diff --git a/README.md b/README.md
index 31b54eabbfdf0fa00f6b62292918a031fc998d31..20cde43395e2ed80ec1e1b2ce46a94a8e2be0e33 100644
--- a/README.md
+++ b/README.md
@@ -136,7 +136,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [ambassador](https://github.com/datawire/ambassador): v1.5
   - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11
   - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11
-  - [cert-manager](https://github.com/jetstack/cert-manager) v0.11.1
+  - [cert-manager](https://github.com/jetstack/cert-manager) v0.15.2
   - [coredns](https://github.com/coredns/coredns) v1.6.7
   - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v0.32.0
 
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index bbe497008975df2ba500b49527769bf27b308db1..1380c6b4c894f42429f9973bcfad045ac56dee85 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -546,9 +546,13 @@ ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operat
 ingress_ambassador_image_tag: "v1.2.8"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.8"
-cert_manager_version: "v0.11.1"
+cert_manager_version: "v0.15.2"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
+cert_manager_cainjector_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-cainjector"
+cert_manager_cainjector_image_tag: "{{ cert_manager_version }}"
+cert_manager_webhook_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-webhook"
+cert_manager_webhook_image_tag: "{{ cert_manager_version }}"
 addon_resizer_version: "1.8.9"
 addon_resizer_image_repo: "{{ kube_image_repo }}/addon-resizer"
 addon_resizer_image_tag: "{{ addon_resizer_version }}"
@@ -1078,6 +1082,24 @@ downloads:
     groups:
     - kube-node
 
+  cert_manager_cainjector:
+    enabled: "{{ cert_manager_enabled }}"
+    container: true
+    repo: "{{ cert_manager_cainjector_image_repo }}"
+    tag: "{{ cert_manager_cainjector_image_tag }}"
+    sha256: "{{ cert_manager_cainjector_digest_checksum|default(None) }}"
+    groups:
+    - kube-node
+
+  cert_manager_webhook:
+    enabled: "{{ cert_manager_enabled }}"
+    container: true
+    repo: "{{ cert_manager_webhook_image_repo }}"
+    tag: "{{ cert_manager_webhook_image_tag }}"
+    sha256: "{{ cert_manager_webhook_digest_checksum|default(None) }}"
+    groups:
+    - kube-node
+
   csi_attacher:
     enabled: "{{ cinder_csi_enabled or aws_ebs_csi_enabled }}"
     container: true
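Review bot: Both new `downloads` entries leave `sha256` empty unless `cert_manager_cainjector_digest_checksum` or `cert_manager_webhook_digest_checksum` is defined, and neither variable is declared or documented in the visible defaults, so these images are selected by the `cert_manager_version` tag alone. The webhook is an admission component and the cainjector is granted `update` on webhook configurations in this same commit, so both are worth pinning. I would add a comment beside the new image variables such as `# Optional: set cert_manager_cainjector_digest_checksum / cert_manager_webhook_digest_checksum to pin these images by digest`. This assumes the download role uses `sha256` for digest pinning, as the key name suggests.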
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/README.md b/roles/kubernetes-apps/ingress_controller/cert_manager/README.md
index b0f008676a1c63fcc0a3da7dab4937b9e202d4fa..99501f292518da6f03f2e5da7842a856203993e1 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/README.md
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/README.md
@@ -1,17 +1,179 @@
-Deployment files
-================
+# Installation Guide
 
-This directory contains example deployment manifests for cert-manager that can
-be used in place of the official Helm chart.
+- [Installation Guide](#installation-guide)
+  - [Kubernetes TLS Root CA Certificate/Key Secret](#kubernetes-tls-root-ca-certificatekey-secret)
+  - [Securing Ingress Resources](#securing-ingress-resources)
+    - [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key)
+      - [Install Cloudflare PKI/TLS `cfssl` Toolkit.](#install-cloudflare-pkitls-cfssl-toolkit)
+      - [Create Root Certificate Authority (CA) Configuration File](#create-root-certificate-authority-ca-configuration-file)
+      - [Create Certficate Signing Request (CSR) Configuration File](#create-certficate-signing-request-csr-configuration-file)
+      - [Create TLS Root CA Certificate and Key](#create-tls-root-ca-certificate-and-key)
 
-This is useful if you are deploying cert-manager into an environment without
-Helm, or want to inspect a 'bare minimum' deployment.
+Cert-Manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
 
-Where do these come from?
--------------------------
+The Kubespray out-of-the-box cert-manager deployment uses a TLS Root CA certificate and key stored as the Kubernetes `ca-key-pair` secret consisting of `tls.crt` and `tls.key`, which are the base64 encode values of the TLS Root CA certificate and key respectively.
 
-The manifests in these subdirectories are generated from the Helm chart
-automatically. The `values.yaml` files used to configure cert-manager can be
-found in [`hack/deploy`](../../hack/deploy/).
+Integration with other PKI/Certificate management solutions, such as HashiCorp Vault will require some further development changes to the current cert-manager deployment and may be introduced in the future.
 
-They are automatically generated by running `./hack/update-deploy-gen.sh`.
+## Kubernetes TLS Root CA Certificate/Key Secret
+
+If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.
+
+If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
+
+e.g.
+
+```shell
+$ cat ca.pem | base64 -w 0
+LS0tLS1CRUdJTiBDRVJU...
+
+$ cat ca-key.pem | base64 -w 0
+LS0tLS1CRUdJTiBSU0Eg...
+```
+
+For further information, read the official [Cert-Manager CA Configuration](https://cert-manager.io/docs/configuration/ca/) doc.
+
+Once the base64 encoded values have been added to `templates\secret-cert-manager.yml.j2`, cert-manager can now be enabled by editing your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and setting `cert_manager_enabled` to true.
+
+```ini
+# Cert manager deployment
+cert_manager_enabled: true
+```
+
+If you don't have a TLS Root CA certificate and key available, you can create these by following the steps outlined in section [Create New TLS Root CA Certificate and Key](#create-new-tls-root-ca-certificate-and-key) using the Cloudflare PKI/TLS `cfssl` toolkit. TLS Root CA certificates and keys can also be created using `ssh-keygen` and OpenSSL, if `cfssl` is not available.
+
+## Securing Ingress Resources
+
+A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources. This can be done by simply adding annotations to your Ingress resources and cert-manager will facilitate creating the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
+
+To enable the Nginx Ingress controller as part of your Kubespray deployment, simply edit your K8s cluster addons inventory e.g. `inventory\sample\group_vars\k8s-cluster\addons.yml` and set `ingress_nginx_enabled` to true.
+
+```ini
+# Nginx ingress controller deployment
+ingress_nginx_enabled: true
+```
+
+For example, if you're using the Nginx ingress controller, you can secure the Prometheus ingress by adding the annotation `cert-manager.io/cluster-issuer: ca-issuer` and the `spec.tls` section to the `Ingress` resource definition.
+
+```yaml
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: prometheus-k8s
+  namespace: monitoring
+  labels:
+    prometheus: k8s
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: ca-issuer
+spec:
+  tls:
+  - hosts:
+    - prometheus.example.com
+    secretName: prometheus-dashboard-certs
+  rules:
+  - host: prometheus.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: prometheus-k8s
+          servicePort: web
+```
+
+Once deployed to your K8s cluster, every 3 months cert-manager will automatically rotate the Prometheus `prometheus.example.com` TLS client certificate and key, and store these as the Kubernetes `prometheus-dashboard-certs` secret.
+
+For further information, read the official [Cert-Manager Ingress](https://cert-manager.io/docs/usage/ingress/) doc.
+
+### Create New TLS Root CA Certificate and Key
+
+#### Install Cloudflare PKI/TLS `cfssl` Toolkit.
+
+e.g. For Ubuntu/Debian distibutions, the toolkit is part of the `golang-cfssl` package.
+
+```shell
+$ sudo apt-get install -y golang-cfssl
+```
+
+#### Create Root Certificate Authority (CA) Configuration File
+
+The default TLS certificate expiry time period is `8760h` which is 5 years from the date the certificate is created.
+
+```shell
+$ cat > ca-config.json <<EOF
+{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "kubernetes": {
+        "usages": ["signing", "key encipherment", "server auth", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}
+EOF
+```
+
+#### Create Certficate Signing Request (CSR) Configuration File
+
+The TLS certificate `names` details can be updated to your own specific requirements.
+
+```shell
+$ cat > ca-csr.json <<EOF
+{
+  "CN": "Kubernetes",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "CA",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+```
+
+#### Create TLS Root CA Certificate and Key
+
+```shell
+$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+ca.pem
+ca-key.pem
+```
+
+Check the TLS Root CA certificate has the correct `Not Before` and `Not After` dates, and ensure it is indeed a valid Certificate Authority with the X509v3 extension `CA:TRUE`.
+
+```shell
+$ openssl x509 -text -noout -in ca.pem
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            6a:d4:d8:48:7f:98:4f:54:68:9a:e1:73:02:fa:d0:41:79:25:08:49
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
+        Validity
+            Not Before: Jul 10 15:21:00 2020 GMT
+            Not After : Jul  9 15:21:00 2025 GMT
+        Subject: C = US, ST = Oregon, L = Portland, O = Kubernetes, OU = CA, CN = Kubernetes
+        Subject Public Key Info:
+        ...
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier:
+                D4:38:B5:E2:26:49:5E:0D:E3:DC:D9:70:73:3B:C4:19:6A:43:4A:F2
+                ...
+```
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml b/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
index d8ca7ad1735f4643d7f9f01fa652a198812f2d06..5029cb1df6a58176cb3579f9fdca957c780cc6e2 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
@@ -28,19 +28,30 @@
   when:
     - inventory_hostname == groups['kube-master'][0]
 
+- name: Cert Manager | Templates list
+  set_fact:
+    cert_manager_templates:
+      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
+      - { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
+      - { name: crd-certificate, file: crd-certificate.yml, type: crd }
+      - { name: crd-challenge, file: crd-challenge.yml, type: crd }
+      - { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
+      - { name: crd-issuer, file: crd-issuer.yml, type: crd }
+      - { name: crd-order, file: crd-order.yml, type: crd }
+      - { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
+      - { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
+      - { name: role-cert-manager, file: role-cert-manager.yml, type: role }
+      - { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
+      - { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
+      - { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
+      - { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
+      - { name: secret-cert-manager, file: secret-cert-manager.yml, type: secret }
+
 - name: Cert Manager | Create manifests
   template:
     src: "{{ item.file }}.j2"
     dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
-  with_items:
-    - { name: 00-namespace, file: 00-namespace.yml, type: ns }
-    - { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
-    - { name: crd-certificate, file: crd-certificate.yml, type: crd }
-    - { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
-    - { name: crd-issuer, file: crd-issuer.yml, type: crd }
-    - { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
-    - { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
-    - { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
+  with_items: "{{ cert_manager_templates }}"
   register: cert_manager_manifests
   when:
     - inventory_hostname == groups['kube-master'][0]
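Review bot: `secret-cert-manager.yml` is rendered by the same `template` loop as the public manifests, with no `mode:` on the task and the per-item results registered in `cert_manager_manifests`. According to the README added in this commit, that template carries the base64 Root CA `tls.key`, so the rendered file under `{{ kube_config_dir }}/addons/cert_manager/` gets default permissions and its content can appear in `--diff` output. I would render it in its own task with `mode: "0600"` and `no_log: true`, and take the key from a vaulted variable rather than having operators paste it into the role template. The task's `when:` block is unchanged context at the end of this hunk.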
@@ -48,7 +59,6 @@
 - name: Cert Manager | Apply manifests
   kube:
     name: "{{ item.item.name }}"
-    namespace: "{{ cert_manager_namespace }}"
     kubectl: "{{ bin_dir }}/kubectl"
     resource: "{{ item.item.type }}"
     filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
@@ -56,3 +66,24 @@
   with_items: "{{ cert_manager_manifests.results }}"
   when:
     - inventory_hostname == groups['kube-master'][0]
+
+- name: Cert Manager | Wait for Webhook pods become ready
+  shell: "{{ bin_dir }}/kubectl wait po --namespace={{ cert_manager_namespace }} --selector app=webhook --for=condition=Ready --timeout=600s"
+  register: cert_manager_webhook_pods_ready
+  when: inventory_hostname == groups['kube-master'][0]
+
+- name: Cert Manager | Create ClusterIssuer manifest
+  template:
+    src: "clusterissuer-cert-manager.yml.j2"
+    dest: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
+  register: cert_manager_clusterissuer_manifest
+  when:
+    - inventory_hostname == groups['kube-master'][0] and cert_manager_webhook_pods_ready is succeeded
+
+- name: Cert Manager | Apply ClusterIssuer manifest
+  kube:
+    name: "clusterissuer-cert-manager"
+    kubectl: "{{ bin_dir }}/kubectl"
+    filename: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
+    state: "latest"
+  when: inventory_hostname == groups['kube-master'][0] and cert_manager_clusterissuer_manifest is succeeded
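Review bot: The wait task runs `kubectl` through `shell:` with interpolated variables and no `changed_when`, so the command line is parsed by a shell for no benefit and the task reports `changed` on every run. `command:` with the same string plus `changed_when: false` would do. The `... is succeeded` conditions on the two following tasks add nothing, because a failed wait or template task already stops the play for that host; `when: inventory_hostname == groups['kube-master'][0]` is enough. Also, `kubectl wait` returns an error immediately when no pod matches `app=webhook` yet, so the task may need `retries`/`until`; I have not verified the timing against the apply step.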
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2
index fef90aed6cf9aff4560ec3da228f80e919947485..5db14efb72f59b8cdcb3c6c3787ce7d28f1513d7 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/00-namespace.yml.j2
@@ -1,3 +1,17 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
 apiVersion: v1
 kind: Namespace
@@ -5,4 +19,3 @@ metadata:
   name: {{ cert_manager_namespace }}
   labels:
     name: {{ cert_manager_namespace }}
-    certmanager.k8s.io/disable-validation: "true"
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..f016ad053320ec01bb0e40031a93793c625d7814
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterissuer-cert-manager.yml.j2
@@ -0,0 +1,23 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: ca-issuer
+  namespace: {{ cert_manager_namespace }}
+spec:
+  ca:
+    secretName: ca-key-pair
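Review bot: `ClusterIssuer` is cluster-scoped, so `namespace: {{ cert_manager_namespace }}` under `metadata` has no effect and reads as if the issuer were confined to that namespace. It is not: an Ingress or Certificate in any namespace that references `ca-issuer` gets a certificate signed by the Root CA in `ca-key-pair`, for whatever hostname it requests. I would drop the `namespace:` line and add a comment such as `# cluster-wide issuer: signs for every namespace; ca-key-pair is read from cert-manager's cluster resource namespace`. Where per-namespace control is wanted, a namespaced `Issuer` is the narrower choice.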
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
index 6ab011195bebb3b5e8cafc826f970a28bd115149..1ad7a874253f5af8b1e5e56085aceb167bb1ef88 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrole-cert-manager.yml.j2
@@ -1,20 +1,293 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-cainjector
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "create", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["apiregistration.k8s.io"]
+    resources: ["apiservices"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["auditregistration.k8s.io"]
+    resources: ["auditsinks"]
+    verbs: ["get", "list", "watch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-orders
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders", "orders/status"]
+    verbs: ["update"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders", "challenges"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers", "issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["create", "delete"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders/finalizers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-ingress-shim
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests"]
+    verbs: ["create", "update", "delete"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["extensions"]
+    resources: ["ingresses/finalizers"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager
+  name: cert-manager-view
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
-  - apiGroups: ["certmanager.k8s.io"]
-    resources: ["certificates", "issuers", "clusterissuers"]
-    verbs: ["*"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "issuers"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-challenges
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  # Use to update challenge resource status
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges", "challenges/status"]
+    verbs: ["update"]
+  # Used to watch challenge resources
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["get", "list", "watch"]
+  # Used to watch challenges, issuer and clusterissuer resources
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  # Need to be able to retrieve ACME account private key to complete challenges
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  # Used to create events
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  # HTTP01 rules
   - apiGroups: [""]
-    resources: ["configmaps", "secrets", "events", "services", "pods"]
-    verbs: ["*"]
+    resources: ["pods", "services"]
+    verbs: ["get", "list", "watch", "create", "delete"]
   - apiGroups: ["extensions"]
     resources: ["ingresses"]
-    verbs: ["*"]
+    verbs: ["get", "list", "watch", "create", "delete", "update"]
+  # We require the ability to specify a custom hostname when we are creating
+  # new ingress resources.
+  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes/custom-host"]
+    verbs: ["create"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges/finalizers"]
+    verbs: ["update"]
+  # DNS01 rules (duplicated above)
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-issuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "issuers/status"]
+    verbs: ["update"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-clusterissuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers", "clusterissuers/status"]
+    verbs: ["update"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-edit
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "issuers"]
+    verbs: ["create", "delete", "deletecollection", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cert-manager-controller-certificates
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
+    verbs: ["update"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
+    verbs: ["get", "list", "watch"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["orders"]
+    verbs: ["create", "delete", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
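Review bot: Most ClusterRoles in this file are declared with `rbac.authorization.k8s.io/v1beta1` while `cert-manager-view` and `cert-manager-edit` use `v1`. The beta RBAC API is deprecated and `v1` accepts the same fields, so I would use `apiVersion: rbac.authorization.k8s.io/v1` throughout; the ClusterRoleBinding template in this commit switches to `v1beta1` as well. In `cert-manager-controller-challenges`, the final `secrets` rule under the comment `DNS01 rules (duplicated above)` repeats the earlier rule verbatim and can be removed. For anyone auditing scope, the controller roles for certificates, issuers and clusterissuers hold `create`/`update`/`delete` on Secrets cluster-wide. That is narrower than the wildcard verbs they replace, but it still deserves a comment stating why it is needed.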
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
index 926762ec5921e8810dae53c8b5a4a86860c88b21..3811695363f9bcf6d14ea379cdd32c517eaa414f 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/clusterrolebinding-cert-manager.yml.j2
@@ -1,17 +1,153 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager
+  name: cert-manager-cainjector
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-cainjector
+subjects:
+  - name: cert-manager-cainjector
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-certificates
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-certificates
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-clusterissuers
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-clusterissuers
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-challenges
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-challenges
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-ingress-shim
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-ingress-shim
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-orders
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-controller-orders
+subjects:
+  - name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-controller-issuers
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cert-manager
+  name: cert-manager-controller-issuers
 subjects:
   - name: cert-manager
     namespace: {{ cert_manager_namespace }}
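Review bot: The `apiVersion` on all seven ClusterRoleBinding documents in this template is downgraded from `rbac.authorization.k8s.io/v1` to `rbac.authorization.k8s.io/v1beta1`, although the old file already used the stable API. The beta RBAC group is deprecated and is no longer served from Kubernetes 1.22, so these bindings would fail to apply on newer clusters. Keep `apiVersion: rbac.authorization.k8s.io/v1` on every document here and on the ClusterRole documents earlier in this diff (e.g. `cert-manager-controller-certificates`); the fields used by both kinds are the same in v1. Separately, `namespace: {{ cert_manager_namespace }}` is unquoted in each subject while the CRD templates write `'{{ cert_manager_namespace }}'`; quoting it keeps an empty or unusual value from changing the rendered YAML. The last binding's subject list continues outside the hunk.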
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
index 40f6ebd044bcc95dccb1560cb182edf19d02a7ef..1b90c7a8bded4828afe5e122e35c225094c4671e 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2
@@ -1,25 +1,291 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: certificates.certmanager.k8s.io
+  name: certificaterequests.cert-manager.io
   annotations:
-    "helm.sh/hook": crd-install
-    "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
-  group: certmanager.k8s.io
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
+  names:
+    kind: CertificateRequest
+    listKind: CertificateRequestList
+    plural: certificaterequests
+    shortNames:
+    - cr
+    - crs
+    singular: certificaterequest
   scope: Namespaced
+  subresources:
+    status: {}
   versions:
-  - name: v1alpha1
+  - name: v1alpha2
     served: true
     storage: true
-    schema:
-      openAPIV3Schema:
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      description: CertificateRequest is a type to represent a Certificate Signing
+        Request
+      type: object
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: CertificateRequestSpec defines the desired state of CertificateRequest
+          type: object
+          required:
+          - csr
+          - issuerRef
+          properties:
+            csr:
+              description: Byte slice containing the PEM encoded CertificateSigningRequest
+              type: string
+              format: byte
+            duration:
+              description: Requested certificate default Duration
+              type: string
+            isCA:
+              description: IsCA will mark the resulting certificate as valid for signing.
+                This implies that the 'cert sign' usage is set
+              type: boolean
+            issuerRef:
+              description: IssuerRef is a reference to the issuer for this CertificateRequest.  If
+                the 'kind' field is not set, or set to 'Issuer', an Issuer resource
+                with the given name in the same namespace as the CertificateRequest
+                will be used.  If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
+                with the provided name will be used. The 'name' field in this stanza
+                is required at all times. The group field refers to the API group
+                of the issuer which defaults to 'cert-manager.io' if empty.
+              type: object
+              required:
+              - name
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+            usages:
+              description: Usages is the set of x509 actions that are enabled for
+                a given key. Defaults are ('digital signature', 'key encipherment')
+                if empty
+              type: array
+              items:
+                description: 'KeyUsage specifies valid usage contexts for keys. See:
+                  https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                  Valid KeyUsage values are as follows: "signing", "digital signature",
+                  "content commitment", "key encipherment", "key agreement", "data
+                  encipherment", "cert sign", "crl sign", "encipher only", "decipher
+                  only", "any", "server auth", "client auth", "code signing", "email
+                  protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
+                  user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
+                  sgc"'
+                type: string
+                enum:
+                - signing
+                - digital signature
+                - content commitment
+                - key encipherment
+                - key agreement
+                - data encipherment
+                - cert sign
+                - crl sign
+                - encipher only
+                - decipher only
+                - any
+                - server auth
+                - client auth
+                - code signing
+                - email protection
+                - s/mime
+                - ipsec end system
+                - ipsec tunnel
+                - ipsec user
+                - timestamping
+                - ocsp signing
+                - microsoft sgc
+                - netscape sgc
+        status:
+          description: CertificateStatus defines the observed state of CertificateRequest
+            and resulting signed certificate.
+          type: object
+          properties:
+            ca:
+              description: Byte slice containing the PEM encoded certificate authority
+                of the signed certificate.
+              type: string
+              format: byte
+            certificate:
+              description: Byte slice containing a PEM encoded signed certificate
+                resulting from the given certificate signing request.
+              type: string
+              format: byte
+            conditions:
+              type: array
+              items:
+                description: CertificateRequestCondition contains condition information
+                  for a CertificateRequest.
+                type: object
+                required:
+                - status
+                - type
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp corresponding
+                      to the last status change of this condition.
+                    type: string
+                    format: date-time
+                  message:
+                    description: Message is a human readable description of the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 'False',
+                      'Unknown').
+                    type: string
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                  type:
+                    description: Type of the condition, currently ('Ready', 'InvalidRequest').
+                    type: string
+            failureTime:
+              description: FailureTime stores the time that this CertificateRequest
+                failed. This is used to influence garbage collection and back-off.
+              type: string
+              format: date-time
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: certificates.cert-manager.io
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .spec.secretName
+    name: Secret
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
+  names:
+    kind: Certificate
+    listKind: CertificateList
+    plural: certificates
+    shortNames:
+    - cert
+    - certs
+    singular: certificate
+  scope: Namespaced
+  subresources:
+    status: {}
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+    "schema":
+      "openAPIV3Schema":
         description: Certificate is a type to represent a Certificate from ACME
         type: object
         properties:
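Review bot: The `cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca` annotation on both CRDs hard-codes the `cert-manager` namespace, while the conversion webhook's `webhookClientConfig.service.namespace` a few lines below is templated as `'{{ cert_manager_namespace }}'`. If that variable is set to anything else, the annotation presumably points cainjector at a secret that does not exist in that namespace. The CA bundle for the conversion webhook would then never be injected, and the API server could not verify the webhook's TLS certificate when converting between the served versions. Template the annotation the same way: `cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'`. The same annotation appears in the new crd-challenge.yml.j2 that follows, and the certificates CRD's schema continues past the end of this hunk.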
@@ -711,10 +977,3 @@ spec:
                   issuance by checking if the revision value in the annotation is
                   greater than this field."
                 type: integer
-  names:
-    kind: Certificate
-    plural: certificates
-    shortNames:
-      - cert
-      - certs
-
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..63e0f56d8d5a69598282fa6e693db257109cc860
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2
@@ -0,0 +1,1466 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: challenges.acme.cert-manager.io
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.state
+    name: State
+    type: string
+  - JSONPath: .spec.dnsName
+    name: Domain
+    type: string
+  - JSONPath: .status.reason
+    name: Reason
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: acme.cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
+  names:
+    kind: Challenge
+    listKind: ChallengeList
+    plural: challenges
+    singular: challenge
+  scope: Namespaced
+  subresources:
+    status: {}
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      description: Challenge is a type to represent a Challenge request with an ACME
+        server
+      type: object
+      required:
+      - metadata
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          type: object
+          required:
+          - authzURL
+          - dnsName
+          - issuerRef
+          - key
+          - solver
+          - token
+          - type
+          - url
+          properties:
+            authzURL:
+              description: AuthzURL is the URL to the ACME Authorization resource
+                that this challenge is a part of.
+              type: string
+            dnsName:
+              description: DNSName is the identifier that this challenge is for, e.g.
+                example.com. If the requested DNSName is a 'wildcard', this field
+                MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
+                it must be `example.com`.
+              type: string
+            issuerRef:
+              description: IssuerRef references a properly configured ACME-type Issuer
+                which should be used to create this Challenge. If the Issuer does
+                not exist, processing will be retried. If the Issuer is not an 'ACME'
+                Issuer, an error will be returned and the Challenge will be marked
+                as failed.
+              type: object
+              required:
+              - name
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+            key:
+              description: 'Key is the ACME challenge key for this challenge For HTTP01
+                challenges, this is the value that must be responded with to complete
+                the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
+                from acme server for challenge>`. For DNS01 challenges, this is the
+                base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
+                from acme server for challenge>` text that must be set as the TXT
+                record content.'
+              type: string
+            solver:
+              description: Solver contains the domain solving configuration that should
+                be used to solve this challenge resource.
+              type: object
+              properties:
+                dns01:
+                  type: object
+                  properties:
+                    acmedns:
+                      description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing
+                        the configuration for ACME-DNS servers
+                      type: object
+                      required:
+                      - accountSecretRef
+                      - host
+                      properties:
+                        accountSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        host:
+                          type: string
+                    akamai:
+                      description: ACMEIssuerDNS01ProviderAkamai is a structure containing
+                        the DNS configuration for Akamai DNS—Zone Record Management
+                        API
+                      type: object
+                      required:
+                      - accessTokenSecretRef
+                      - clientSecretSecretRef
+                      - clientTokenSecretRef
+                      - serviceConsumerDomain
+                      properties:
+                        accessTokenSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        clientSecretSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        clientTokenSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        serviceConsumerDomain:
+                          type: string
+                    azuredns:
+                      description: ACMEIssuerDNS01ProviderAzureDNS is a structure
+                        containing the configuration for Azure DNS
+                      type: object
+                      required:
+                      - resourceGroupName
+                      - subscriptionID
+                      properties:
+                        clientID:
+                          description: if both this and ClientSecret are left unset
+                            MSI will be used
+                          type: string
+                        clientSecretSecretRef:
+                          description: if both this and ClientID are left unset MSI
+                            will be used
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        environment:
+                          type: string
+                          enum:
+                          - AzurePublicCloud
+                          - AzureChinaCloud
+                          - AzureGermanCloud
+                          - AzureUSGovernmentCloud
+                        hostedZoneName:
+                          type: string
+                        resourceGroupName:
+                          type: string
+                        subscriptionID:
+                          type: string
+                        tenantID:
+                          description: when specifying ClientID and ClientSecret then
+                            this field is also needed
+                          type: string
+                    clouddns:
+                      description: ACMEIssuerDNS01ProviderCloudDNS is a structure
+                        containing the DNS configuration for Google Cloud DNS
+                      type: object
+                      required:
+                      - project
+                      properties:
+                        project:
+                          type: string
+                        serviceAccountSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    cloudflare:
+                      description: ACMEIssuerDNS01ProviderCloudflare is a structure
+                        containing the DNS configuration for Cloudflare
+                      type: object
+                      required:
+                      - email
+                      properties:
+                        apiKeySecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        apiTokenSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                        email:
+                          type: string
+                    cnameStrategy:
+                      description: CNAMEStrategy configures how the DNS01 provider
+                        should handle CNAME records when found in DNS zones.
+                      type: string
+                      enum:
+                      - None
+                      - Follow
+                    digitalocean:
+                      description: ACMEIssuerDNS01ProviderDigitalOcean is a structure
+                        containing the DNS configuration for DigitalOcean Domains
+                      type: object
+                      required:
+                      - tokenSecretRef
+                      properties:
+                        tokenSecretRef:
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    rfc2136:
+                      description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing
+                        the configuration for RFC2136 DNS
+                      type: object
+                      required:
+                      - nameserver
+                      properties:
+                        nameserver:
+                          description: The IP address or hostname of an authoritative
+                            DNS server supporting RFC2136 in the form host:port. If
+                            the host is an IPv6 address it must be enclosed in square
+                            brackets (e.g [2001:db8::1]) ; port is optional. This
+                            field is required.
+                          type: string
+                        tsigAlgorithm:
+                          description: 'The TSIG Algorithm configured in the DNS supporting
+                            RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName``
+                            are defined. Supported values are (case-insensitive):
+                            ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or
+                            ``HMACSHA512``.'
+                          type: string
+                        tsigKeyName:
+                          description: The TSIG Key name configured in the DNS. If
+                            ``tsigSecretSecretRef`` is defined, this field is required.
+                          type: string
+                        tsigSecretSecretRef:
+                          description: The name of the secret containing the TSIG
+                            value. If ``tsigKeyName`` is defined, this field is required.
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    route53:
+                      description: ACMEIssuerDNS01ProviderRoute53 is a structure containing
+                        the Route 53 configuration for AWS
+                      type: object
+                      required:
+                      - region
+                      properties:
+                        accessKeyID:
+                          description: 'The AccessKeyID is used for authentication.
+                            If not set we fall-back to using env vars, shared credentials
+                            file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                          type: string
+                        hostedZoneID:
+                          description: If set, the provider will manage only this
+                            zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName
+                            api call.
+                          type: string
+                        region:
+                          description: Always set the region when using AccessKeyID
+                            and SecretAccessKey
+                          type: string
+                        role:
+                          description: Role is a Role ARN which the Route53 provider
+                            will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+                            or the inferred credentials from environment variables,
+                            shared credentials file or AWS Instance metadata
+                          type: string
+                        secretAccessKeySecretRef:
+                          description: The SecretAccessKey is used for authentication.
+                            If not set we fall-back to using env vars, shared credentials
+                            file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                          type: object
+                          required:
+                          - name
+                          properties:
+                            key:
+                              description: The key of the secret to select from. Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                    webhook:
+                      description: ACMEIssuerDNS01ProviderWebhook specifies configuration
+                        for a webhook DNS01 provider, including where to POST ChallengePayload
+                        resources.
+                      type: object
+                      required:
+                      - groupName
+                      - solverName
+                      properties:
+                        config:
+                          description: Additional configuration that should be passed
+                            to the webhook apiserver when challenges are processed.
+                            This can contain arbitrary JSON data. Secret values should
+                            not be specified in this stanza. If secret values are
+                            needed (e.g. credentials for a DNS service), you should
+                            use a SecretKeySelector to reference a Secret resource.
+                            For details on the schema of this field, consult the webhook
+                            provider implementation's documentation.
+                          x-kubernetes-preserve-unknown-fields: true
+                        groupName:
+                          description: The API group name that should be used when
+                            POSTing ChallengePayload resources to the webhook apiserver.
+                            This should be the same as the GroupName specified in
+                            the webhook provider implementation.
+                          type: string
+                        solverName:
+                          description: The name of the solver to use, as defined in
+                            the webhook provider implementation. This will typically
+                            be the name of the provider, e.g. 'cloudflare'.
+                          type: string
+                http01:
+                  description: ACMEChallengeSolverHTTP01 contains configuration detailing
+                    how to solve HTTP01 challenges within a Kubernetes cluster. Typically
+                    this is accomplished through creating 'routes' of some description
+                    that configure ingress controllers to direct traffic to 'solver
+                    pods', which are responsible for responding to the ACME server's
+                    HTTP requests.
+                  type: object
+                  properties:
+                    ingress:
+                      description: The ingress based HTTP01 challenge solver will
+                        solve challenges by creating or modifying Ingress resources
+                        in order to route requests for '/.well-known/acme-challenge/XYZ'
+                        to 'challenge solver' pods that are provisioned by cert-manager
+                        for each Challenge to be completed.
+                      type: object
+                      properties:
+                        class:
+                          description: The ingress class to use when creating Ingress
+                            resources to solve ACME challenges that use this challenge
+                            solver. Only one of 'class' or 'name' may be specified.
+                          type: string
+                        ingressTemplate:
+                          description: Optional ingress template used to configure
+                            the ACME challenge solver ingress used for HTTP01 challenges
+                          type: object
+                          properties:
+                            metadata:
+                              description: ObjectMeta overrides for the ingress used
+                                to solve HTTP01 challenges. Only the 'labels' and
+                                'annotations' fields may be set. If labels or annotations
+                                overlap with in-built values, the values here will
+                                override the in-built values.
+                              type: object
+                              properties:
+                                annotations:
+                                  description: Annotations that should be added to
+                                    the created ACME HTTP01 solver ingress.
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                                labels:
+                                  description: Labels that should be added to the
+                                    created ACME HTTP01 solver ingress.
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                        name:
+                          description: The name of the ingress resource that should
+                            have ACME challenge solving routes inserted into it in
+                            order to solve HTTP01 challenges. This is typically used
+                            in conjunction with ingress controllers like ingress-gce,
+                            which maintains a 1:1 mapping between external IPs and
+                            ingress resources.
+                          type: string
+                        podTemplate:
+                          description: Optional pod template used to configure the
+                            ACME challenge solver pods used for HTTP01 challenges
+                          type: object
+                          properties:
+                            metadata:
+                              description: ObjectMeta overrides for the pod used to
+                                solve HTTP01 challenges. Only the 'labels' and 'annotations'
+                                fields may be set. If labels or annotations overlap
+                                with in-built values, the values here will override
+                                the in-built values.
+                              type: object
+                              properties:
+                                annotations:
+                                  description: Annotations that should be added to
+                                    the create ACME HTTP01 solver pods.
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                                labels:
+                                  description: Labels that should be added to the
+                                    created ACME HTTP01 solver pods.
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                            spec:
+                              description: PodSpec defines overrides for the HTTP01
+                                challenge solver pod. Only the 'nodeSelector', 'affinity'
+                                and 'tolerations' fields are supported currently.
+                                All other fields will be ignored.
+                              type: object
+                              properties:
+                                affinity:
+                                  description: If specified, the pod's scheduling
+                                    constraints
+                                  type: object
+                                  properties:
+                                    nodeAffinity:
+                                      description: Describes node affinity scheduling
+                                        rules for the pod.
+                                      type: object
+                                      properties:
+                                        preferredDuringSchedulingIgnoredDuringExecution:
+                                          description: The scheduler will prefer to
+                                            schedule pods to nodes that satisfy the
+                                            affinity expressions specified by this
+                                            field, but it may choose a node that violates
+                                            one or more of the expressions. The node
+                                            that is most preferred is the one with
+                                            the greatest sum of weights, i.e. for
+                                            each node that meets all of the scheduling
+                                            requirements (resource request, requiredDuringScheduling
+                                            affinity expressions, etc.), compute a
+                                            sum by iterating through the elements
+                                            of this field and adding "weight" to the
+                                            sum if the node matches the corresponding
+                                            matchExpressions; the node(s) with the
+                                            highest sum are the most preferred.
+                                          type: array
+                                          items:
+                                            description: An empty preferred scheduling
+                                              term matches all objects with implicit
+                                              weight 0 (i.e. it's a no-op). A null
+                                              preferred scheduling term matches no
+                                              objects (i.e. is also a no-op).
+                                            type: object
+                                            required:
+                                            - preference
+                                            - weight
+                                            properties:
+                                              preference:
+                                                description: A node selector term,
+                                                  associated with the corresponding
+                                                  weight.
+                                                type: object
+                                                properties:
+                                                  matchExpressions:
+                                                    description: A list of node selector
+                                                      requirements by node's labels.
+                                                    type: array
+                                                    items:
+                                                      description: A node selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: The label key
+                                                            that the selector applies
+                                                            to.
+                                                          type: string
+                                                        operator:
+                                                          description: Represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists, DoesNotExist.
+                                                            Gt, and Lt.
+                                                          type: string
+                                                        values:
+                                                          description: An array of
+                                                            string values. If the
+                                                            operator is In or NotIn,
+                                                            the values array must
+                                                            be non-empty. If the operator
+                                                            is Exists or DoesNotExist,
+                                                            the values array must
+                                                            be empty. If the operator
+                                                            is Gt or Lt, the values
+                                                            array must have a single
+                                                            element, which will be
+                                                            interpreted as an integer.
+                                                            This array is replaced
+                                                            during a strategic merge
+                                                            patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                  matchFields:
+                                                    description: A list of node selector
+                                                      requirements by node's fields.
+                                                    type: array
+                                                    items:
+                                                      description: A node selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: The label key
+                                                            that the selector applies
+                                                            to.
+                                                          type: string
+                                                        operator:
+                                                          description: Represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists, DoesNotExist.
+                                                            Gt, and Lt.
+                                                          type: string
+                                                        values:
+                                                          description: An array of
+                                                            string values. If the
+                                                            operator is In or NotIn,
+                                                            the values array must
+                                                            be non-empty. If the operator
+                                                            is Exists or DoesNotExist,
+                                                            the values array must
+                                                            be empty. If the operator
+                                                            is Gt or Lt, the values
+                                                            array must have a single
+                                                            element, which will be
+                                                            interpreted as an integer.
+                                                            This array is replaced
+                                                            during a strategic merge
+                                                            patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                              weight:
+                                                description: Weight associated with
+                                                  matching the corresponding nodeSelectorTerm,
+                                                  in the range 1-100.
+                                                type: integer
+                                                format: int32
+                                        requiredDuringSchedulingIgnoredDuringExecution:
+                                          description: If the affinity requirements
+                                            specified by this field are not met at
+                                            scheduling time, the pod will not be scheduled
+                                            onto the node. If the affinity requirements
+                                            specified by this field cease to be met
+                                            at some point during pod execution (e.g.
+                                            due to an update), the system may or may
+                                            not try to eventually evict the pod from
+                                            its node.
+                                          type: object
+                                          required:
+                                          - nodeSelectorTerms
+                                          properties:
+                                            nodeSelectorTerms:
+                                              description: Required. A list of node
+                                                selector terms. The terms are ORed.
+                                              type: array
+                                              items:
+                                                description: A null or empty node
+                                                  selector term matches no objects.
+                                                  The requirements of them are ANDed.
+                                                  The TopologySelectorTerm type implements
+                                                  a subset of the NodeSelectorTerm.
+                                                type: object
+                                                properties:
+                                                  matchExpressions:
+                                                    description: A list of node selector
+                                                      requirements by node's labels.
+                                                    type: array
+                                                    items:
+                                                      description: A node selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: The label key
+                                                            that the selector applies
+                                                            to.
+                                                          type: string
+                                                        operator:
+                                                          description: Represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists, DoesNotExist.
+                                                            Gt, and Lt.
+                                                          type: string
+                                                        values:
+                                                          description: An array of
+                                                            string values. If the
+                                                            operator is In or NotIn,
+                                                            the values array must
+                                                            be non-empty. If the operator
+                                                            is Exists or DoesNotExist,
+                                                            the values array must
+                                                            be empty. If the operator
+                                                            is Gt or Lt, the values
+                                                            array must have a single
+                                                            element, which will be
+                                                            interpreted as an integer.
+                                                            This array is replaced
+                                                            during a strategic merge
+                                                            patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                  matchFields:
+                                                    description: A list of node selector
+                                                      requirements by node's fields.
+                                                    type: array
+                                                    items:
+                                                      description: A node selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: The label key
+                                                            that the selector applies
+                                                            to.
+                                                          type: string
+                                                        operator:
+                                                          description: Represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists, DoesNotExist.
+                                                            Gt, and Lt.
+                                                          type: string
+                                                        values:
+                                                          description: An array of
+                                                            string values. If the
+                                                            operator is In or NotIn,
+                                                            the values array must
+                                                            be non-empty. If the operator
+                                                            is Exists or DoesNotExist,
+                                                            the values array must
+                                                            be empty. If the operator
+                                                            is Gt or Lt, the values
+                                                            array must have a single
+                                                            element, which will be
+                                                            interpreted as an integer.
+                                                            This array is replaced
+                                                            during a strategic merge
+                                                            patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                    podAffinity:
+                                      description: Describes pod affinity scheduling
+                                        rules (e.g. co-locate this pod in the same
+                                        node, zone, etc. as some other pod(s)).
+                                      type: object
+                                      properties:
+                                        preferredDuringSchedulingIgnoredDuringExecution:
+                                          description: The scheduler will prefer to
+                                            schedule pods to nodes that satisfy the
+                                            affinity expressions specified by this
+                                            field, but it may choose a node that violates
+                                            one or more of the expressions. The node
+                                            that is most preferred is the one with
+                                            the greatest sum of weights, i.e. for
+                                            each node that meets all of the scheduling
+                                            requirements (resource request, requiredDuringScheduling
+                                            affinity expressions, etc.), compute a
+                                            sum by iterating through the elements
+                                            of this field and adding "weight" to the
+                                            sum if the node has pods which matches
+                                            the corresponding podAffinityTerm; the
+                                            node(s) with the highest sum are the most
+                                            preferred.
+                                          type: array
+                                          items:
+                                            description: The weights of all of the
+                                              matched WeightedPodAffinityTerm fields
+                                              are added per-node to find the most
+                                              preferred node(s)
+                                            type: object
+                                            required:
+                                            - podAffinityTerm
+                                            - weight
+                                            properties:
+                                              podAffinityTerm:
+                                                description: Required. A pod affinity
+                                                  term, associated with the corresponding
+                                                  weight.
+                                                type: object
+                                                required:
+                                                - topologyKey
+                                                properties:
+                                                  labelSelector:
+                                                    description: A label query over
+                                                      a set of resources, in this
+                                                      case pods.
+                                                    type: object
+                                                    properties:
+                                                      matchExpressions:
+                                                        description: matchExpressions
+                                                          is a list of label selector
+                                                          requirements. The requirements
+                                                          are ANDed.
+                                                        type: array
+                                                        items:
+                                                          description: A label selector
+                                                            requirement is a selector
+                                                            that contains values,
+                                                            a key, and an operator
+                                                            that relates the key and
+                                                            values.
+                                                          type: object
+                                                          required:
+                                                          - key
+                                                          - operator
+                                                          properties:
+                                                            key:
+                                                              description: key is
+                                                                the label key that
+                                                                the selector applies
+                                                                to.
+                                                              type: string
+                                                            operator:
+                                                              description: operator
+                                                                represents a key's
+                                                                relationship to a
+                                                                set of values. Valid
+                                                                operators are In,
+                                                                NotIn, Exists and
+                                                                DoesNotExist.
+                                                              type: string
+                                                            values:
+                                                              description: values
+                                                                is an array of string
+                                                                values. If the operator
+                                                                is In or NotIn, the
+                                                                values array must
+                                                                be non-empty. If the
+                                                                operator is Exists
+                                                                or DoesNotExist, the
+                                                                values array must
+                                                                be empty. This array
+                                                                is replaced during
+                                                                a strategic merge
+                                                                patch.
+                                                              type: array
+                                                              items:
+                                                                type: string
+                                                      matchLabels:
+                                                        description: matchLabels is
+                                                          a map of {key,value} pairs.
+                                                          A single {key,value} in
+                                                          the matchLabels map is equivalent
+                                                          to an element of matchExpressions,
+                                                          whose key field is "key",
+                                                          the operator is "In", and
+                                                          the values array contains
+                                                          only "value". The requirements
+                                                          are ANDed.
+                                                        type: object
+                                                        additionalProperties:
+                                                          type: string
+                                                  namespaces:
+                                                    description: namespaces specifies
+                                                      which namespaces the labelSelector
+                                                      applies to (matches against);
+                                                      null or empty list means "this
+                                                      pod's namespace"
+                                                    type: array
+                                                    items:
+                                                      type: string
+                                                  topologyKey:
+                                                    description: This pod should be
+                                                      co-located (affinity) or not
+                                                      co-located (anti-affinity) with
+                                                      the pods matching the labelSelector
+                                                      in the specified namespaces,
+                                                      where co-located is defined
+                                                      as running on a node whose value
+                                                      of the label with key topologyKey
+                                                      matches that of any node on
+                                                      which any of the selected pods
+                                                      is running. Empty topologyKey
+                                                      is not allowed.
+                                                    type: string
+                                              weight:
+                                                description: weight associated with
+                                                  matching the corresponding podAffinityTerm,
+                                                  in the range 1-100.
+                                                type: integer
+                                                format: int32
+                                        requiredDuringSchedulingIgnoredDuringExecution:
+                                          description: If the affinity requirements
+                                            specified by this field are not met at
+                                            scheduling time, the pod will not be scheduled
+                                            onto the node. If the affinity requirements
+                                            specified by this field cease to be met
+                                            at some point during pod execution (e.g.
+                                            due to a pod label update), the system
+                                            may or may not try to eventually evict
+                                            the pod from its node. When there are
+                                            multiple elements, the lists of nodes
+                                            corresponding to each podAffinityTerm
+                                            are intersected, i.e. all terms must be
+                                            satisfied.
+                                          type: array
+                                          items:
+                                            description: Defines a set of pods (namely
+                                              those matching the labelSelector relative
+                                              to the given namespace(s)) that this
+                                              pod should be co-located (affinity)
+                                              or not co-located (anti-affinity) with,
+                                              where co-located is defined as running
+                                              on a node whose value of the label with
+                                              key <topologyKey> matches that of any
+                                              node on which a pod of the set of pods
+                                              is running
+                                            type: object
+                                            required:
+                                            - topologyKey
+                                            properties:
+                                              labelSelector:
+                                                description: A label query over a
+                                                  set of resources, in this case pods.
+                                                type: object
+                                                properties:
+                                                  matchExpressions:
+                                                    description: matchExpressions
+                                                      is a list of label selector
+                                                      requirements. The requirements
+                                                      are ANDed.
+                                                    type: array
+                                                    items:
+                                                      description: A label selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: key is the
+                                                            label key that the selector
+                                                            applies to.
+                                                          type: string
+                                                        operator:
+                                                          description: operator represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists and DoesNotExist.
+                                                          type: string
+                                                        values:
+                                                          description: values is an
+                                                            array of string values.
+                                                            If the operator is In
+                                                            or NotIn, the values array
+                                                            must be non-empty. If
+                                                            the operator is Exists
+                                                            or DoesNotExist, the values
+                                                            array must be empty. This
+                                                            array is replaced during
+                                                            a strategic merge patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                  matchLabels:
+                                                    description: matchLabels is a
+                                                      map of {key,value} pairs. A
+                                                      single {key,value} in the matchLabels
+                                                      map is equivalent to an element
+                                                      of matchExpressions, whose key
+                                                      field is "key", the operator
+                                                      is "In", and the values array
+                                                      contains only "value". The requirements
+                                                      are ANDed.
+                                                    type: object
+                                                    additionalProperties:
+                                                      type: string
+                                              namespaces:
+                                                description: namespaces specifies
+                                                  which namespaces the labelSelector
+                                                  applies to (matches against); null
+                                                  or empty list means "this pod's
+                                                  namespace"
+                                                type: array
+                                                items:
+                                                  type: string
+                                              topologyKey:
+                                                description: This pod should be co-located
+                                                  (affinity) or not co-located (anti-affinity)
+                                                  with the pods matching the labelSelector
+                                                  in the specified namespaces, where
+                                                  co-located is defined as running
+                                                  on a node whose value of the label
+                                                  with key topologyKey matches that
+                                                  of any node on which any of the
+                                                  selected pods is running. Empty
+                                                  topologyKey is not allowed.
+                                                type: string
+                                    podAntiAffinity:
+                                      description: Describes pod anti-affinity scheduling
+                                        rules (e.g. avoid putting this pod in the
+                                        same node, zone, etc. as some other pod(s)).
+                                      type: object
+                                      properties:
+                                        preferredDuringSchedulingIgnoredDuringExecution:
+                                          description: The scheduler will prefer to
+                                            schedule pods to nodes that satisfy the
+                                            anti-affinity expressions specified by
+                                            this field, but it may choose a node that
+                                            violates one or more of the expressions.
+                                            The node that is most preferred is the
+                                            one with the greatest sum of weights,
+                                            i.e. for each node that meets all of the
+                                            scheduling requirements (resource request,
+                                            requiredDuringScheduling anti-affinity
+                                            expressions, etc.), compute a sum by iterating
+                                            through the elements of this field and
+                                            adding "weight" to the sum if the node
+                                            has pods which matches the corresponding
+                                            podAffinityTerm; the node(s) with the
+                                            highest sum are the most preferred.
+                                          type: array
+                                          items:
+                                            description: The weights of all of the
+                                              matched WeightedPodAffinityTerm fields
+                                              are added per-node to find the most
+                                              preferred node(s)
+                                            type: object
+                                            required:
+                                            - podAffinityTerm
+                                            - weight
+                                            properties:
+                                              podAffinityTerm:
+                                                description: Required. A pod affinity
+                                                  term, associated with the corresponding
+                                                  weight.
+                                                type: object
+                                                required:
+                                                - topologyKey
+                                                properties:
+                                                  labelSelector:
+                                                    description: A label query over
+                                                      a set of resources, in this
+                                                      case pods.
+                                                    type: object
+                                                    properties:
+                                                      matchExpressions:
+                                                        description: matchExpressions
+                                                          is a list of label selector
+                                                          requirements. The requirements
+                                                          are ANDed.
+                                                        type: array
+                                                        items:
+                                                          description: A label selector
+                                                            requirement is a selector
+                                                            that contains values,
+                                                            a key, and an operator
+                                                            that relates the key and
+                                                            values.
+                                                          type: object
+                                                          required:
+                                                          - key
+                                                          - operator
+                                                          properties:
+                                                            key:
+                                                              description: key is
+                                                                the label key that
+                                                                the selector applies
+                                                                to.
+                                                              type: string
+                                                            operator:
+                                                              description: operator
+                                                                represents a key's
+                                                                relationship to a
+                                                                set of values. Valid
+                                                                operators are In,
+                                                                NotIn, Exists and
+                                                                DoesNotExist.
+                                                              type: string
+                                                            values:
+                                                              description: values
+                                                                is an array of string
+                                                                values. If the operator
+                                                                is In or NotIn, the
+                                                                values array must
+                                                                be non-empty. If the
+                                                                operator is Exists
+                                                                or DoesNotExist, the
+                                                                values array must
+                                                                be empty. This array
+                                                                is replaced during
+                                                                a strategic merge
+                                                                patch.
+                                                              type: array
+                                                              items:
+                                                                type: string
+                                                      matchLabels:
+                                                        description: matchLabels is
+                                                          a map of {key,value} pairs.
+                                                          A single {key,value} in
+                                                          the matchLabels map is equivalent
+                                                          to an element of matchExpressions,
+                                                          whose key field is "key",
+                                                          the operator is "In", and
+                                                          the values array contains
+                                                          only "value". The requirements
+                                                          are ANDed.
+                                                        type: object
+                                                        additionalProperties:
+                                                          type: string
+                                                  namespaces:
+                                                    description: namespaces specifies
+                                                      which namespaces the labelSelector
+                                                      applies to (matches against);
+                                                      null or empty list means "this
+                                                      pod's namespace"
+                                                    type: array
+                                                    items:
+                                                      type: string
+                                                  topologyKey:
+                                                    description: This pod should be
+                                                      co-located (affinity) or not
+                                                      co-located (anti-affinity) with
+                                                      the pods matching the labelSelector
+                                                      in the specified namespaces,
+                                                      where co-located is defined
+                                                      as running on a node whose value
+                                                      of the label with key topologyKey
+                                                      matches that of any node on
+                                                      which any of the selected pods
+                                                      is running. Empty topologyKey
+                                                      is not allowed.
+                                                    type: string
+                                              weight:
+                                                description: weight associated with
+                                                  matching the corresponding podAffinityTerm,
+                                                  in the range 1-100.
+                                                type: integer
+                                                format: int32
+                                        requiredDuringSchedulingIgnoredDuringExecution:
+                                          description: If the anti-affinity requirements
+                                            specified by this field are not met at
+                                            scheduling time, the pod will not be scheduled
+                                            onto the node. If the anti-affinity requirements
+                                            specified by this field cease to be met
+                                            at some point during pod execution (e.g.
+                                            due to a pod label update), the system
+                                            may or may not try to eventually evict
+                                            the pod from its node. When there are
+                                            multiple elements, the lists of nodes
+                                            corresponding to each podAffinityTerm
+                                            are intersected, i.e. all terms must be
+                                            satisfied.
+                                          type: array
+                                          items:
+                                            description: Defines a set of pods (namely
+                                              those matching the labelSelector relative
+                                              to the given namespace(s)) that this
+                                              pod should be co-located (affinity)
+                                              or not co-located (anti-affinity) with,
+                                              where co-located is defined as running
+                                              on a node whose value of the label with
+                                              key <topologyKey> matches that of any
+                                              node on which a pod of the set of pods
+                                              is running
+                                            type: object
+                                            required:
+                                            - topologyKey
+                                            properties:
+                                              labelSelector:
+                                                description: A label query over a
+                                                  set of resources, in this case pods.
+                                                type: object
+                                                properties:
+                                                  matchExpressions:
+                                                    description: matchExpressions
+                                                      is a list of label selector
+                                                      requirements. The requirements
+                                                      are ANDed.
+                                                    type: array
+                                                    items:
+                                                      description: A label selector
+                                                        requirement is a selector
+                                                        that contains values, a key,
+                                                        and an operator that relates
+                                                        the key and values.
+                                                      type: object
+                                                      required:
+                                                      - key
+                                                      - operator
+                                                      properties:
+                                                        key:
+                                                          description: key is the
+                                                            label key that the selector
+                                                            applies to.
+                                                          type: string
+                                                        operator:
+                                                          description: operator represents
+                                                            a key's relationship to
+                                                            a set of values. Valid
+                                                            operators are In, NotIn,
+                                                            Exists and DoesNotExist.
+                                                          type: string
+                                                        values:
+                                                          description: values is an
+                                                            array of string values.
+                                                            If the operator is In
+                                                            or NotIn, the values array
+                                                            must be non-empty. If
+                                                            the operator is Exists
+                                                            or DoesNotExist, the values
+                                                            array must be empty. This
+                                                            array is replaced during
+                                                            a strategic merge patch.
+                                                          type: array
+                                                          items:
+                                                            type: string
+                                                  matchLabels:
+                                                    description: matchLabels is a
+                                                      map of {key,value} pairs. A
+                                                      single {key,value} in the matchLabels
+                                                      map is equivalent to an element
+                                                      of matchExpressions, whose key
+                                                      field is "key", the operator
+                                                      is "In", and the values array
+                                                      contains only "value". The requirements
+                                                      are ANDed.
+                                                    type: object
+                                                    additionalProperties:
+                                                      type: string
+                                              namespaces:
+                                                description: namespaces specifies
+                                                  which namespaces the labelSelector
+                                                  applies to (matches against); null
+                                                  or empty list means "this pod's
+                                                  namespace"
+                                                type: array
+                                                items:
+                                                  type: string
+                                              topologyKey:
+                                                description: This pod should be co-located
+                                                  (affinity) or not co-located (anti-affinity)
+                                                  with the pods matching the labelSelector
+                                                  in the specified namespaces, where
+                                                  co-located is defined as running
+                                                  on a node whose value of the label
+                                                  with key topologyKey matches that
+                                                  of any node on which any of the
+                                                  selected pods is running. Empty
+                                                  topologyKey is not allowed.
+                                                type: string
+                                nodeSelector:
+                                  description: 'NodeSelector is a selector which must
+                                    be true for the pod to fit on a node. Selector
+                                    which must match a node''s labels for the pod
+                                    to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                  type: object
+                                  additionalProperties:
+                                    type: string
+                                tolerations:
+                                  description: If specified, the pod's tolerations.
+                                  type: array
+                                  items:
+                                    description: The pod this Toleration is attached
+                                      to tolerates any taint that matches the triple
+                                      <key,value,effect> using the matching operator
+                                      <operator>.
+                                    type: object
+                                    properties:
+                                      effect:
+                                        description: Effect indicates the taint effect
+                                          to match. Empty means match all taint effects.
+                                          When specified, allowed values are NoSchedule,
+                                          PreferNoSchedule and NoExecute.
+                                        type: string
+                                      key:
+                                        description: Key is the taint key that the
+                                          toleration applies to. Empty means match
+                                          all taint keys. If the key is empty, operator
+                                          must be Exists; this combination means to
+                                          match all values and all keys.
+                                        type: string
+                                      operator:
+                                        description: Operator represents a key's relationship
+                                          to the value. Valid operators are Exists
+                                          and Equal. Defaults to Equal. Exists is
+                                          equivalent to wildcard for value, so that
+                                          a pod can tolerate all taints of a particular
+                                          category.
+                                        type: string
+                                      tolerationSeconds:
+                                        description: TolerationSeconds represents
+                                          the period of time the toleration (which
+                                          must be of effect NoExecute, otherwise this
+                                          field is ignored) tolerates the taint. By
+                                          default, it is not set, which means tolerate
+                                          the taint forever (do not evict). Zero and
+                                          negative values will be treated as 0 (evict
+                                          immediately) by the system.
+                                        type: integer
+                                        format: int64
+                                      value:
+                                        description: Value is the taint value the
+                                          toleration matches to. If the operator is
+                                          Exists, the value should be empty, otherwise
+                                          just a regular string.
+                                        type: string
+                        serviceType:
+                          description: Optional service type for Kubernetes solver
+                            service
+                          type: string
+                selector:
+                  description: Selector selects a set of DNSNames on the Certificate
+                    resource that should be solved using this challenge solver.
+                  type: object
+                  properties:
+                    dnsNames:
+                      description: List of DNSNames that this solver will be used
+                        to solve. If specified and a match is found, a dnsNames selector
+                        will take precedence over a dnsZones selector. If multiple
+                        solvers match with the same dnsNames value, the solver with
+                        the most matching labels in matchLabels will be selected.
+                        If neither has more matches, the solver defined earlier in
+                        the list will be selected.
+                      type: array
+                      items:
+                        type: string
+                    dnsZones:
+                      description: List of DNSZones that this solver will be used
+                        to solve. The most specific DNS zone match specified here
+                        will take precedence over other DNS zone matches, so a solver
+                        specifying sys.example.com will be selected over one specifying
+                        example.com for the domain www.sys.example.com. If multiple
+                        solvers match with the same dnsZones value, the solver with
+                        the most matching labels in matchLabels will be selected.
+                        If neither has more matches, the solver defined earlier in
+                        the list will be selected.
+                      type: array
+                      items:
+                        type: string
+                    matchLabels:
+                      description: A label selector that is used to refine the set
+                        of certificate's that this challenge solver will apply to.
+                      type: object
+                      additionalProperties:
+                        type: string
+            token:
+              description: Token is the ACME challenge token for this challenge. This
+                is the raw value returned from the ACME server.
+              type: string
+            type:
+              description: Type is the type of ACME challenge this resource represents,
+                e.g. "dns01" or "http01".
+              type: string
+            url:
+              description: URL is the URL of the ACME Challenge resource for this
+                challenge. This can be used to lookup details about the status of
+                this challenge.
+              type: string
+            wildcard:
+              description: Wildcard will be true if this challenge is for a wildcard
+                identifier, for example '*.example.com'.
+              type: boolean
+        status:
+          type: object
+          properties:
+            presented:
+              description: Presented will be set to true if the challenge values for
+                this challenge are currently 'presented'. This *does not* imply the
+                self check is passing. Only that the values have been 'submitted'
+                for the appropriate challenge mechanism (i.e. the DNS01 TXT record
+                has been presented, or the HTTP01 configuration has been configured).
+              type: boolean
+            processing:
+              description: Processing is used to denote whether this challenge should
+                be processed or not. This field will only be set to true by the 'scheduling'
+                component. It will only be set to false by the 'challenges' controller,
+                after the challenge has reached a final state or timed out. If this
+                field is set to false, the challenge controller will not take any
+                more action.
+              type: boolean
+            reason:
+              description: Reason contains human readable information on why the Challenge
+                is in the current state.
+              type: string
+            state:
+              description: State contains the current 'state' of the challenge. If
+                not set, the state of the challenge is unknown.
+              type: string
+              enum:
+              - valid
+              - ready
+              - pending
+              - processing
+              - invalid
+              - expired
+              - errored
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
index ca1fabaf626bb3f627e99f93238fadc6fdb4874e..20e3b51bc98d279629fba0195ac27d0b88720c61 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2
@@ -1,1102 +1,1012 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: clusterissuers.certmanager.k8s.io
+  name: clusterissuers.cert-manager.io
   annotations:
-    "helm.sh/hook": crd-install
-    "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
-  group: certmanager.k8s.io
-  scope: Cluster
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
   names:
     kind: ClusterIssuer
+    listKind: ClusterIssuerList
     plural: clusterissuers
+    singular: clusterissuer
+  scope: Cluster
+  subresources:
+    status: {}
   versions:
-  - name: v1alpha1
+  - name: v1alpha2
     served: true
     storage: true
-    schema:
-      openAPIV3Schema:
-        type: object
-        properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation
-                of an object. Servers should convert recognized schemas to the latest
-                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this
-                object represents. Servers may infer this from the endpoint the client
-                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: IssuerSpec is the specification of an Issuer. This includes
-                any configuration required for the issuer.
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      type: object
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: IssuerSpec is the specification of an Issuer. This includes
+            any configuration required for the issuer.
+          type: object
+          properties:
+            acme:
+              description: ACMEIssuer contains the specification for an ACME issuer
               type: object
+              required:
+              - privateKeySecretRef
+              - server
               properties:
-                acme:
-                  description: ACMEIssuer contains the specification for an ACME issuer
+                email:
+                  description: Email is the email for this account
+                  type: string
+                externalAccountBinding:
+                  description: ExternalAccountBinding is a reference to a CA external
+                    account of the ACME server.
                   type: object
                   required:
-                  - privateKeySecretRef
-                  - server
+                  - keyAlgorithm
+                  - keyID
+                  - keySecretRef
                   properties:
-                    email:
-                      description: Email is the email for this account
+                    keyAlgorithm:
+                      description: keyAlgorithm is the MAC key algorithm that the
+                        key is used for. Valid values are "HS256", "HS384" and "HS512".
                       type: string
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external
-                        account of the ACME server.
-                      type: object
-                      required:
-                      - keyAlgorithm
-                      - keyID
-                      - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: keyAlgorithm is the MAC key algorithm that the
-                            key is used for. Valid values are "HS256", "HS384" and "HS512".
-                          type: string
-                          enum:
-                          - HS256
-                          - HS384
-                          - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External
-                            Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing
-                            a data item in a Kubernetes Secret which holds the symmetric
-                            MAC key of the External Account Binding. The `key` is the
-                            index string that is paired with the key data in the Secret
-                            and should not be confused with the key data itself, or indeed
-                            with the External Account Binding keyID above. The secret
-                            key stored in the Secret **must** be un-padded, base64 URL
-                            encoded data.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            key:
-                              description: The key of the secret to select from. Must
-                                be a valid secret key.
-                              type: string
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a secret containing the private
-                        key for this user account.
+                      enum:
+                      - HS256
+                      - HS384
+                      - HS512
+                    keyID:
+                      description: keyID is the ID of the CA key that the External
+                        Account is bound to.
+                      type: string
+                    keySecretRef:
+                      description: keySecretRef is a Secret Key Selector referencing
+                        a data item in a Kubernetes Secret which holds the symmetric
+                        MAC key of the External Account Binding. The `key` is the
+                        index string that is paired with the key data in the Secret
+                        and should not be confused with the key data itself, or indeed
+                        with the External Account Binding keyID above. The secret
+                        key stored in the Secret **must** be un-padded, base64 URL
+                        encoded data.
                       type: object
                       required:
                       - name
                       properties:
                         key:
-                          description: The key of the secret to select from. Must be a
-                            valid secret key.
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
                           type: string
                         name:
                           description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                             TODO: Add other useful fields. apiVersion, kind, uid?'
                           type: string
-                    server:
-                      description: Server is the ACME server URL
+                privateKeySecretRef:
+                  description: PrivateKey is the name of a secret containing the private
+                    key for this user account.
+                  type: object
+                  required:
+                  - name
+                  properties:
+                    key:
+                      description: The key of the secret to select from. Must be a
+                        valid secret key.
+                      type: string
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
                       type: string
-                    skipTLSVerify:
-                      description: If true, skip verifying the ACME server TLS certificate
-                      type: boolean
-                    solvers:
-                      description: Solvers is a list of challenge solvers that will be
-                        used to solve ACME challenges for the matching domains.
-                      type: array
-                      items:
+                server:
+                  description: Server is the ACME server URL
+                  type: string
+                skipTLSVerify:
+                  description: If true, skip verifying the ACME server TLS certificate
+                  type: boolean
+                solvers:
+                  description: Solvers is a list of challenge solvers that will be
+                    used to solve ACME challenges for the matching domains.
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      dns01:
                         type: object
                         properties:
-                          dns01:
+                          acmedns:
+                            description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
+                              containing the configuration for ACME-DNS servers
                             type: object
+                            required:
+                            - accountSecretRef
+                            - host
                             properties:
-                              acmedns:
-                                description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
-                                  containing the configuration for ACME-DNS servers
+                              accountSecretRef:
                                 type: object
                                 required:
-                                - accountSecretRef
-                                - host
+                                - name
                                 properties:
-                                  accountSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  host:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                              akamai:
-                                description: ACMEIssuerDNS01ProviderAkamai is a structure
-                                  containing the DNS configuration for Akamai DNS—Zone
-                                  Record Management API
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              host:
+                                type: string
+                          akamai:
+                            description: ACMEIssuerDNS01ProviderAkamai is a structure
+                              containing the DNS configuration for Akamai DNS—Zone
+                              Record Management API
+                            type: object
+                            required:
+                            - accessTokenSecretRef
+                            - clientSecretSecretRef
+                            - clientTokenSecretRef
+                            - serviceConsumerDomain
+                            properties:
+                              accessTokenSecretRef:
                                 type: object
                                 required:
-                                - accessTokenSecretRef
-                                - clientSecretSecretRef
-                                - clientTokenSecretRef
-                                - serviceConsumerDomain
+                                - name
                                 properties:
-                                  accessTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  serviceConsumerDomain:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                              azuredns:
-                                description: ACMEIssuerDNS01ProviderAzureDNS is a structure
-                                  containing the configuration for Azure DNS
+                              clientSecretSecretRef:
                                 type: object
                                 required:
-                                - resourceGroupName
-                                - subscriptionID
+                                - name
                                 properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left
-                                      unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset
-                                      MSI will be used
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                    - AzurePublicCloud
-                                    - AzureChinaCloud
-                                    - AzureGermanCloud
-                                    - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
-                                    type: string
-                                  subscriptionID:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret
-                                      then this field is also needed
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                              clouddns:
-                                description: ACMEIssuerDNS01ProviderCloudDNS is a structure
-                                  containing the DNS configuration for Google Cloud DNS
+                              clientTokenSecretRef:
                                 type: object
                                 required:
-                                - project
+                                - name
                                 properties:
-                                  project:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  serviceAccountSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              cloudflare:
-                                description: ACMEIssuerDNS01ProviderCloudflare is a structure
-                                  containing the DNS configuration for Cloudflare
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              serviceConsumerDomain:
+                                type: string
+                          azuredns:
+                            description: ACMEIssuerDNS01ProviderAzureDNS is a structure
+                              containing the configuration for Azure DNS
+                            type: object
+                            required:
+                            - resourceGroupName
+                            - subscriptionID
+                            properties:
+                              clientID:
+                                description: if both this and ClientSecret are left
+                                  unset MSI will be used
+                                type: string
+                              clientSecretSecretRef:
+                                description: if both this and ClientID are left unset
+                                  MSI will be used
                                 type: object
                                 required:
-                                - email
+                                - name
                                 properties:
-                                  apiKeySecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  email:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider
-                                  should handle CNAME records when found in DNS zones.
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              environment:
                                 type: string
                                 enum:
-                                - None
-                                - Follow
-                              digitalocean:
-                                description: ACMEIssuerDNS01ProviderDigitalOcean is a
-                                  structure containing the DNS configuration for DigitalOcean
-                                  Domains
+                                - AzurePublicCloud
+                                - AzureChinaCloud
+                                - AzureGermanCloud
+                                - AzureUSGovernmentCloud
+                              hostedZoneName:
+                                type: string
+                              resourceGroupName:
+                                type: string
+                              subscriptionID:
+                                type: string
+                              tenantID:
+                                description: when specifying ClientID and ClientSecret
+                                  then this field is also needed
+                                type: string
+                          clouddns:
+                            description: ACMEIssuerDNS01ProviderCloudDNS is a structure
+                              containing the DNS configuration for Google Cloud DNS
+                            type: object
+                            required:
+                            - project
+                            properties:
+                              project:
+                                type: string
+                              serviceAccountSecretRef:
                                 type: object
                                 required:
-                                - tokenSecretRef
+                                - name
                                 properties:
-                                  tokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              rfc2136:
-                                description: ACMEIssuerDNS01ProviderRFC2136 is a structure
-                                  containing the configuration for RFC2136 DNS
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          cloudflare:
+                            description: ACMEIssuerDNS01ProviderCloudflare is a structure
+                              containing the DNS configuration for Cloudflare
+                            type: object
+                            required:
+                            - email
+                            properties:
+                              apiKeySecretRef:
                                 type: object
                                 required:
-                                - nameserver
+                                - name
                                 properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative
-                                      DNS server supporting RFC2136 in the form host:port.
-                                      If the host is an IPv6 address it must be enclosed
-                                      in square brackets (e.g [2001:db8::1]) ; port is
-                                      optional. This field is required.
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the
-                                      DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
-                                      and ``tsigKeyName`` are defined. Supported values
-                                      are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
-                                      ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS.
-                                      If ``tsigSecretSecretRef`` is defined, this field
-                                      is required.
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the
-                                      TSIG value. If ``tsigKeyName`` is defined, this
-                                      field is required.
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              route53:
-                                description: ACMEIssuerDNS01ProviderRoute53 is a structure
-                                  containing the Route 53 configuration for AWS
+                              apiTokenSecretRef:
                                 type: object
                                 required:
-                                - region
+                                - name
                                 properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication.
-                                      If not set we fall-back to using env vars, shared
-                                      credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only
-                                      this zone in Route53 and will not do an lookup using
-                                      the route53:ListHostedZonesByName api call.
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID
-                                      and SecretAccessKey
+                              email:
+                                type: string
+                          cnameStrategy:
+                            description: CNAMEStrategy configures how the DNS01 provider
+                              should handle CNAME records when found in DNS zones.
+                            type: string
+                            enum:
+                            - None
+                            - Follow
+                          digitalocean:
+                            description: ACMEIssuerDNS01ProviderDigitalOcean is a
+                              structure containing the DNS configuration for DigitalOcean
+                              Domains
+                            type: object
+                            required:
+                            - tokenSecretRef
+                            properties:
+                              tokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53
-                                      provider will assume using either the explicit credentials
-                                      AccessKeyID/SecretAccessKey or the inferred credentials
-                                      from environment variables, shared credentials file
-                                      or AWS Instance metadata
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication.
-                                      If not set we fall-back to using env vars, shared
-                                      credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              webhook:
-                                description: ACMEIssuerDNS01ProviderWebhook specifies
-                                  configuration for a webhook DNS01 provider, including
-                                  where to POST ChallengePayload resources.
+                          rfc2136:
+                            description: ACMEIssuerDNS01ProviderRFC2136 is a structure
+                              containing the configuration for RFC2136 DNS
+                            type: object
+                            required:
+                            - nameserver
+                            properties:
+                              nameserver:
+                                description: The IP address or hostname of an authoritative
+                                  DNS server supporting RFC2136 in the form host:port.
+                                  If the host is an IPv6 address it must be enclosed
+                                  in square brackets (e.g [2001:db8::1]) ; port is
+                                  optional. This field is required.
+                                type: string
+                              tsigAlgorithm:
+                                description: 'The TSIG Algorithm configured in the
+                                  DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                  and ``tsigKeyName`` are defined. Supported values
+                                  are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
+                                  ``HMACSHA256`` or ``HMACSHA512``.'
+                                type: string
+                              tsigKeyName:
+                                description: The TSIG Key name configured in the DNS.
+                                  If ``tsigSecretSecretRef`` is defined, this field
+                                  is required.
+                                type: string
+                              tsigSecretSecretRef:
+                                description: The name of the secret containing the
+                                  TSIG value. If ``tsigKeyName`` is defined, this
+                                  field is required.
                                 type: object
                                 required:
-                                - groupName
-                                - solverName
+                                - name
                                 properties:
-                                  config:
-                                    description: Additional configuration that should
-                                      be passed to the webhook apiserver when challenges
-                                      are processed. This can contain arbitrary JSON data.
-                                      Secret values should not be specified in this stanza.
-                                      If secret values are needed (e.g. credentials for
-                                      a DNS service), you should use a SecretKeySelector
-                                      to reference a Secret resource. For details on the
-                                      schema of this field, consult the webhook provider
-                                      implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used
-                                      when POSTing ChallengePayload resources to the webhook
-                                      apiserver. This should be the same as the GroupName
-                                      specified in the webhook provider implementation.
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined
-                                      in the webhook provider implementation. This will
-                                      typically be the name of the provider, e.g. 'cloudflare'.
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                          http01:
-                            description: ACMEChallengeSolverHTTP01 contains configuration
-                              detailing how to solve HTTP01 challenges within a Kubernetes
-                              cluster. Typically this is accomplished through creating
-                              'routes' of some description that configure ingress controllers
-                              to direct traffic to 'solver pods', which are responsible
-                              for responding to the ACME server's HTTP requests.
+                          route53:
+                            description: ACMEIssuerDNS01ProviderRoute53 is a structure
+                              containing the Route 53 configuration for AWS
                             type: object
+                            required:
+                            - region
                             properties:
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver
-                                  will solve challenges by creating or modifying Ingress
-                                  resources in order to route requests for '/.well-known/acme-challenge/XYZ'
-                                  to 'challenge solver' pods that are provisioned by cert-manager
-                                  for each Challenge to be completed.
+                              accessKeyID:
+                                description: 'The AccessKeyID is used for authentication.
+                                  If not set we fall-back to using env vars, shared
+                                  credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                type: string
+                              hostedZoneID:
+                                description: If set, the provider will manage only
+                                  this zone in Route53 and will not do an lookup using
+                                  the route53:ListHostedZonesByName api call.
+                                type: string
+                              region:
+                                description: Always set the region when using AccessKeyID
+                                  and SecretAccessKey
+                                type: string
+                              role:
+                                description: Role is a Role ARN which the Route53
+                                  provider will assume using either the explicit credentials
+                                  AccessKeyID/SecretAccessKey or the inferred credentials
+                                  from environment variables, shared credentials file
+                                  or AWS Instance metadata
+                                type: string
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication.
+                                  If not set we fall-back to using env vars, shared
+                                  credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                                 type: object
+                                required:
+                                - name
                                 properties:
-                                  class:
-                                    description: The ingress class to use when creating
-                                      Ingress resources to solve ACME challenges that
-                                      use this challenge solver. Only one of 'class' or
-                                      'name' may be specified.
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure
-                                      the ACME challenge solver ingress used for HTTP01
-                                      challenges
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          webhook:
+                            description: ACMEIssuerDNS01ProviderWebhook specifies
+                              configuration for a webhook DNS01 provider, including
+                              where to POST ChallengePayload resources.
+                            type: object
+                            required:
+                            - groupName
+                            - solverName
+                            properties:
+                              config:
+                                description: Additional configuration that should
+                                  be passed to the webhook apiserver when challenges
+                                  are processed. This can contain arbitrary JSON data.
+                                  Secret values should not be specified in this stanza.
+                                  If secret values are needed (e.g. credentials for
+                                  a DNS service), you should use a SecretKeySelector
+                                  to reference a Secret resource. For details on the
+                                  schema of this field, consult the webhook provider
+                                  implementation's documentation.
+                                x-kubernetes-preserve-unknown-fields: true
+                              groupName:
+                                description: The API group name that should be used
+                                  when POSTing ChallengePayload resources to the webhook
+                                  apiserver. This should be the same as the GroupName
+                                  specified in the webhook provider implementation.
+                                type: string
+                              solverName:
+                                description: The name of the solver to use, as defined
+                                  in the webhook provider implementation. This will
+                                  typically be the name of the provider, e.g. 'cloudflare'.
+                                type: string
+                      http01:
+                        description: ACMEChallengeSolverHTTP01 contains configuration
+                          detailing how to solve HTTP01 challenges within a Kubernetes
+                          cluster. Typically this is accomplished through creating
+                          'routes' of some description that configure ingress controllers
+                          to direct traffic to 'solver pods', which are responsible
+                          for responding to the ACME server's HTTP requests.
+                        type: object
+                        properties:
+                          ingress:
+                            description: The ingress based HTTP01 challenge solver
+                              will solve challenges by creating or modifying Ingress
+                              resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                              to 'challenge solver' pods that are provisioned by cert-manager
+                              for each Challenge to be completed.
+                            type: object
+                            properties:
+                              class:
+                                description: The ingress class to use when creating
+                                  Ingress resources to solve ACME challenges that
+                                  use this challenge solver. Only one of 'class' or
+                                  'name' may be specified.
+                                type: string
+                              ingressTemplate:
+                                description: Optional ingress template used to configure
+                                  the ACME challenge solver ingress used for HTTP01
+                                  challenges
+                                type: object
+                                properties:
+                                  metadata:
+                                    description: ObjectMeta overrides for the ingress
+                                      used to solve HTTP01 challenges. Only the 'labels'
+                                      and 'annotations' fields may be set. If labels
+                                      or annotations overlap with in-built values,
+                                      the values here will override the in-built values.
                                     type: object
                                     properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress
-                                          used to solve HTTP01 challenges. Only the 'labels'
-                                          and 'annotations' fields may be set. If labels
-                                          or annotations overlap with in-built values,
-                                          the values here will override the in-built values.
+                                      annotations:
+                                        description: Annotations that should be added
+                                          to the created ACME HTTP01 solver ingress.
                                         type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added
-                                              to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to
-                                              the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that
-                                      should have ACME challenge solving routes inserted
-                                      into it in order to solve HTTP01 challenges. This
-                                      is typically used in conjunction with ingress controllers
-                                      like ingress-gce, which maintains a 1:1 mapping
-                                      between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure
-                                      the ACME challenge solver pods used for HTTP01 challenges
+                                        additionalProperties:
+                                          type: string
+                                      labels:
+                                        description: Labels that should be added to
+                                          the created ACME HTTP01 solver ingress.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                              name:
+                                description: The name of the ingress resource that
+                                  should have ACME challenge solving routes inserted
+                                  into it in order to solve HTTP01 challenges. This
+                                  is typically used in conjunction with ingress controllers
+                                  like ingress-gce, which maintains a 1:1 mapping
+                                  between external IPs and ingress resources.
+                                type: string
+                              podTemplate:
+                                description: Optional pod template used to configure
+                                  the ACME challenge solver pods used for HTTP01 challenges
+                                type: object
+                                properties:
+                                  metadata:
+                                    description: ObjectMeta overrides for the pod
+                                      used to solve HTTP01 challenges. Only the 'labels'
+                                      and 'annotations' fields may be set. If labels
+                                      or annotations overlap with in-built values,
+                                      the values here will override the in-built values.
                                     type: object
                                     properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod
-                                          used to solve HTTP01 challenges. Only the 'labels'
-                                          and 'annotations' fields may be set. If labels
-                                          or annotations overlap with in-built values,
-                                          the values here will override the in-built values.
+                                      annotations:
+                                        description: Annotations that should be added
+                                          to the create ACME HTTP01 solver pods.
                                         type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added
-                                              to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to
-                                              the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the
-                                          HTTP01 challenge solver pod. Only the 'nodeSelector',
-                                          'affinity' and 'tolerations' fields are supported
-                                          currently. All other fields will be ignored.
+                                        additionalProperties:
+                                          type: string
+                                      labels:
+                                        description: Labels that should be added to
+                                          the created ACME HTTP01 solver pods.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                  spec:
+                                    description: PodSpec defines overrides for the
+                                      HTTP01 challenge solver pod. Only the 'nodeSelector',
+                                      'affinity' and 'tolerations' fields are supported
+                                      currently. All other fields will be ignored.
+                                    type: object
+                                    properties:
+                                      affinity:
+                                        description: If specified, the pod's scheduling
+                                          constraints
                                         type: object
                                         properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling
-                                              constraints
+                                          nodeAffinity:
+                                            description: Describes node affinity scheduling
+                                              rules for the pod.
                                             type: object
                                             properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling
-                                                  rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      affinity expressions, etc.), compute
-                                                      a sum by iterating through the elements
-                                                      of this field and adding "weight"
-                                                      to the sum if the node matches the
-                                                      corresponding matchExpressions;
-                                                      the node(s) with the highest sum
-                                                      are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred
-                                                        scheduling term matches all objects
-                                                        with implicit weight 0 (i.e. it's
-                                                        a no-op). A null preferred scheduling
-                                                        term matches no objects (i.e.
-                                                        is also a no-op).
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  affinity expressions, etc.), compute
+                                                  a sum by iterating through the elements
+                                                  of this field and adding "weight"
+                                                  to the sum if the node matches the
+                                                  corresponding matchExpressions;
+                                                  the node(s) with the highest sum
+                                                  are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: An empty preferred
+                                                    scheduling term matches all objects
+                                                    with implicit weight 0 (i.e. it's
+                                                    a no-op). A null preferred scheduling
+                                                    term matches no objects (i.e.
+                                                    is also a no-op).
+                                                  type: object
+                                                  required:
+                                                  - preference
+                                                  - weight
+                                                  properties:
+                                                    preference:
+                                                      description: A node selector
+                                                        term, associated with the
+                                                        corresponding weight.
                                                       type: object
-                                                      required:
-                                                      - preference
-                                                      - weight
                                                       properties:
-                                                        preference:
-                                                          description: A node selector
-                                                            term, associated with the
-                                                            corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated
-                                                            with matching the corresponding
-                                                            nodeSelectorTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements
-                                                      specified by this field are not
-                                                      met at scheduling time, the pod
-                                                      will not be scheduled onto the node.
-                                                      If the affinity requirements specified
-                                                      by this field cease to be met at
-                                                      some point during pod execution
-                                                      (e.g. due to an update), the system
-                                                      may or may not try to eventually
-                                                      evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                    - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list
-                                                          of node selector terms. The
-                                                          terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty
-                                                            node selector term matches
-                                                            no objects. The requirements
-                                                            of them are ANDed. The TopologySelectorTerm
-                                                            type implements a subset of
-                                                            the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling
-                                                  rules (e.g. co-locate this pod in the
-                                                  same node, zone, etc. as some other
-                                                  pod(s)).
+                                                        matchExpressions:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's labels.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchFields:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's fields.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                    weight:
+                                                      description: Weight associated
+                                                        with matching the corresponding
+                                                        nodeSelectorTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the affinity requirements
+                                                  specified by this field are not
+                                                  met at scheduling time, the pod
+                                                  will not be scheduled onto the node.
+                                                  If the affinity requirements specified
+                                                  by this field cease to be met at
+                                                  some point during pod execution
+                                                  (e.g. due to an update), the system
+                                                  may or may not try to eventually
+                                                  evict the pod from its node.
                                                 type: object
+                                                required:
+                                                - nodeSelectorTerms
                                                 properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      affinity expressions, etc.), compute
-                                                      a sum by iterating through the elements
-                                                      of this field and adding "weight"
-                                                      to the sum if the node has pods
-                                                      which matches the corresponding
-                                                      podAffinityTerm; the node(s) with
-                                                      the highest sum are the most preferred.
+                                                  nodeSelectorTerms:
+                                                    description: Required. A list
+                                                      of node selector terms. The
+                                                      terms are ORed.
                                                     type: array
                                                     items:
-                                                      description: The weights of all
-                                                        of the matched WeightedPodAffinityTerm
-                                                        fields are added per-node to find
-                                                        the most preferred node(s)
+                                                      description: A null or empty
+                                                        node selector term matches
+                                                        no objects. The requirements
+                                                        of them are ANDed. The TopologySelectorTerm
+                                                        type implements a subset of
+                                                        the NodeSelectorTerm.
                                                       type: object
-                                                      required:
-                                                      - podAffinityTerm
-                                                      - weight
                                                       properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod
-                                                            affinity term, associated
-                                                            with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                          - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query
-                                                                over a set of resources,
-                                                                in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions
-                                                                    is a list of label
-                                                                    selector requirements.
-                                                                    The requirements are
-                                                                    ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label
-                                                                      selector requirement
-                                                                      is a selector that
-                                                                      contains values,
-                                                                      a key, and an operator
-                                                                      that relates the
-                                                                      key and values.
-                                                                    type: object
-                                                                    required:
-                                                                    - key
-                                                                    - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key
-                                                                          is the label
-                                                                          key that the
-                                                                          selector applies
-                                                                          to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator
-                                                                          represents a
-                                                                          key's relationship
-                                                                          to a set of
-                                                                          values. Valid
-                                                                          operators are
-                                                                          In, NotIn, Exists
-                                                                          and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values
-                                                                          is an array
-                                                                          of string values.
-                                                                          If the operator
-                                                                          is In or NotIn,
-                                                                          the values array
-                                                                          must be non-empty.
-                                                                          If the operator
-                                                                          is Exists or
-                                                                          DoesNotExist,
-                                                                          the values array
-                                                                          must be empty.
-                                                                          This array is
-                                                                          replaced during
-                                                                          a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels
-                                                                    is a map of {key,value}
-                                                                    pairs. A single {key,value}
-                                                                    in the matchLabels
-                                                                    map is equivalent
-                                                                    to an element of matchExpressions,
-                                                                    whose key field is
-                                                                    "key", the operator
-                                                                    is "In", and the values
-                                                                    array contains only
-                                                                    "value". The requirements
-                                                                    are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces
-                                                                specifies which namespaces
-                                                                the labelSelector applies
-                                                                to (matches against);
-                                                                null or empty list means
-                                                                "this pod's namespace"
-                                                              type: array
-                                                              items:
+                                                        matchExpressions:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's labels.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
                                                                 type: string
-                                                            topologyKey:
-                                                              description: This pod should
-                                                                be co-located (affinity)
-                                                                or not co-located (anti-affinity)
-                                                                with the pods matching
-                                                                the labelSelector in the
-                                                                specified namespaces,
-                                                                where co-located is defined
-                                                                as running on a node whose
-                                                                value of the label with
-                                                                key topologyKey matches
-                                                                that of any node on which
-                                                                any of the selected pods
-                                                                is running. Empty topologyKey
-                                                                is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated
-                                                            with matching the corresponding
-                                                            podAffinityTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements
-                                                      specified by this field are not
-                                                      met at scheduling time, the pod
-                                                      will not be scheduled onto the node.
-                                                      If the affinity requirements specified
-                                                      by this field cease to be met at
-                                                      some point during pod execution
-                                                      (e.g. due to a pod label update),
-                                                      the system may or may not try to
-                                                      eventually evict the pod from its
-                                                      node. When there are multiple elements,
-                                                      the lists of nodes corresponding
-                                                      to each podAffinityTerm are intersected,
-                                                      i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods
-                                                        (namely those matching the labelSelector
-                                                        relative to the given namespace(s))
-                                                        that this pod should be co-located
-                                                        (affinity) or not co-located (anti-affinity)
-                                                        with, where co-located is defined
-                                                        as running on a node whose value
-                                                        of the label with key <topologyKey>
-                                                        matches that of any node on which
-                                                        a pod of the set of pods is running
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchFields:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's fields.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                          podAffinity:
+                                            description: Describes pod affinity scheduling
+                                              rules (e.g. co-locate this pod in the
+                                              same node, zone, etc. as some other
+                                              pod(s)).
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  affinity expressions, etc.), compute
+                                                  a sum by iterating through the elements
+                                                  of this field and adding "weight"
+                                                  to the sum if the node has pods
+                                                  which matches the corresponding
+                                                  podAffinityTerm; the node(s) with
+                                                  the highest sum are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: The weights of all
+                                                    of the matched WeightedPodAffinityTerm
+                                                    fields are added per-node to find
+                                                    the most preferred node(s)
+                                                  type: object
+                                                  required:
+                                                  - podAffinityTerm
+                                                  - weight
+                                                  properties:
+                                                    podAffinityTerm:
+                                                      description: Required. A pod
+                                                        affinity term, associated
+                                                        with the corresponding weight.
                                                       type: object
                                                       required:
                                                       - topologyKey
                                                       properties:
                                                         labelSelector:
-                                                          description: A label query over
-                                                            a set of resources, in this
-                                                            case pods.
+                                                          description: A label query
+                                                            over a set of resources,
+                                                            in this case pods.
                                                           type: object
                                                           properties:
                                                             matchExpressions:
                                                               description: matchExpressions
-                                                                is a list of label selector
-                                                                requirements. The requirements
-                                                                are ANDed.
+                                                                is a list of label
+                                                                selector requirements.
+                                                                The requirements are
+                                                                ANDed.
                                                               type: array
                                                               items:
-                                                                description: A label selector
-                                                                  requirement is a selector
-                                                                  that contains values,
+                                                                description: A label
+                                                                  selector requirement
+                                                                  is a selector that
+                                                                  contains values,
                                                                   a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
+                                                                  that relates the
+                                                                  key and values.
                                                                 type: object
                                                                 required:
                                                                 - key
                                                                 - operator
                                                                 properties:
                                                                   key:
-                                                                    description: key is
-                                                                      the label key that
-                                                                      the selector applies
+                                                                    description: key
+                                                                      is the label
+                                                                      key that the
+                                                                      selector applies
                                                                       to.
                                                                     type: string
                                                                   operator:
                                                                     description: operator
-                                                                      represents a key's
-                                                                      relationship to
-                                                                      a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists
+                                                                      represents a
+                                                                      key's relationship
+                                                                      to a set of
+                                                                      values. Valid
+                                                                      operators are
+                                                                      In, NotIn, Exists
                                                                       and DoesNotExist.
                                                                     type: string
                                                                   values:
                                                                     description: values
-                                                                      is an array of string
-                                                                      values. If the operator
+                                                                      is an array
+                                                                      of string values.
+                                                                      If the operator
                                                                       is In or NotIn,
                                                                       the values array
                                                                       must be non-empty.
                                                                       If the operator
-                                                                      is Exists or DoesNotExist,
+                                                                      is Exists or
+                                                                      DoesNotExist,
                                                                       the values array
-                                                                      must be empty. This
-                                                                      array is replaced
-                                                                      during a strategic
+                                                                      must be empty.
+                                                                      This array is
+                                                                      replaced during
+                                                                      a strategic
                                                                       merge patch.
                                                                     type: array
                                                                     items:
@@ -1105,281 +1015,281 @@ spec:
                                                               description: matchLabels
                                                                 is a map of {key,value}
                                                                 pairs. A single {key,value}
-                                                                in the matchLabels map
-                                                                is equivalent to an element
-                                                                of matchExpressions, whose
-                                                                key field is "key", the
-                                                                operator is "In", and
-                                                                the values array contains
-                                                                only "value". The requirements
+                                                                in the matchLabels
+                                                                map is equivalent
+                                                                to an element of matchExpressions,
+                                                                whose key field is
+                                                                "key", the operator
+                                                                is "In", and the values
+                                                                array contains only
+                                                                "value". The requirements
                                                                 are ANDed.
                                                               type: object
                                                               additionalProperties:
                                                                 type: string
                                                         namespaces:
-                                                          description: namespaces specifies
-                                                            which namespaces the labelSelector
-                                                            applies to (matches against);
-                                                            null or empty list means "this
-                                                            pod's namespace"
+                                                          description: namespaces
+                                                            specifies which namespaces
+                                                            the labelSelector applies
+                                                            to (matches against);
+                                                            null or empty list means
+                                                            "this pod's namespace"
                                                           type: array
                                                           items:
                                                             type: string
                                                         topologyKey:
                                                           description: This pod should
-                                                            be co-located (affinity) or
-                                                            not co-located (anti-affinity)
-                                                            with the pods matching the
-                                                            labelSelector in the specified
-                                                            namespaces, where co-located
-                                                            is defined as running on a
-                                                            node whose value of the label
-                                                            with key topologyKey matches
+                                                            be co-located (affinity)
+                                                            or not co-located (anti-affinity)
+                                                            with the pods matching
+                                                            the labelSelector in the
+                                                            specified namespaces,
+                                                            where co-located is defined
+                                                            as running on a node whose
+                                                            value of the label with
+                                                            key topologyKey matches
                                                             that of any node on which
-                                                            any of the selected pods is
-                                                            running. Empty topologyKey
+                                                            any of the selected pods
+                                                            is running. Empty topologyKey
                                                             is not allowed.
                                                           type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity
-                                                  scheduling rules (e.g. avoid putting
-                                                  this pod in the same node, zone, etc.
-                                                  as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the anti-affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      anti-affinity expressions, etc.),
-                                                      compute a sum by iterating through
-                                                      the elements of this field and adding
-                                                      "weight" to the sum if the node
-                                                      has pods which matches the corresponding
-                                                      podAffinityTerm; the node(s) with
-                                                      the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all
-                                                        of the matched WeightedPodAffinityTerm
-                                                        fields are added per-node to find
-                                                        the most preferred node(s)
+                                                    weight:
+                                                      description: weight associated
+                                                        with matching the corresponding
+                                                        podAffinityTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the affinity requirements
+                                                  specified by this field are not
+                                                  met at scheduling time, the pod
+                                                  will not be scheduled onto the node.
+                                                  If the affinity requirements specified
+                                                  by this field cease to be met at
+                                                  some point during pod execution
+                                                  (e.g. due to a pod label update),
+                                                  the system may or may not try to
+                                                  eventually evict the pod from its
+                                                  node. When there are multiple elements,
+                                                  the lists of nodes corresponding
+                                                  to each podAffinityTerm are intersected,
+                                                  i.e. all terms must be satisfied.
+                                                type: array
+                                                items:
+                                                  description: Defines a set of pods
+                                                    (namely those matching the labelSelector
+                                                    relative to the given namespace(s))
+                                                    that this pod should be co-located
+                                                    (affinity) or not co-located (anti-affinity)
+                                                    with, where co-located is defined
+                                                    as running on a node whose value
+                                                    of the label with key <topologyKey>
+                                                    matches that of any node on which
+                                                    a pod of the set of pods is running
+                                                  type: object
+                                                  required:
+                                                  - topologyKey
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
                                                       type: object
-                                                      required:
-                                                      - podAffinityTerm
-                                                      - weight
                                                       properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod
-                                                            affinity term, associated
-                                                            with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                          - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query
-                                                                over a set of resources,
-                                                                in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions
-                                                                    is a list of label
-                                                                    selector requirements.
-                                                                    The requirements are
-                                                                    ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label
-                                                                      selector requirement
-                                                                      is a selector that
-                                                                      contains values,
-                                                                      a key, and an operator
-                                                                      that relates the
-                                                                      key and values.
-                                                                    type: object
-                                                                    required:
-                                                                    - key
-                                                                    - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key
-                                                                          is the label
-                                                                          key that the
-                                                                          selector applies
-                                                                          to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator
-                                                                          represents a
-                                                                          key's relationship
-                                                                          to a set of
-                                                                          values. Valid
-                                                                          operators are
-                                                                          In, NotIn, Exists
-                                                                          and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values
-                                                                          is an array
-                                                                          of string values.
-                                                                          If the operator
-                                                                          is In or NotIn,
-                                                                          the values array
-                                                                          must be non-empty.
-                                                                          If the operator
-                                                                          is Exists or
-                                                                          DoesNotExist,
-                                                                          the values array
-                                                                          must be empty.
-                                                                          This array is
-                                                                          replaced during
-                                                                          a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels
-                                                                    is a map of {key,value}
-                                                                    pairs. A single {key,value}
-                                                                    in the matchLabels
-                                                                    map is equivalent
-                                                                    to an element of matchExpressions,
-                                                                    whose key field is
-                                                                    "key", the operator
-                                                                    is "In", and the values
-                                                                    array contains only
-                                                                    "value". The requirements
-                                                                    are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces
-                                                                specifies which namespaces
-                                                                the labelSelector applies
-                                                                to (matches against);
-                                                                null or empty list means
-                                                                "this pod's namespace"
-                                                              type: array
-                                                              items:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          type: array
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
                                                                 type: string
-                                                            topologyKey:
-                                                              description: This pod should
-                                                                be co-located (affinity)
-                                                                or not co-located (anti-affinity)
-                                                                with the pods matching
-                                                                the labelSelector in the
-                                                                specified namespaces,
-                                                                where co-located is defined
-                                                                as running on a node whose
-                                                                value of the label with
-                                                                key topologyKey matches
-                                                                that of any node on which
-                                                                any of the selected pods
-                                                                is running. Empty topologyKey
-                                                                is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated
-                                                            with matching the corresponding
-                                                            podAffinityTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity
-                                                      requirements specified by this field
-                                                      are not met at scheduling time,
-                                                      the pod will not be scheduled onto
-                                                      the node. If the anti-affinity requirements
-                                                      specified by this field cease to
-                                                      be met at some point during pod
-                                                      execution (e.g. due to a pod label
-                                                      update), the system may or may not
-                                                      try to eventually evict the pod
-                                                      from its node. When there are multiple
-                                                      elements, the lists of nodes corresponding
-                                                      to each podAffinityTerm are intersected,
-                                                      i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods
-                                                        (namely those matching the labelSelector
-                                                        relative to the given namespace(s))
-                                                        that this pod should be co-located
-                                                        (affinity) or not co-located (anti-affinity)
-                                                        with, where co-located is defined
-                                                        as running on a node whose value
-                                                        of the label with key <topologyKey>
-                                                        matches that of any node on which
-                                                        a pod of the set of pods is running
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchLabels:
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                          additionalProperties:
+                                                            type: string
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      type: array
+                                                      items:
+                                                        type: string
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                          podAntiAffinity:
+                                            description: Describes pod anti-affinity
+                                              scheduling rules (e.g. avoid putting
+                                              this pod in the same node, zone, etc.
+                                              as some other pod(s)).
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the anti-affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  anti-affinity expressions, etc.),
+                                                  compute a sum by iterating through
+                                                  the elements of this field and adding
+                                                  "weight" to the sum if the node
+                                                  has pods which matches the corresponding
+                                                  podAffinityTerm; the node(s) with
+                                                  the highest sum are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: The weights of all
+                                                    of the matched WeightedPodAffinityTerm
+                                                    fields are added per-node to find
+                                                    the most preferred node(s)
+                                                  type: object
+                                                  required:
+                                                  - podAffinityTerm
+                                                  - weight
+                                                  properties:
+                                                    podAffinityTerm:
+                                                      description: Required. A pod
+                                                        affinity term, associated
+                                                        with the corresponding weight.
                                                       type: object
                                                       required:
                                                       - topologyKey
                                                       properties:
                                                         labelSelector:
-                                                          description: A label query over
-                                                            a set of resources, in this
-                                                            case pods.
+                                                          description: A label query
+                                                            over a set of resources,
+                                                            in this case pods.
                                                           type: object
                                                           properties:
                                                             matchExpressions:
                                                               description: matchExpressions
-                                                                is a list of label selector
-                                                                requirements. The requirements
-                                                                are ANDed.
+                                                                is a list of label
+                                                                selector requirements.
+                                                                The requirements are
+                                                                ANDed.
                                                               type: array
                                                               items:
-                                                                description: A label selector
-                                                                  requirement is a selector
-                                                                  that contains values,
+                                                                description: A label
+                                                                  selector requirement
+                                                                  is a selector that
+                                                                  contains values,
                                                                   a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
+                                                                  that relates the
+                                                                  key and values.
                                                                 type: object
                                                                 required:
                                                                 - key
                                                                 - operator
                                                                 properties:
                                                                   key:
-                                                                    description: key is
-                                                                      the label key that
-                                                                      the selector applies
+                                                                    description: key
+                                                                      is the label
+                                                                      key that the
+                                                                      selector applies
                                                                       to.
                                                                     type: string
                                                                   operator:
                                                                     description: operator
-                                                                      represents a key's
-                                                                      relationship to
-                                                                      a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists
+                                                                      represents a
+                                                                      key's relationship
+                                                                      to a set of
+                                                                      values. Valid
+                                                                      operators are
+                                                                      In, NotIn, Exists
                                                                       and DoesNotExist.
                                                                     type: string
                                                                   values:
                                                                     description: values
-                                                                      is an array of string
-                                                                      values. If the operator
+                                                                      is an array
+                                                                      of string values.
+                                                                      If the operator
                                                                       is In or NotIn,
                                                                       the values array
                                                                       must be non-empty.
                                                                       If the operator
-                                                                      is Exists or DoesNotExist,
+                                                                      is Exists or
+                                                                      DoesNotExist,
                                                                       the values array
-                                                                      must be empty. This
-                                                                      array is replaced
-                                                                      during a strategic
+                                                                      must be empty.
+                                                                      This array is
+                                                                      replaced during
+                                                                      a strategic
                                                                       merge patch.
                                                                     type: array
                                                                     items:
@@ -1388,246 +1298,332 @@ spec:
                                                               description: matchLabels
                                                                 is a map of {key,value}
                                                                 pairs. A single {key,value}
-                                                                in the matchLabels map
-                                                                is equivalent to an element
-                                                                of matchExpressions, whose
-                                                                key field is "key", the
-                                                                operator is "In", and
-                                                                the values array contains
-                                                                only "value". The requirements
+                                                                in the matchLabels
+                                                                map is equivalent
+                                                                to an element of matchExpressions,
+                                                                whose key field is
+                                                                "key", the operator
+                                                                is "In", and the values
+                                                                array contains only
+                                                                "value". The requirements
                                                                 are ANDed.
                                                               type: object
                                                               additionalProperties:
                                                                 type: string
                                                         namespaces:
-                                                          description: namespaces specifies
-                                                            which namespaces the labelSelector
-                                                            applies to (matches against);
-                                                            null or empty list means "this
-                                                            pod's namespace"
+                                                          description: namespaces
+                                                            specifies which namespaces
+                                                            the labelSelector applies
+                                                            to (matches against);
+                                                            null or empty list means
+                                                            "this pod's namespace"
                                                           type: array
                                                           items:
                                                             type: string
                                                         topologyKey:
                                                           description: This pod should
-                                                            be co-located (affinity) or
-                                                            not co-located (anti-affinity)
-                                                            with the pods matching the
-                                                            labelSelector in the specified
-                                                            namespaces, where co-located
-                                                            is defined as running on a
-                                                            node whose value of the label
-                                                            with key topologyKey matches
+                                                            be co-located (affinity)
+                                                            or not co-located (anti-affinity)
+                                                            with the pods matching
+                                                            the labelSelector in the
+                                                            specified namespaces,
+                                                            where co-located is defined
+                                                            as running on a node whose
+                                                            value of the label with
+                                                            key topologyKey matches
                                                             that of any node on which
-                                                            any of the selected pods is
-                                                            running. Empty topologyKey
+                                                            any of the selected pods
+                                                            is running. Empty topologyKey
                                                             is not allowed.
                                                           type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which
-                                              must be true for the pod to fit on a node.
-                                              Selector which must match a node''s labels
-                                              for the pod to be scheduled on that node.
-                                              More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
+                                                    weight:
+                                                      description: weight associated
+                                                        with matching the corresponding
+                                                        podAffinityTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the anti-affinity
+                                                  requirements specified by this field
+                                                  are not met at scheduling time,
+                                                  the pod will not be scheduled onto
+                                                  the node. If the anti-affinity requirements
+                                                  specified by this field cease to
+                                                  be met at some point during pod
+                                                  execution (e.g. due to a pod label
+                                                  update), the system may or may not
+                                                  try to eventually evict the pod
+                                                  from its node. When there are multiple
+                                                  elements, the lists of nodes corresponding
+                                                  to each podAffinityTerm are intersected,
+                                                  i.e. all terms must be satisfied.
+                                                type: array
+                                                items:
+                                                  description: Defines a set of pods
+                                                    (namely those matching the labelSelector
+                                                    relative to the given namespace(s))
+                                                    that this pod should be co-located
+                                                    (affinity) or not co-located (anti-affinity)
+                                                    with, where co-located is defined
+                                                    as running on a node whose value
+                                                    of the label with key <topologyKey>
+                                                    matches that of any node on which
+                                                    a pod of the set of pods is running
+                                                  type: object
+                                                  required:
+                                                  - topologyKey
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          type: array
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchLabels:
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                          additionalProperties:
+                                                            type: string
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      type: array
+                                                      items:
+                                                        type: string
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                      nodeSelector:
+                                        description: 'NodeSelector is a selector which
+                                          must be true for the pod to fit on a node.
+                                          Selector which must match a node''s labels
+                                          for the pod to be scheduled on that node.
+                                          More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                      tolerations:
+                                        description: If specified, the pod's tolerations.
+                                        type: array
+                                        items:
+                                          description: The pod this Toleration is
+                                            attached to tolerates any taint that matches
+                                            the triple <key,value,effect> using the
+                                            matching operator <operator>.
+                                          type: object
+                                          properties:
+                                            effect:
+                                              description: Effect indicates the taint
+                                                effect to match. Empty means match
+                                                all taint effects. When specified,
+                                                allowed values are NoSchedule, PreferNoSchedule
+                                                and NoExecute.
                                               type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is
-                                                attached to tolerates any taint that matches
-                                                the triple <key,value,effect> using the
-                                                matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint
-                                                    effect to match. Empty means match
-                                                    all taint effects. When specified,
-                                                    allowed values are NoSchedule, PreferNoSchedule
-                                                    and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that
-                                                    the toleration applies to. Empty means
-                                                    match all taint keys. If the key is
-                                                    empty, operator must be Exists; this
-                                                    combination means to match all values
-                                                    and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's
-                                                    relationship to the value. Valid operators
-                                                    are Exists and Equal. Defaults to
-                                                    Equal. Exists is equivalent to wildcard
-                                                    for value, so that a pod can tolerate
-                                                    all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents
-                                                    the period of time the toleration
-                                                    (which must be of effect NoExecute,
-                                                    otherwise this field is ignored) tolerates
-                                                    the taint. By default, it is not set,
-                                                    which means tolerate the taint forever
-                                                    (do not evict). Zero and negative
-                                                    values will be treated as 0 (evict
-                                                    immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value
-                                                    the toleration matches to. If the
-                                                    operator is Exists, the value should
-                                                    be empty, otherwise just a regular
-                                                    string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes
-                                      solver service
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate
-                              resource that should be solved using this challenge solver.
+                                            key:
+                                              description: Key is the taint key that
+                                                the toleration applies to. Empty means
+                                                match all taint keys. If the key is
+                                                empty, operator must be Exists; this
+                                                combination means to match all values
+                                                and all keys.
+                                              type: string
+                                            operator:
+                                              description: Operator represents a key's
+                                                relationship to the value. Valid operators
+                                                are Exists and Equal. Defaults to
+                                                Equal. Exists is equivalent to wildcard
+                                                for value, so that a pod can tolerate
+                                                all taints of a particular category.
+                                              type: string
+                                            tolerationSeconds:
+                                              description: TolerationSeconds represents
+                                                the period of time the toleration
+                                                (which must be of effect NoExecute,
+                                                otherwise this field is ignored) tolerates
+                                                the taint. By default, it is not set,
+                                                which means tolerate the taint forever
+                                                (do not evict). Zero and negative
+                                                values will be treated as 0 (evict
+                                                immediately) by the system.
+                                              type: integer
+                                              format: int64
+                                            value:
+                                              description: Value is the taint value
+                                                the toleration matches to. If the
+                                                operator is Exists, the value should
+                                                be empty, otherwise just a regular
+                                                string.
+                                              type: string
+                              serviceType:
+                                description: Optional service type for Kubernetes
+                                  solver service
+                                type: string
+                      selector:
+                        description: Selector selects a set of DNSNames on the Certificate
+                          resource that should be solved using this challenge solver.
+                        type: object
+                        properties:
+                          dnsNames:
+                            description: List of DNSNames that this solver will be
+                              used to solve. If specified and a match is found, a
+                              dnsNames selector will take precedence over a dnsZones
+                              selector. If multiple solvers match with the same dnsNames
+                              value, the solver with the most matching labels in matchLabels
+                              will be selected. If neither has more matches, the solver
+                              defined earlier in the list will be selected.
+                            type: array
+                            items:
+                              type: string
+                          dnsZones:
+                            description: List of DNSZones that this solver will be
+                              used to solve. The most specific DNS zone match specified
+                              here will take precedence over other DNS zone matches,
+                              so a solver specifying sys.example.com will be selected
+                              over one specifying example.com for the domain www.sys.example.com.
+                              If multiple solvers match with the same dnsZones value,
+                              the solver with the most matching labels in matchLabels
+                              will be selected. If neither has more matches, the solver
+                              defined earlier in the list will be selected.
+                            type: array
+                            items:
+                              type: string
+                          matchLabels:
+                            description: A label selector that is used to refine the
+                              set of certificate's that this challenge solver will
+                              apply to.
                             type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be
-                                  used to solve. If specified and a match is found, a
-                                  dnsNames selector will take precedence over a dnsZones
-                                  selector. If multiple solvers match with the same dnsNames
-                                  value, the solver with the most matching labels in matchLabels
-                                  will be selected. If neither has more matches, the solver
-                                  defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be
-                                  used to solve. The most specific DNS zone match specified
-                                  here will take precedence over other DNS zone matches,
-                                  so a solver specifying sys.example.com will be selected
-                                  over one specifying example.com for the domain www.sys.example.com.
-                                  If multiple solvers match with the same dnsZones value,
-                                  the solver with the most matching labels in matchLabels
-                                  will be selected. If neither has more matches, the solver
-                                  defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the
-                                  set of certificate's that this challenge solver will
-                                  apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  type: object
-                  required:
-                  - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate
-                        extension which identifies the location of the CRL from which
-                        the revocation of this certificate can be checked. If not set
-                        certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates
-                        issued by this Issuer.
-                      type: string
-                selfSigned:
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate
-                        extension which identifies the location of the CRL from which
-                        the revocation of this certificate can be checked. If not set
-                        certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
+                            additionalProperties:
+                              type: string
+            ca:
+              type: object
+              required:
+              - secretName
+              properties:
+                crlDistributionPoints:
+                  description: The CRL distribution points is an X.509 v3 certificate
+                    extension which identifies the location of the CRL from which
+                    the revocation of this certificate can be checked. If not set
+                    certificate will be issued without CDP. Values are strings.
+                  type: array
+                  items:
+                    type: string
+                secretName:
+                  description: SecretName is the name of the secret used to sign Certificates
+                    issued by this Issuer.
+                  type: string
+            selfSigned:
+              type: object
+              properties:
+                crlDistributionPoints:
+                  description: The CRL distribution points is an X.509 v3 certificate
+                    extension which identifies the location of the CRL from which
+                    the revocation of this certificate can be checked. If not set
+                    certificate will be issued without CDP. Values are strings.
+                  type: array
+                  items:
+                    type: string
+            vault:
+              type: object
+              required:
+              - auth
+              - path
+              - server
+              properties:
+                auth:
+                  description: Vault authentication
                   type: object
-                  required:
-                  - auth
-                  - path
-                  - server
                   properties:
-                    auth:
-                      description: Vault authentication
+                    appRole:
+                      description: This Secret contains a AppRole and Secret
                       type: object
+                      required:
+                      - path
+                      - roleId
+                      - secretRef
                       properties:
-                        appRole:
-                          description: This Secret contains a AppRole and Secret
-                          type: object
-                          required:
-                          - path
-                          - roleId
-                          - secretRef
-                          properties:
-                            path:
-                              description: Where the authentication path is mounted in
-                                Vault.
-                              type: string
-                            roleId:
-                              type: string
-                            secretRef:
-                              type: object
-                              required:
-                              - name
-                              properties:
-                                key:
-                                  description: The key of the secret to select from. Must
-                                    be a valid secret key.
-                                  type: string
-                                name:
-                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?'
-                                  type: string
-                        kubernetes:
-                          description: This contains a Role and Secret with a ServiceAccount
-                            token to authenticate with vault.
-                          type: object
-                          required:
-                          - role
-                          - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path
-                                to use when authenticating with Vault. For example, setting
-                                a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
-                                to authenticate with Vault. If unspecified, the default
-                                value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role
-                                to assume. A Role binds a Kubernetes ServiceAccount with
-                                a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes
-                                ServiceAccount JWT used for authenticating with Vault.
-                                Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                              - name
-                              properties:
-                                key:
-                                  description: The key of the secret to select from. Must
-                                    be a valid secret key.
-                                  type: string
-                                name:
-                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?'
-                                  type: string
-                        tokenSecretRef:
-                          description: This Secret contains the Vault token key
+                        path:
+                          description: Where the authentication path is mounted in
+                            Vault.
+                          type: string
+                        roleId:
+                          type: string
+                        secretRef:
                           type: object
                           required:
                           - name
@@ -1640,36 +1636,30 @@ spec:
                               description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                 TODO: Add other useful fields. apiVersion, kind, uid?'
                               type: string
-                    caBundle:
-                      description: Base64 encoded CA bundle to validate Vault server certificate.
-                        Only used if the Server URL is using HTTPS protocol. This parameter
-                        is ignored for plain HTTP protocol connection. If not set the
-                        system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    path:
-                      description: Vault URL path to the certificate role
-                      type: string
-                    server:
-                      description: Server is the vault connection address
-                      type: string
-                venafi:
-                  description: VenafiIssuer describes issuer configuration details for
-                    Venafi Cloud.
-                  type: object
-                  required:
-                  - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings.
-                        Only one of TPP or Cloud may be specified.
+                    kubernetes:
+                      description: This contains a Role and Secret with a ServiceAccount
+                        token to authenticate with vault.
                       type: object
                       required:
-                      - apiTokenSecretRef
+                      - role
+                      - secretRef
                       properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for
-                            the Venafi Cloud API token.
+                        mountPath:
+                          description: The Vault mountPath here is the mount path
+                            to use when authenticating with Vault. For example, setting
+                            a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
+                            to authenticate with Vault. If unspecified, the default
+                            value "/v1/auth/kubernetes" will be used.
+                          type: string
+                        role:
+                          description: A required field containing the Vault Role
+                            to assume. A Role binds a Kubernetes ServiceAccount with
+                            a set of Vault policies.
+                          type: string
+                        secretRef:
+                          description: The required Secret field containing a Kubernetes
+                            ServiceAccount JWT used for authenticating with Vault.
+                            Use of 'ambient credentials' is not supported.
                           type: object
                           required:
                           - name
@@ -1682,93 +1672,149 @@ spec:
                               description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                 TODO: Add other useful fields. apiVersion, kind, uid?'
                               type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration
-                        settings. Only one of TPP or Cloud may be specified.
+                    tokenSecretRef:
+                      description: This Secret contains the Vault token key
                       type: object
                       required:
-                      - credentialsRef
-                      - url
+                      - name
                       properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use
-                            to verify connections to the TPP instance. If specified, system
-                            roots will not be used and the issuing CA for the TPP instance
-                            must be verifiable using the provided root. If not specified,
-                            the connection will be verified using the cert-manager system
-                            root certificates.
+                        key:
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
                           type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing
-                            the username and password for the TPP server. The secret must
-                            contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                        url:
-                          description: URL is the base URL for the Venafi TPP instance
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
                           type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer.
-                        All requests made to the Venafi platform will be restricted by
-                        the named zone policy. This field is required.
-                      type: string
-            status:
-              description: IssuerStatus contains status information about an Issuer
+                caBundle:
+                  description: Base64 encoded CA bundle to validate Vault server certificate.
+                    Only used if the Server URL is using HTTPS protocol. This parameter
+                    is ignored for plain HTTP protocol connection. If not set the
+                    system root certificates are used to validate the TLS connection.
+                  type: string
+                  format: byte
+                path:
+                  description: Vault URL path to the certificate role
+                  type: string
+                server:
+                  description: Server is the vault connection address
+                  type: string
+            venafi:
+              description: VenafiIssuer describes issuer configuration details for
+                Venafi Cloud.
               type: object
+              required:
+              - zone
               properties:
-                acme:
+                cloud:
+                  description: Cloud specifies the Venafi cloud configuration settings.
+                    Only one of TPP or Cloud may be specified.
+                  type: object
+                  required:
+                  - apiTokenSecretRef
+                  properties:
+                    apiTokenSecretRef:
+                      description: APITokenSecretRef is a secret key selector for
+                        the Venafi Cloud API token.
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        key:
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                    url:
+                      description: URL is the base URL for Venafi Cloud
+                      type: string
+                tpp:
+                  description: TPP specifies Trust Protection Platform configuration
+                    settings. Only one of TPP or Cloud may be specified.
                   type: object
+                  required:
+                  - credentialsRef
+                  - url
                   properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the
-                        latest registered ACME account, in order to track changes made
-                        to registered account associated with the  Issuer
+                    caBundle:
+                      description: CABundle is a PEM encoded TLS certificate to use
+                        to verify connections to the TPP instance. If specified, system
+                        roots will not be used and the issuing CA for the TPP instance
+                        must be verifiable using the provided root. If not specified,
+                        the connection will be verified using the cert-manager system
+                        root certificates.
                       type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also
-                        be used to retrieve account details from the CA
+                      format: byte
+                    credentialsRef:
+                      description: CredentialsRef is a reference to a Secret containing
+                        the username and password for the TPP server. The secret must
+                        contain two keys, 'username' and 'password'.
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                    url:
+                      description: URL is the base URL for the Venafi TPP instance
                       type: string
-                conditions:
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an
-                      Issuer.
-                    type: object
-                    required:
-                    - status
-                    - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding
-                          to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details
-                          of the last transition, complementing reason.
-                        type: string
-                      reason:
-                        description: Reason is a brief machine readable explanation for
-                          the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of ('True', 'False',
-                          'Unknown').
-                        type: string
-                        enum:
-                        - "True"
-                        - "False"
-                        - Unknown
-                      type:
-                        description: Type of the condition, currently ('Ready').
-