kubernetes-list-type: atomic
10977 mismatchLabelKeys:
10978 description: |-
10979 MismatchLabelKeys is a set of pod label keys to select which pods will
10980 be taken into consideration. The keys are used to lookup values from the
10981 incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
10982 to select the group of existing pods which pods will be taken into consideration
10983 for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
10984 pod labels will be ignored. The default value is empty.
10985 The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
10986 Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
10987 This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
10988 type: array
10989 items:
10990 type: string
10991 x-kubernetes-list-type: atomic
10992 namespaceSelector:
10993 description: |-
10994 A label query over the set of namespaces that the term applies to.
10995 The term is applied to the union of the namespaces selected by this field
10996 and the ones listed in the namespaces field.
10997 null selector and null or empty namespaces list means "this pod's namespace".
10998 An empty selector ({}) matches all namespaces.
10999 type: object
11000 properties:
11001 matchExpressions:
11002 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
11003 type: array
11004 items:
11005 description: |-
11006 A label selector requirement is a selector that contains values, a key, and an operator that
11007 relates the key and values.
11008 type: object
11009 required:
11010 - key
11011 - operator
11012 properties:
11013 key:
11014 description: key is the label key that the selector applies to.
11015 type: string
11016 operator:
11017 description: |-
11018 operator represents a key's relationship to a set of values.
11019 Valid operators are In, NotIn, Exists and DoesNotExist.
11020 type: string
11021 values:
11022 description: |-
11023 values is an array of string values. If the operator is In or NotIn,
11024 the values array must be non-empty. If the operator is Exists or DoesNotExist,
11025 the values array must be empty. This array is replaced during a strategic
11026 merge patch.
11027 type: array
11028 items:
11029 type: string
11030 x-kubernetes-list-type: atomic
11031 x-kubernetes-list-type: atomic
11032 matchLabels:
11033 description: |-
11034 matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
11035 map is equivalent to an element of matchExpressions, whose key field is "key", the
11036 operator is "In", and the values array contains only "value". The requirements are ANDed.
11037 type: object
11038 additionalProperties:
11039 type: string
11040 x-kubernetes-map-type: atomic
11041 namespaces:
11042 description: |-
11043 namespaces specifies a static list of namespace names that the term applies to.
11044 The term is applied to the union of the namespaces listed in this field
11045 and the ones selected by namespaceSelector.
11046 null or empty namespaces list and null namespaceSelector means "this pod's namespace".
11047 type: array
11048 items:
11049 type: string
11050 x-kubernetes-list-type: atomic
11051 topologyKey:
11052 description: |-
11053 This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
11054 the labelSelector in the specified namespaces, where co-located is defined as running on a node
11055 whose value of the label with key topologyKey matches that of any node on which any of the
11056 selected pods is running.
11057 Empty topologyKey is not allowed.
11058 type: string
11059 x-kubernetes-list-type: atomic
11060 imagePullSecrets:
11061 description: If specified, the pod's imagePullSecrets
11062 type: array
11063 items:
11064 description: |-
11065 LocalObjectReference contains enough information to let you locate the
11066 referenced object inside the same namespace.
11067 type: object
11068 properties:
11069 name:
11070 description: |-
11071 Name of the referent.
11072 This field is effectively required, but due to backwards compatibility is
11073 allowed to be empty. Instances of this type with an empty value here are
11074 almost certainly wrong.
11075 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11076 type: string
11077 default: ""
11078 x-kubernetes-map-type: atomic
11079 nodeSelector:
11080 description: |-
11081 NodeSelector is a selector which must be true for the pod to fit on a node.
11082 Selector which must match a node's labels for the pod to be scheduled on that node.
11083 More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
11084 type: object
11085 additionalProperties:
11086 type: string
11087 priorityClassName:
11088 description: If specified, the pod's priorityClassName.
11089 type: string
11090 securityContext:
11091 description: If specified, the pod's security context
11092 type: object
11093 properties:
11094 fsGroup:
11095 description: |-
11096 A special supplemental group that applies to all containers in a pod.
11097 Some volume types allow the Kubelet to change the ownership of that volume
11098 to be owned by the pod:
11099
11100 1. The owning GID will be the FSGroup
11101 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
11102 3. The permission bits are OR'd with rw-rw----
11103
11104 If unset, the Kubelet will not modify the ownership and permissions of any volume.
11105 Note that this field cannot be set when spec.os.name is windows.
11106 type: integer
11107 format: int64
11108 fsGroupChangePolicy:
11109 description: |-
11110 fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
11111 before being exposed inside Pod. This field will only apply to
11112 volume types which support fsGroup based ownership(and permissions).
11113 It will have no effect on ephemeral volume types such as: secret, configmaps
11114 and emptydir.
11115 Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
11116 Note that this field cannot be set when spec.os.name is windows.
11117 type: string
11118 runAsGroup:
11119 description: |-
11120 The GID to run the entrypoint of the container process.
11121 Uses runtime default if unset.
11122 May also be set in SecurityContext. If set in both SecurityContext and
11123 PodSecurityContext, the value specified in SecurityContext takes precedence
11124 for that container.
11125 Note that this field cannot be set when spec.os.name is windows.
11126 type: integer
11127 format: int64
11128 runAsNonRoot:
11129 description: |-
11130 Indicates that the container must run as a non-root user.
11131 If true, the Kubelet will validate the image at runtime to ensure that it
11132 does not run as UID 0 (root) and fail to start the container if it does.
11133 If unset or false, no such validation will be performed.
11134 May also be set in SecurityContext. If set in both SecurityContext and
11135 PodSecurityContext, the value specified in SecurityContext takes precedence.
11136 type: boolean
11137 runAsUser:
11138 description: |-
11139 The UID to run the entrypoint of the container process.
11140 Defaults to user specified in image metadata if unspecified.
11141 May also be set in SecurityContext. If set in both SecurityContext and
11142 PodSecurityContext, the value specified in SecurityContext takes precedence
11143 for that container.
11144 Note that this field cannot be set when spec.os.name is windows.
11145 type: integer
11146 format: int64
11147 seLinuxOptions:
11148 description: |-
11149 The SELinux context to be applied to all containers.
11150 If unspecified, the container runtime will allocate a random SELinux context for each
11151 container. May also be set in SecurityContext. If set in
11152 both SecurityContext and PodSecurityContext, the value specified in SecurityContext
11153 takes precedence for that container.
11154 Note that this field cannot be set when spec.os.name is windows.
11155 type: object
11156 properties:
11157 level:
11158 description: Level is SELinux level label that applies to the container.
11159 type: string
11160 role:
11161 description: Role is a SELinux role label that applies to the container.
11162 type: string
11163 type:
11164 description: Type is a SELinux type label that applies to the container.
11165 type: string
11166 user:
11167 description: User is a SELinux user label that applies to the container.
11168 type: string
11169 seccompProfile:
11170 description: |-
11171 The seccomp options to use by the containers in this pod.
11172 Note that this field cannot be set when spec.os.name is windows.
11173 type: object
11174 required:
11175 - type
11176 properties:
11177 localhostProfile:
11178 description: |-
11179 localhostProfile indicates a profile defined in a file on the node should be used.
11180 The profile must be preconfigured on the node to work.
11181 Must be a descending path, relative to the kubelet's configured seccomp profile location.
11182 Must be set if type is "Localhost". Must NOT be set for any other type.
11183 type: string
11184 type:
11185 description: |-
11186 type indicates which kind of seccomp profile will be applied.
11187 Valid options are:
11188
11189 Localhost - a profile defined in a file on the node should be used.
11190 RuntimeDefault - the container runtime default profile should be used.
11191 Unconfined - no profile should be applied.
11192 type: string
11193 supplementalGroups:
11194 description: |-
11195 A list of groups applied to the first process run in each container, in addition
11196 to the container's primary GID, the fsGroup (if specified), and group memberships
11197 defined in the container image for the uid of the container process. If unspecified,
11198 no additional groups are added to any container. Note that group memberships
11199 defined in the container image for the uid of the container process are still effective,
11200 even if they are not included in this list.
11201 Note that this field cannot be set when spec.os.name is windows.
11202 type: array
11203 items:
11204 type: integer
11205 format: int64
11206 sysctls:
11207 description: |-
11208 Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
11209 sysctls (by the container runtime) might fail to launch.
11210 Note that this field cannot be set when spec.os.name is windows.
11211 type: array
11212 items:
11213 description: Sysctl defines a kernel parameter to be set
11214 type: object
11215 required:
11216 - name
11217 - value
11218 properties:
11219 name:
11220 description: Name of a property to set
11221 type: string
11222 value:
11223 description: Value of a property to set
11224 type: string
11225 serviceAccountName:
11226 description: If specified, the pod's service account
11227 type: string
11228 tolerations:
11229 description: If specified, the pod's tolerations.
11230 type: array
11231 items:
11232 description: |-
11233 The pod this Toleration is attached to tolerates any taint that matches
11234 the triple <key,value,effect> using the matching operator <operator>.
11235 type: object
11236 properties:
11237 effect:
11238 description: |-
11239 Effect indicates the taint effect to match. Empty means match all taint effects.
11240 When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
11241 type: string
11242 key:
11243 description: |-
11244 Key is the taint key that the toleration applies to. Empty means match all taint keys.
11245 If the key is empty, operator must be Exists; this combination means to match all values and all keys.
11246 type: string
11247 operator:
11248 description: |-
11249 Operator represents a key's relationship to the value.
11250 Valid operators are Exists and Equal. Defaults to Equal.
11251 Exists is equivalent to wildcard for value, so that a pod can
11252 tolerate all taints of a particular category.
11253 type: string
11254 tolerationSeconds:
11255 description: |-
11256 TolerationSeconds represents the period of time the toleration (which must be
11257 of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
11258 it is not set, which means tolerate the taint forever (do not evict). Zero and
11259 negative values will be treated as 0 (evict immediately) by the system.
11260 type: integer
11261 format: int64
11262 value:
11263 description: |-
11264 Value is the taint value the toleration matches to.
11265 If the operator is Exists, the value should be empty, otherwise just a regular string.
11266 type: string
11267 serviceType:
11268 description: |-
11269 Optional service type for Kubernetes solver service. Supported values
11270 are NodePort or ClusterIP. If unset, defaults to NodePort.
11271 type: string
11272 selector:
11273 description: |-
11274 Selector selects a set of DNSNames on the Certificate resource that
11275 should be solved using this challenge solver.
11276 If not specified, the solver will be treated as the 'default' solver
11277 with the lowest priority, i.e. if any other solver has a more specific
11278 match, it will be used instead.
11279 type: object
11280 properties:
11281 dnsNames:
11282 description: |-
11283 List of DNSNames that this solver will be used to solve.
11284 If specified and a match is found, a dnsNames selector will take
11285 precedence over a dnsZones selector.
11286 If multiple solvers match with the same dnsNames value, the solver
11287 with the most matching labels in matchLabels will be selected.
11288 If neither has more matches, the solver defined earlier in the list
11289 will be selected.
11290 type: array
11291 items:
11292 type: string
11293 dnsZones:
11294 description: |-
11295 List of DNSZones that this solver will be used to solve.
11296 The most specific DNS zone match specified here will take precedence
11297 over other DNS zone matches, so a solver specifying sys.example.com
11298 will be selected over one specifying example.com for the domain
11299 www.sys.example.com.
11300 If multiple solvers match with the same dnsZones value, the solver
11301 with the most matching labels in matchLabels will be selected.
11302 If neither has more matches, the solver defined earlier in the list
11303 will be selected.
11304 type: array
11305 items:
11306 type: string
11307 matchLabels:
11308 description: |-
11309 A label selector that is used to refine the set of Certificates that
11310 this challenge solver will apply to.
11311 type: object
11312 additionalProperties:
11313 type: string
11314 ca:
11315 description: |-
11316 CA configures this issuer to sign certificates using a signing CA keypair
11317 stored in a Secret resource.
11318 This is used to build internal PKIs that are managed by cert-manager.
11319 type: object
11320 required:
11321 - secretName
11322 properties:
11323 crlDistributionPoints:
11324 description: |-
11325 The CRL distribution points is an X.509 v3 certificate extension which identifies
11326 the location of the CRL from which the revocation of this certificate can be checked.
11327 If not set, certificates will be issued without distribution points set.
11328 type: array
11329 items:
11330 type: string
11331 issuingCertificateURLs:
11332 description: |-
11333 IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
11334 it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
11335 As an example, such a URL might be "http://ca.domain.com/ca.crt".
11336 type: array
11337 items:
11338 type: string
11339 ocspServers:
11340 description: |-
11341 The OCSP server list is an X.509 v3 extension that defines a list of
11342 URLs of OCSP responders. The OCSP responders can be queried for the
11343 revocation status of an issued certificate. If not set, the
11344 certificate will be issued with no OCSP servers set. For example, an
11345 OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
11346 type: array
11347 items:
11348 type: string
11349 secretName:
11350 description: |-
11351 SecretName is the name of the secret used to sign Certificates issued
11352 by this Issuer.
11353 type: string
11354 selfSigned:
11355 description: |-
11356 SelfSigned configures this issuer to 'self sign' certificates using the
11357 private key used to create the CertificateRequest object.
11358 type: object
11359 properties:
11360 crlDistributionPoints:
11361 description: |-
11362 The CRL distribution points is an X.509 v3 certificate extension which identifies
11363 the location of the CRL from which the revocation of this certificate can be checked.
11364 If not set, the certificate will be issued without CRL distribution points. Values are strings.
11365 type: array
11366 items:
11367 type: string
11368 vault:
11369 description: |-
11370 Vault configures this issuer to sign certificates using a HashiCorp Vault
11371 PKI backend.
11372 type: object
11373 required:
11374 - auth
11375 - path
11376 - server
11377 properties:
11378 auth:
11379 description: Auth configures how cert-manager authenticates with the Vault server.
11380 type: object
11381 properties:
11382 appRole:
11383 description: |-
11384 AppRole authenticates with Vault using the App Role auth mechanism,
11385 with the role and secret stored in a Kubernetes Secret resource.
11386 type: object
11387 required:
11388 - path
11389 - roleId
11390 - secretRef
11391 properties:
11392 path:
11393 description: |-
11394 Path where the App Role authentication backend is mounted in Vault, e.g:
11395 "approle"
11396 type: string
11397 roleId:
11398 description: |-
11399 RoleID configured in the App Role authentication backend when setting
11400 up the authentication backend in Vault.
11401 type: string
11402 secretRef:
11403 description: |-
11404 Reference to a key in a Secret that contains the App Role secret used
11405 to authenticate with Vault.
11406 The `key` field must be specified and denotes which entry within the Secret
11407 resource is used as the app role secret.
11408 type: object
11409 required:
11410 - name
11411 properties:
11412 key:
11413 description: |-
11414 The key of the entry in the Secret resource's `data` field to be used.
11415 Some instances of this field may be defaulted, in others it may be
11416 required.
11417 type: string
11418 name:
11419 description: |-
11420 Name of the resource being referred to.
11421 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11422 type: string
11423 clientCertificate:
11424 description: |-
11425 ClientCertificate authenticates with Vault by presenting a client
11426 certificate during the request's TLS handshake.
11427 Works only when using HTTPS protocol.
11428 type: object
11429 properties:
11430 mountPath:
11431 description: |-
11432 The Vault mountPath here is the mount path to use when authenticating with
11433 Vault. For example, setting a value to `/v1/auth/foo`, will use the path
11434 `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
11435 default value "/v1/auth/cert" will be used.
11436 type: string
11437 name:
11438 description: |-
11439 Name of the certificate role to authenticate against.
11440 If not set, any available certificate role may be matched.
11441 type: string
11442 secretName:
11443 description: |-
11444 Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
11445 tls.crt and tls.key) used to authenticate to Vault using TLS client
11446 authentication.
11447 type: string
11448 kubernetes:
11449 description: |-
11450 Kubernetes authenticates with Vault by passing the ServiceAccount
11451 token stored in the named Secret resource to the Vault server.
11452 type: object
11453 required:
11454 - role
11455 properties:
11456 mountPath:
11457 description: |-
11458 The Vault mountPath here is the mount path to use when authenticating with
11459 Vault. For example, setting a value to `/v1/auth/foo`, will use the path
11460 `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
11461 default value "/v1/auth/kubernetes" will be used.
11462 type: string
11463 role:
11464 description: |-
11465 A required field containing the Vault Role to assume. A Role binds a
11466 Kubernetes ServiceAccount with a set of Vault policies.
11467 type: string
11468 secretRef:
11469 description: |-
11470 The required Secret field containing a Kubernetes ServiceAccount JWT used
11471 for authenticating with Vault. Use of 'ambient credentials' is not
11472 supported.
11473 type: object
11474 required:
11475 - name
11476 properties:
11477 key:
11478 description: |-
11479 The key of the entry in the Secret resource's `data` field to be used.
11480 Some instances of this field may be defaulted, in others it may be
11481 required.
11482 type: string
11483 name:
11484 description: |-
11485 Name of the resource being referred to.
11486 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11487 type: string
11488 serviceAccountRef:
11489 description: |-
11490 A reference to a service account that will be used to request a bound
11491 token (also known as "projected token"). Compared to using "secretRef",
11492 using this field means that you don't rely on statically bound tokens. To
11493 use this field, you must configure an RBAC rule to let cert-manager
11494 request a token.
11495 type: object
11496 required:
11497 - name
11498 properties:
11499 audiences:
11500 description: |-
11501 TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
11502 consisting of the issuer's namespace and name is always included.
11503 type: array
11504 items:
11505 type: string
11506 name:
11507 description: Name of the ServiceAccount used to request a token.
11508 type: string
11509 tokenSecretRef:
11510 description: TokenSecretRef authenticates with Vault by presenting a token.
11511 type: object
11512 required:
11513 - name
11514 properties:
11515 key:
11516 description: |-
11517 The key of the entry in the Secret resource's `data` field to be used.
11518 Some instances of this field may be defaulted, in others it may be
11519 required.
11520 type: string
11521 name:
11522 description: |-
11523 Name of the resource being referred to.
11524 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11525 type: string
11526 caBundle:
11527 description: |-
11528 Base64-encoded bundle of PEM CAs which will be used to validate the certificate
11529 chain presented by Vault. Only used if using HTTPS to connect to Vault and
11530 ignored for HTTP connections.
11531 Mutually exclusive with CABundleSecretRef.
11532 If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
11533 the cert-manager controller container is used to validate the TLS connection.
11534 type: string
11535 format: byte
11536 caBundleSecretRef:
11537 description: |-
11538 Reference to a Secret containing a bundle of PEM-encoded CAs to use when
11539 verifying the certificate chain presented by Vault when using HTTPS.
11540 Mutually exclusive with CABundle.
11541 If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
11542 the cert-manager controller container is used to validate the TLS connection.
11543 If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
11544 type: object
11545 required:
11546 - name
11547 properties:
11548 key:
11549 description: |-
11550 The key of the entry in the Secret resource's `data` field to be used.
11551 Some instances of this field may be defaulted, in others it may be
11552 required.
11553 type: string
11554 name:
11555 description: |-
11556 Name of the resource being referred to.
11557 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11558 type: string
11559 clientCertSecretRef:
11560 description: |-
11561 Reference to a Secret containing a PEM-encoded Client Certificate to use when the
11562 Vault server requires mTLS.
11563 type: object
11564 required:
11565 - name
11566 properties:
11567 key:
11568 description: |-
11569 The key of the entry in the Secret resource's `data` field to be used.
11570 Some instances of this field may be defaulted, in others it may be
11571 required.
11572 type: string
11573 name:
11574 description: |-
11575 Name of the resource being referred to.
11576 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11577 type: string
11578 clientKeySecretRef:
11579 description: |-
11580 Reference to a Secret containing a PEM-encoded Client Private Key to use when the
11581 Vault server requires mTLS.
11582 type: object
11583 required:
11584 - name
11585 properties:
11586 key:
11587 description: |-
11588 The key of the entry in the Secret resource's `data` field to be used.
11589 Some instances of this field may be defaulted, in others it may be
11590 required.
11591 type: string
11592 name:
11593 description: |-
11594 Name of the resource being referred to.
11595 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11596 type: string
11597 namespace:
11598 description: |-
11599 Name of the Vault namespace. Namespaces are a Vault Enterprise feature that allows Vault environments to support secure multi-tenancy, e.g: "ns1"
11600 More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
11601 type: string
11602 path:
11603 description: |-
11604 Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
11605 "my_pki_mount/sign/my-role-name".
11606 type: string
11607 server:
11608 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". Use an https:// address so that the credentials configured under auth are not sent in clear text.'
11609 type: string
11610 venafi:
11611 description: |-
11612 Venafi configures this issuer to sign certificates using a Venafi TPP
11613 or Venafi Cloud policy zone.
11614 type: object
11615 required:
11616 - zone
11617 properties:
11618 cloud:
11619 description: |-
11620 Cloud specifies the Venafi cloud configuration settings.
11621 Only one of TPP or Cloud may be specified.
11622 type: object
11623 required:
11624 - apiTokenSecretRef
11625 properties:
11626 apiTokenSecretRef:
11627 description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
11628 type: object
11629 required:
11630 - name
11631 properties:
11632 key:
11633 description: |-
11634 The key of the entry in the Secret resource's `data` field to be used.
11635 Some instances of this field may be defaulted, in others it may be
11636 required.
11637 type: string
11638 name:
11639 description: |-
11640 Name of the resource being referred to.
11641 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11642 type: string
11643 url:
11644 description: |-
11645 URL is the base URL for Venafi Cloud.
11646 Defaults to "https://api.venafi.cloud/v1".
11647 type: string
11648 tpp:
11649 description: |-
11650 TPP specifies Trust Protection Platform configuration settings.
11651 Only one of TPP or Cloud may be specified.
11652 type: object
11653 required:
11654 - credentialsRef
11655 - url
11656 properties:
11657 caBundle:
11658 description: |-
11659 Base64-encoded bundle of PEM CAs which will be used to validate the certificate
11660 chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
11661 If undefined, the certificate bundle in the cert-manager controller container
11662 is used to validate the chain.
11663 type: string
11664 format: byte
11665 caBundleSecretRef:
11666 description: |-
11667 Reference to a Secret containing a base64-encoded bundle of PEM CAs
11668 which will be used to validate the certificate chain presented by the TPP server.
11669 Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
11670 If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
11671 the cert-manager controller container is used to validate the TLS connection.
11672 type: object
11673 required:
11674 - name
11675 properties:
11676 key:
11677 description: |-
11678 The key of the entry in the Secret resource's `data` field to be used.
11679 Some instances of this field may be defaulted, in others it may be
11680 required.
11681 type: string
11682 name:
11683 description: |-
11684 Name of the resource being referred to.
11685 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11686 type: string
11687 credentialsRef:
11688 description: |-
11689 CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
11690 The secret must contain the key 'access-token' for the Access Token Authentication,
11691 or two keys, 'username' and 'password' for the API Keys Authentication.
11692 type: object
11693 required:
11694 - name
11695 properties:
11696 name:
11697 description: |-
11698 Name of the resource being referred to.
11699 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
11700 type: string
11701 url:
11702 description: |-
11703 URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
11704 for example: "https://tpp.example.com/vedsdk".
11705 type: string
11706 zone:
11707 description: |-
11708 Zone is the Venafi Policy Zone to use for this issuer.
11709 All requests made to the Venafi platform will be restricted by the named
11710 zone policy.
11711 This field is required.
11712 type: string
11713 status:
11714 description: Status of the Issuer. This is set and managed automatically.
11715 type: object
11716 properties:
11717 acme:
11718 description: |-
11719 ACME specific status options.
11720 This field should only be set if the Issuer is configured to use an ACME
11721 server to issue certificates.
11722 type: object
11723 properties:
11724 lastPrivateKeyHash:
11725 description: |-
11726 LastPrivateKeyHash is a hash of the private key associated with the latest
11727 registered ACME account, in order to track changes made to the registered account
11728 associated with the Issuer.
11729 type: string
11730 lastRegisteredEmail:
11731 description: |-
11732 LastRegisteredEmail is the email associated with the latest registered
11733 ACME account, in order to track changes made to the registered account
11734 associated with the Issuer.
11735 type: string
11736 uri:
11737 description: |-
11738 URI is the unique account identifier, which can also be used to retrieve
11739 account details from the CA
11740 type: string
11741 conditions:
11742 description: |-
11743 List of status conditions to indicate the status of an Issuer.
11744 Known condition types are `Ready`.
11745 type: array
11746 items:
11747 description: IssuerCondition contains condition information for an Issuer.
11748 type: object
11749 required:
11750 - status
11751 - type
11752 properties:
11753 lastTransitionTime:
11754 description: |-
11755 LastTransitionTime is the timestamp corresponding to the last status
11756 change of this condition.
11757 type: string
11758 format: date-time
11759 message:
11760 description: |-
11761 Message is a human readable description of the details of the last
11762 transition, complementing reason.
11763 type: string
11764 observedGeneration:
11765 description: |-
11766 If set, this represents the .metadata.generation that the condition was
11767 set based upon.
11768 For instance, if .metadata.generation is currently 12, but the
11769 .status.condition[x].observedGeneration is 9, the condition is out of date
11770 with respect to the current state of the Issuer.
11771 type: integer
11772 format: int64
11773 reason:
11774 description: |-
11775 Reason is a brief machine readable explanation for the condition's last
11776 transition.
11777 type: string
11778 status:
11779 description: Status of the condition, one of (`True`, `False`, `Unknown`).
11780 type: string
11781 enum:
11782 - "True"
11783 - "False"
11784 - Unknown
11785 type:
11786 description: Type of the condition, known values are (`Ready`).
11787 type: string
11788 x-kubernetes-list-map-keys:
11789 - type
11790 x-kubernetes-list-type: map
11791 served: true
11792 storage: true
11793
11794# END crd
11795---
11796# Source: cert-manager/templates/crds.yaml
11797# START crd
11798apiVersion: apiextensions.k8s.io/v1
11799kind: CustomResourceDefinition
11800metadata:
11801 name: orders.acme.cert-manager.io
11802 # START annotations
11803 annotations:
11804 helm.sh/resource-policy: keep
11805 # END annotations
11806 labels:
11807 app: 'cert-manager'
11808 app.kubernetes.io/name: 'cert-manager'
11809 app.kubernetes.io/instance: 'cert-manager'
11810 app.kubernetes.io/component: "crds"
11811 # Generated labels
11812 app.kubernetes.io/version: "v1.17.0"
11813spec:
11814 group: acme.cert-manager.io
11815 names:
11816 kind: Order
11817 listKind: OrderList
11818 plural: orders
11819 singular: order
11820 categories:
11821 - cert-manager
11822 - cert-manager-acme
11823 scope: Namespaced
11824 versions:
11825 - name: v1
11826 subresources:
11827 status: {}
11828 additionalPrinterColumns:
11829 - jsonPath: .status.state
11830 name: State
11831 type: string
11832 - jsonPath: .spec.issuerRef.name
11833 name: Issuer
11834 priority: 1
11835 type: string
11836 - jsonPath: .status.reason
11837 name: Reason
11838 priority: 1
11839 type: string
11840 - jsonPath: .metadata.creationTimestamp
11841 description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
11842 name: Age
11843 type: date
11844 schema:
11845 openAPIV3Schema:
11846 description: Order is a type to represent an Order with an ACME server
11847 type: object
11848 required:
11849 - metadata
11850 - spec
11851 properties:
11852 apiVersion:
11853 description: |-
11854 APIVersion defines the versioned schema of this representation of an object.
11855 Servers should convert recognized schemas to the latest internal value, and
11856 may reject unrecognized values.
11857 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
11858 type: string
11859 kind:
11860 description: |-
11861 Kind is a string value representing the REST resource this object represents.
11862 Servers may infer this from the endpoint the client submits requests to.
11863 Cannot be updated.
11864 In CamelCase.
11865 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
11866 type: string
11867 metadata:
11868 type: object
11869 spec:
11870 type: object
11871 required:
11872 - issuerRef
11873 - request
11874 properties:
11875 commonName:
11876 description: |-
11877 CommonName is the common name as specified on the DER encoded CSR.
11878 If specified, this value must also be present in `dnsNames` or `ipAddresses`.
11879 This field must match the corresponding field on the DER encoded CSR.
11880 type: string
11881 dnsNames:
11882 description: |-
11883 DNSNames is a list of DNS names that should be included as part of the Order
11884 validation process.
11885 This field must match the corresponding field on the DER encoded CSR.
11886 type: array
11887 items:
11888 type: string
11889 duration:
11890 description: |-
11891 Duration is the duration for the not after date for the requested certificate.
11892 This is set on order creation as per the ACME spec.
11893 type: string
11894 ipAddresses:
11895 description: |-
11896 IPAddresses is a list of IP addresses that should be included as part of the Order
11897 validation process.
11898 This field must match the corresponding field on the DER encoded CSR.
11899 type: array
11900 items:
11901 type: string
11902 issuerRef:
11903 description: |-
11904 IssuerRef references a properly configured ACME-type Issuer which should
11905 be used to create this Order.
11906 If the Issuer does not exist, processing will be retried.
11907 If the Issuer is not an 'ACME' Issuer, an error will be returned and the
11908 Order will be marked as failed.
11909 type: object
11910 required:
11911 - name
11912 properties:
11913 group:
11914 description: Group of the resource being referred to.
11915 type: string
11916 kind:
11917 description: Kind of the resource being referred to.
11918 type: string
11919 name:
11920 description: Name of the resource being referred to.
11921 type: string
11922 request:
11923 description: |-
11924 Certificate signing request bytes in DER encoding.
11925 This will be used when finalizing the order.
11926 This field must be set on the order.
11927 type: string
11928 format: byte
11929 status:
11930 type: object
11931 properties:
11932 authorizations:
11933 description: |-
11934 Authorizations contains data returned from the ACME server on what
11935 authorizations must be completed in order to validate the DNS names
11936 specified on the Order.
11937 type: array
11938 items:
11939 description: |-
11940 ACMEAuthorization contains data returned from the ACME server on an
11941 authorization that must be completed in order to validate a DNS name on an ACME
11942 Order resource.
11943 type: object
11944 required:
11945 - url
11946 properties:
11947 challenges:
11948 description: |-
11949 Challenges specifies the challenge types offered by the ACME server.
11950 One of these challenge types will be selected when validating the DNS
11951 name and an appropriate Challenge resource will be created to perform
11952 the ACME challenge process.
11953 type: array
11954 items:
11955 description: |-
11956 Challenge specifies a challenge offered by the ACME server for an Order.
11957 An appropriate Challenge resource can be created to perform the ACME
11958 challenge process.
11959 type: object
11960 required:
11961 - token
11962 - type
11963 - url
11964 properties:
11965 token:
11966 description: |-
11967 Token is the token that must be presented for this challenge.
11968 This is used to compute the 'key' that must also be presented.
11969 type: string
11970 type:
11971 description: |-
11972 Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
11973 'tls-sni-01', etc.
11974 This is the raw value retrieved from the ACME server.
11975 Only 'http-01' and 'dns-01' are supported by cert-manager, other values
11976 will be ignored.
11977 type: string
11978 url:
11979 description: |-
11980 URL is the URL of this challenge. It can be used to retrieve additional
11981 metadata about the Challenge from the ACME server.
11982 type: string
11983 identifier:
11984 description: Identifier is the DNS name to be validated as part of this authorization
11985 type: string
11986 initialState:
11987 description: |-
11988 InitialState is the initial state of the ACME authorization when first
11989 fetched from the ACME server.
11990 If an Authorization is already 'valid', the Order controller will not
11991 create a Challenge resource for the authorization. This will occur when
11992 working with an ACME server that enables 'authz reuse' (such as Let's
11993 Encrypt's production endpoint).
11994 If not set and 'identifier' is set, the state is assumed to be pending
11995 and a Challenge will be created.
11996 type: string
11997 enum:
11998 - valid
11999 - ready
12000 - pending
12001 - processing
12002 - invalid
12003 - expired
12004 - errored
12005 url:
12006 description: URL is the URL of the Authorization that must be completed
12007 type: string
12008 wildcard:
12009 description: |-
12010 Wildcard will be true if this authorization is for a wildcard DNS name.
12011 If this is true, the identifier will be the *non-wildcard* version of
12012 the DNS name.
12013 For example, if '*.example.com' is the DNS name being validated, this
12014 field will be 'true' and the 'identifier' field will be 'example.com'.
12015 type: boolean
12016 certificate:
12017 description: |-
12018 Certificate is a copy of the PEM encoded certificate for this Order.
12019 This field will be populated after the order has been successfully
12020 finalized with the ACME server, and the order has transitioned to the
12021 'valid' state.
12022 type: string
12023 format: byte
12024 failureTime:
12025 description: |-
12026 FailureTime stores the time that this order failed.
12027 This is used to influence garbage collection and back-off.
12028 type: string
12029 format: date-time
12030 finalizeURL:
12031 description: |-
12032 FinalizeURL of the Order.
12033 This is used to obtain certificates for this order once it has been completed.
12034 type: string
12035 reason:
12036 description: |-
12037 Reason optionally provides more information about a why the order is in
12038 the current state.
12039 type: string
12040 state:
12041 description: |-
12042 State contains the current state of this Order resource.
12043 States 'success' and 'expired' are 'final'
12044 type: string
12045 enum:
12046 - valid
12047 - ready
12048 - pending
12049 - processing
12050 - invalid
12051 - expired
12052 - errored
12053 url:
12054 description: |-
12055 URL of the Order.
12056 This will initially be empty when the resource is first created.
12057 The Order controller will populate this field when the Order is first processed.
12058 This field will be immutable after it is initially set.
12059 type: string
12060 served: true
12061 storage: true
12062
12063# END crd
12064
12065---
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
# Identity for the cainjector pod. The API token is auto-mounted because the
# pod must talk to the API server; the ClusterRole bound to this account
# (below) grants cluster-wide reads of Certificates and Secrets plus writes
# to webhook configurations, APIServices and CRDs, so anything able to run
# code inside that pod inherits those permissions.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.17.0"
12079---
# Source: cert-manager/templates/serviceaccount.yaml
# Identity for the controller pod. This is the most privileged account in
# this manifest: every cert-manager-controller-* ClusterRole below (issuers,
# clusterissuers, certificates, orders, challenges, ingress-shim, approve,
# certificatesigningrequests) is bound to it, including cluster-wide
# create/update/delete on Secrets, and the cert-manager-tokenrequest Role
# lets it mint fresh tokens for itself. Treat access to this pod as
# equivalent to access to every Secret in the cluster.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
12093---
# Source: cert-manager/templates/webhook-serviceaccount.yaml
# Identity for the admission webhook pod. The token is needed for the two
# grants bound to it below: creating SubjectAccessReviews (ClusterRole) and
# managing its own serving-certificate Secret in this namespace (Role).
# This is the least-privileged of the three cert-manager identities.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.17.0"
12107---
# Source: cert-manager/templates/cainjector-rbac.yaml
# ClusterRole for cainjector. Every rule here is cluster-scoped and none
# carries resourceNames, so each grant applies to all objects of that kind
# in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.17.0"
rules:
  # Read-only access to Certificates in all namespaces.
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): read access to EVERY Secret in the cluster, not only the
  # CA bundles cainjector presumably copies. RBAC cannot narrow this to the
  # Secrets actually referenced, so a compromise of the cainjector
  # ServiceAccount is a disclosure of all Secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  # NOTE(review): update/patch on every admission webhook configuration in
  # the cluster. A principal that can rewrite a MutatingWebhookConfiguration
  # can redirect admission of arbitrary objects, so the blast radius of this
  # rule is close to cluster-admin; audit who can exec into / impersonate
  # the cainjector pod accordingly.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # Same write scope for aggregated API registrations and CRDs (presumably
  # for caBundle injection -- verify against the cainjector docs).
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update", "patch"]
12138---
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
# Issuers are namespaced objects, but RBAC has no "same namespace as the
# Issuer" scope: because this is a ClusterRole without resourceNames, the
# Secret write access below applies to every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
rules:
  # Write Issuer objects and their status subresource.
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): create/update/delete on all Secrets cluster-wide. It cannot
  # be narrowed with resourceNames because the Secret names are presumably
  # user-chosen; this is the rule that makes the controller identity a
  # high-value target.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
12164---
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
# Mirrors the Issuer role above for the cluster-scoped ClusterIssuer kind;
# the Secret grant is likewise cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
rules:
  # Write ClusterIssuer objects and their status subresource.
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): create/update/delete on all Secrets in every namespace;
  # cannot be scoped further by RBAC (see the Issuer role above).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
12190---
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
# This is the role that, presumably, writes issued private keys and
# certificates into target Secrets; it has the widest Secret write grant of
# all roles in this manifest (all verbs including patch), cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
rules:
  # Write Certificates/CertificateRequests and their status subresources.
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  # ACME Orders are created and garbage-collected by this controller; status
  # updates on Orders belong to the separate orders role.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  # NOTE(review): full CRUD on every Secret in the cluster. No resourceNames
  # restriction is possible because target Secret names are user-defined.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
12225---
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
# Unlike the issuer/certificate roles, this one only reads Secrets
# (read-only ACME account material); writes are limited to Orders and
# Challenges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
rules:
  # Write Orders and their status subresource.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # Challenges are created per authorization and deleted when the Order
  # completes; their status is owned by the challenges role.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  # Cluster-wide Secret read (no write). Still sufficient to read any Secret
  # in the cluster if this identity is compromised.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
12263---
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
# Besides ACME resources, this role can create workloads (Pods/Services) and
# rewrite Ingress/HTTPRoute objects in every namespace for HTTP-01 solving.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update", "patch"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to read Issuer and ClusterIssuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  # (read-only, but cluster-wide: any Secret in any namespace is readable).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  # NOTE(review): create/delete Pods and Services in ANY namespace. Solver
  # pods presumably run where the Challenge lives; a compromised controller
  # could schedule arbitrary pods cluster-wide. Pod Security Admission on
  # target namespaces is the only backstop here.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # NOTE(review): `update` on existing Ingresses/HTTPRoutes cluster-wide
  # allows rewriting routing of any application, not just adding solver
  # paths; there is no RBAC way to restrict this to cert-manager-owned objects.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: [ "gateway.networking.k8s.io" ]
    resources: [ "httproutes" ]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  # RBAC rules are a union, so this duplicate of the Secret read rule grants
  # nothing extra; it is kept only for readability of the DNS01 section.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
12323---
# Source: cert-manager/templates/rbac.yaml
# ingress-shim controller role
# NOTE(review): this role creates/updates/deletes Certificates in every
# namespace while only reading Ingress and Gateway API objects. ingress-shim
# is presumably driven by annotations on those objects, which means anyone
# who can edit an Ingress/Gateway/HTTPRoute can trigger certificate issuance
# through an Issuer they may not otherwise be allowed to use -- verify your
# tenancy model accounts for that.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
rules:
  # Manage Certificates/CertificateRequests derived from Ingress/Gateway objects.
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Read-only on Ingresses; no Secret access at all in this role.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways", "httproutes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways/finalizers", "httproutes/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
12361---
# Source: cert-manager/templates/rbac.yaml
# Aggregation-only ClusterRole: it is not bound to anything here. The
# aggregate-to-cluster-reader label (OpenShift's cluster-reader convention,
# presumably) folds read access to ClusterIssuers into that built-in role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cluster-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
  # ClusterIssuer specs may reference Secret names but never contain key material.
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
12378---
# Source: cert-manager/templates/rbac.yaml
# Aggregation-only ClusterRole. Because of the aggregate-to-* labels these
# read rules are merged automatically into the built-in view/edit/admin
# ClusterRoles (and cluster-reader), so every user holding any of those
# roles in a namespace can read cert-manager and ACME objects there,
# including Order status (ACME URLs, challenge tokens, issued certificate).
# No Secret access is granted, so private keys stay out of reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-view
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["get", "list", "watch"]
12401---
# Source: cert-manager/templates/rbac.yaml
# Aggregation-only ClusterRole merged into the built-in edit and admin roles.
# NOTE(review): this gives every namespace editor direct write access to
# Certificate status and to ACME Orders/Challenges (objects normally owned
# by the controller), in addition to the expected Certificate/Issuer CRUD.
# Confirm this matches your tenancy model; it is a broader grant than
# "users may request certificates".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-edit
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  # Note: no ClusterIssuer write here -- cluster-scoped issuers stay admin-only.
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  # Status subresource write for Certificates (not for CertificateRequests).
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
12425---
# Source: cert-manager/templates/rbac.yaml
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
# With this bound to the controller (see the ClusterRoleBinding below), the
# controller auto-approves every CertificateRequest that targets an in-tree
# Issuer/ClusterIssuer. NOTE(review): if you rely on an external approver or
# policy engine to gate issuance, this binding must not exist -- verify.
# The `approve` verb is scoped by resourceNames to the two signer name
# patterns, so it does not cover external issuer API groups.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.17.0"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    resourceNames:
      - "issuers.cert-manager.io/*"
      - "clusterissuers.cert-manager.io/*"
12445---
# Source: cert-manager/templates/rbac.yaml
# Permission to:
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
# The `sign` grant is correctly narrowed by resourceNames to cert-manager's
# own signer names; the CSR object grants themselves are cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.17.0"
rules:
  # `update` on the CSR object itself (not only status) across the cluster.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/status"]
    verbs: ["update", "patch"]
  # Only CSRs whose signerName matches these patterns can be signed.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
    verbs: ["sign"]
  # Used to check the CSR requester's own RBAC before honouring an Issuer reference.
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
12474---
# Source: cert-manager/templates/webhook-rbac.yaml
# The only cluster-scoped grant for the webhook: creating SubjectAccessReviews,
# presumably to check the requesting user's permissions during admission.
# SARs reveal whether a subject may perform an action but grant nothing
# themselves, so this is low-risk.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.17.0"
rules:
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
12490---
# Source: cert-manager/templates/cainjector-rbac.yaml
# ClusterRoleBindings. Each one attaches a ClusterRole defined above to one
# of the three ServiceAccounts in the cert-manager namespace. Because they
# are ClusterRoleBindings, every grant is cluster-wide; eight of the ten
# target the single `cert-manager` controller account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-cainjector
subjects:
  - name: cert-manager-cainjector
    namespace: cert-manager
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Controller account: Issuer management + cluster-wide Secret writes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-issuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-issuers
subjects:
  - name: cert-manager
    namespace: cert-manager
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Controller account: ClusterIssuer management + cluster-wide Secret writes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-clusterissuers
subjects:
  - name: cert-manager
    namespace: cert-manager
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Controller account: Certificate reconciliation + full Secret CRUD.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificates
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificates
subjects:
  - name: cert-manager
    namespace: cert-manager
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Controller account: ACME Order handling (Secret read-only).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-orders
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-orders
subjects:
  - name: cert-manager
    namespace: cert-manager
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Controller account: ACME Challenge solving (Pods/Services/Ingress writes).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-challenges
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-challenges
subjects:
  - name: cert-manager
    namespace: cert-manager
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Controller account: Ingress/Gateway-driven Certificate creation.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-ingress-shim
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-ingress-shim
subjects:
  - name: cert-manager
    namespace: cert-manager
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Controller account: automatic approval of CertificateRequests for in-tree
# issuers. Remove this binding if approval is delegated elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-approve:cert-manager-io
subjects:
  - name: cert-manager
    namespace: cert-manager
    kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
# Controller account: Kubernetes CSR signing for cert-manager signer names.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-certificatesigningrequests
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-certificatesigningrequests
subjects:
  - name: cert-manager
    namespace: cert-manager
    kind: ServiceAccount
---
# Source: cert-manager/templates/webhook-rbac.yaml
# Webhook account: SubjectAccessReview creation only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook:subjectaccessreviews
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook:subjectaccessreviews
subjects:
- kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
12690---
# Source: cert-manager/templates/cainjector-rbac.yaml
# leader election rules
# NOTE(review): this Role lives in kube-system, so the cainjector account
# (from the cert-manager namespace) gets a namespaced foothold there. The
# renewal rule is pinned to two Lease names; `create` cannot be restricted
# by resourceName, so it applies to any Lease in kube-system. Low impact,
# but worth knowing when auditing kube-system bindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.17.0"
rules:
  # Used for leader election by the controller
  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  # see cmd/cainjector/start.go#L113
  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  # see cmd/cainjector/start.go#L137
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
    verbs: ["get", "update", "patch"]
  # Initial creation of the Lease (name unknown to the authorizer at create time).
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
12717---
# Source: cert-manager/templates/rbac.yaml
# Leader-election Role for the controller, placed in kube-system like the
# cainjector one above. Steady-state renewals are restricted to the
# `cert-manager-controller` Lease; `create` is necessarily unrestricted
# (RBAC cannot name-scope create), so it covers any Lease in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
12738---
# Source: cert-manager/templates/rbac.yaml
# Lets the controller request new tokens for its own ServiceAccount via the
# TokenRequest API. resourceNames works on this `create` because the parent
# ServiceAccount name is part of the request path; the grant is limited to
# the `cert-manager` account in this namespace, so it cannot be used to mint
# tokens for other identities.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-tokenrequest
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    resourceNames: ["cert-manager"]
    verbs: ["create"]
12756---
# Source: cert-manager/templates/webhook-rbac.yaml
# Namespaced Role for the webhook's self-managed serving certificate. Being a
# Role (not a ClusterRole), everything here is bounded to the cert-manager
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.17.0"
rules:
# Read/update pinned to the CA Secret. NOTE(review): list/watch combined with
# resourceNames only match requests that filter on metadata.name; a bare
# list of all Secrets in the namespace is not granted -- confirm the webhook
# informer uses a name field selector, otherwise it will be denied.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames:
    - 'cert-manager-webhook-ca'
  verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
# This therefore allows creating any Secret in the cert-manager namespace,
# but not reading or modifying existing ones other than the CA Secret above.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
12779---
# Source: cert-manager/templates/cainjector-rbac.yaml
# grant cainjector permission to manage its leader-election Leases in the
# leader election namespace (kube-system). The Role it references uses
# coordination.k8s.io/leases, not ConfigMaps.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-cainjector:leaderelection
  namespace: kube-system
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cainjector:leaderelection
subjects:
  # Cross-namespace binding: the subject lives in cert-manager, the Role in kube-system.
  - kind: ServiceAccount
    name: cert-manager-cainjector
    namespace: cert-manager
12802---
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage its leader-election Lease in the
# leader election namespace (kube-system). The referenced Role grants
# coordination.k8s.io/leases, not ConfigMaps.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager:leaderelection
subjects:
  # Cross-namespace binding: the subject lives in cert-manager, the Role in kube-system.
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
12825---
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to create tokens for the serviceaccount
# (its own `cert-manager` account only, per the Role's resourceNames).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-cert-manager-tokenrequest
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-tokenrequest
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
12847---
# Source: cert-manager/templates/webhook-rbac.yaml
# Binds the webhook account to the namespaced dynamic-serving Role so it can
# create and maintain the `cert-manager-webhook-ca` Secret in this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook:dynamic-serving
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.17.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook:dynamic-serving
subjects:
- kind: ServiceAccount
  name: cert-manager-webhook
  namespace: cert-manager
12868---
# Source: cert-manager/templates/cainjector-service.yaml
# Metrics-only Service for cainjector. ClusterIP means it is reachable from
# any pod in the cluster unless a NetworkPolicy restricts it; the port name
# suggests plain HTTP (no auth), so treat the metrics as cluster-internal
# information disclosure and scope access to your scraper.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.17.0"
spec:
  type: ClusterIP
  ports:
    # No targetPort given, so it defaults to the same port (9402) on the pod.
    - protocol: TCP
      port: 9402
      name: http-metrics
  selector:
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
12891---
# Source: cert-manager/templates/service.yaml
# Metrics-only Service for the controller (port name matches what a
# Prometheus ServiceMonitor would select). ClusterIP and, by the port name,
# plain TCP/HTTP: restrict with NetworkPolicy if metrics should not be
# readable by every workload in the cluster.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 9402
      name: tcp-prometheus-servicemonitor
      targetPort: 9402
  selector:
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
---
# Source: cert-manager/templates/webhook-service.yaml
# Service the API server dials for admission requests. The webhook
# configurations on this page reference it by name/namespace without a port,
# so the API server connects to the default 443 declared below.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.17.0"
spec:
  type: ClusterIP
  ports:
    # 443 -> the container port named "https" (10250 in the webhook
    # Deployment, matching its --secure-port flag). Using a named targetPort
    # keeps this Service correct if the container port number changes.
    - name: https
      port: 443
      protocol: TCP
      targetPort: "https"
    # Plain-HTTP metrics, separate from the TLS admission listener.
    - name: metrics
      port: 9402
      protocol: TCP
      targetPort: "http-metrics"
  selector:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
---
# Source: cert-manager/templates/cainjector-deployment.yaml
# cainjector Deployment. Pod and container security settings below follow the
# restricted profile: non-root, runtime-default seccomp, no privilege
# escalation, all capabilities dropped, read-only root filesystem.
# No resources requests/limits are declared in this spec, so the pod runs
# with BestEffort QoS and is first to be evicted under node pressure.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-cainjector
  namespace: cert-manager
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.17.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cainjector
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "cainjector"
  template:
    metadata:
      labels:
        app: cainjector
        app.kubernetes.io/name: cainjector
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: "cainjector"
        app.kubernetes.io/version: "v1.17.0"
      # Scrape hints for Prometheus; quoted so they stay strings in
      # annotations (which only accept string values).
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      # RBAC for this ServiceAccount is defined elsewhere in the manifest.
      serviceAccountName: cert-manager-cainjector
      # Do not inject every Service in the namespace as environment variables.
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-cainjector
          # Pinned by tag, not by digest. With IfNotPresent a node that already
          # holds an image for this tag will not re-pull it, so a re-pushed tag
          # would not be picked up; pin by digest if that matters.
          image: "quay.io/jetstack/cert-manager-cainjector:v1.17.0"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # The leader-election Lease lives in kube-system, so the
            # ServiceAccount needs lease permissions there — presumably granted
            # by a Role/RoleBinding elsewhere in this manifest; verify.
            - --leader-election-namespace=kube-system
          ports:
            - containerPort: 9402
              name: http-metrics
              protocol: TCP
          env:
            # Downward-API injection of the pod's own namespace.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cert-manager/templates/deployment.yaml
# Controller Deployment. Hardened like the other components on this page
# (non-root, RuntimeDefault seccomp, no privilege escalation, all capabilities
# dropped, read-only root filesystem). No resources requests/limits are
# declared here (BestEffort QoS), and no readinessProbe is declared — only
# the livenessProbe below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
    app.kubernetes.io/version: "v1.17.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "controller"
  template:
    metadata:
      labels:
        app: cert-manager
        app.kubernetes.io/name: cert-manager
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: "controller"
        app.kubernetes.io/version: "v1.17.0"
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      # RBAC for this ServiceAccount is defined elsewhere in the manifest.
      serviceAccountName: cert-manager
      # Do not inject every Service in the namespace as environment variables.
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-controller
          # Tag-pinned, not digest-pinned; see the note on imagePullPolicy
          # semantics: a cached image for this tag is reused as-is.
          image: "quay.io/jetstack/cert-manager-controller:v1.17.0"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # $(POD_NAMESPACE) is expanded by Kubernetes from the env var
            # declared further down in this container. Presumably this is the
            # namespace where Secrets for cluster-scoped resources (e.g.
            # ClusterIssuer) are looked up — confirm against the flag docs.
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            # Leader-election Lease is in kube-system; lease RBAC there is
            # presumably granted elsewhere in this manifest.
            - --leader-election-namespace=kube-system
            # Image the controller launches for HTTP-01 challenge solving;
            # tag-pinned only, so it is part of the supply-chain surface as
            # much as the controller image itself.
            - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.17.0
            # Upper bound on ACME challenges processed at once.
            - --max-concurrent-challenges=60
          ports:
            - containerPort: 9402
              name: http-metrics
              protocol: TCP
            # Separate plain-HTTP port used only by the liveness probe below.
            - containerPort: 9403
              name: http-healthz
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # LivenessProbe settings are based on those used for the Kubernetes
          # controller-manager. See:
          # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
          livenessProbe:
            httpGet:
              port: http-healthz
              path: /livez
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 15
            successThreshold: 1
            # 8 consecutive failures (~80s) before the container is restarted.
            failureThreshold: 8
      nodeSelector:
        kubernetes.io/os: linux
---
# Source: cert-manager/templates/webhook-deployment.yaml
# Admission webhook Deployment. Note the availability coupling: this runs a
# single replica, and both webhook configurations on this page use
# failurePolicy: Fail, so while the one pod is unready every CREATE/UPDATE of
# cert-manager resources is rejected (fail-closed). Raise replicas if that is
# not acceptable. No resources requests/limits are declared (BestEffort QoS).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
  namespace: cert-manager
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.17.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "webhook"
  template:
    metadata:
      labels:
        app: webhook
        app.kubernetes.io/name: webhook
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: "webhook"
        app.kubernetes.io/version: "v1.17.0"
      annotations:
        prometheus.io/path: "/metrics"
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9402'
    spec:
      # Bound to the dynamic-serving Role by the RoleBinding earlier on this page.
      serviceAccountName: cert-manager-webhook
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cert-manager-webhook
          # Tag-pinned, not digest-pinned.
          image: "quay.io/jetstack/cert-manager-webhook:v1.17.0"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            # TLS admission listener; must match the "https" containerPort below.
            - --secure-port=10250
            # The webhook manages its own serving CA in this Secret. The same
            # Secret is what the webhook configurations' inject-ca-from-secret
            # annotation points at, so whoever can write it controls the CA
            # the API server trusts for this webhook.
            - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
            - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
            # SANs for the serving certificate: the Service name at each DNS
            # level the API server might use.
            - --dynamic-serving-dns-names=cert-manager-webhook
            - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
            - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc

          ports:
            - name: https
              protocol: TCP
              containerPort: 10250
            # Plain-HTTP health port, separate from the TLS listener.
            - name: healthcheck
              protocol: TCP
              containerPort: 6080
            - containerPort: 9402
              name: http-metrics
              protocol: TCP
          # Both probes use a 1-second timeout; under sustained load a slow
          # response flips readiness and, with the single replica, admission
          # fails closed — presumably tuned for normal load; verify.
          livenessProbe:
            httpGet:
              path: /livez
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 6080
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      nodeSelector:
        kubernetes.io/os: linux
13183---
13184# Source: cert-manager/templates/crds.yaml
13185#
13186# START crd
13187---
13188# Source: cert-manager/templates/crds.yaml
13189# START crd
13190---
13191# Source: cert-manager/templates/crds.yaml
13192# START crd
13193---
13194# Source: cert-manager/templates/crds.yaml
13195# START crd
13196---
13197# Source: cert-manager/templates/crds.yaml
13198# START crd
13199---
13200# Source: cert-manager/templates/crds.yaml
13201# START crd
---
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
# Mutating admission for cert-manager.io/v1 CertificateRequest creation only.
# Unlike the validating configuration that follows, there is no
# namespaceSelector here, so the mutation applies in every namespace.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.17.0"
  annotations:
    # clientConfig.caBundle is not set inline; presumably the cainjector
    # deployed above fills it from this Secret (the one the webhook writes its
    # serving CA to). The Secret's integrity therefore gates which server the
    # API server will trust — confirm against cainjector docs.
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
  - name: webhook.cert-manager.io
    rules:
      - apiGroups:
          - "cert-manager.io"
        apiVersions:
          - "v1"
        # CREATE only; updates and deletes of CertificateRequests bypass this hook.
        operations:
          - CREATE
        resources:
          - "certificaterequests"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    timeoutSeconds: 30
    # Fail-closed: if the webhook is unreachable or times out (30s above), the
    # request is rejected rather than admitted unmodified.
    failurePolicy: Fail
    # Only include 'sideEffects' field in Kubernetes 1.12+
    sideEffects: None
    clientConfig:
      # No port given: the API server uses 443, which the webhook Service maps
      # to the container's "https" port.
      service:
        name: cert-manager-webhook
        namespace: cert-manager
        path: /mutate
---
# Source: cert-manager/templates/webhook-validating-webhook.yaml
# Validating admission for every resource in the cert-manager.io and
# acme.cert-manager.io groups on CREATE and UPDATE (DELETE is not validated).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  labels:
    app: webhook
    app.kubernetes.io/name: webhook
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "webhook"
    app.kubernetes.io/version: "v1.17.0"
  annotations:
    # caBundle is injected from the webhook's serving-CA Secret (see the
    # mutating configuration above for the trust implications).
    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
  - name: webhook.cert-manager.io
    # Opt-out switch: a namespace labelled cert-manager.io/disable-validation
    # with the value "true" is exempt from this webhook entirely. Any principal
    # allowed to label namespaces can therefore disable validation for that
    # namespace, so treat namespace label permissions as security-relevant and
    # alert on this label being set.
    namespaceSelector:
      matchExpressions:
        - key: cert-manager.io/disable-validation
          operator: NotIn
          values:
            - "true"
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
          - UPDATE
        # All resources and subresources in the groups above.
        resources:
          - "*/*"
    admissionReviewVersions: ["v1"]
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    timeoutSeconds: 30
    # Fail-closed: with the single webhook replica on this page, writes to these
    # API groups are rejected whenever the webhook is down or unready.
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      # Port defaults to 443 on the webhook Service.
      service:
        name: cert-manager-webhook
        namespace: cert-manager
        path: /validate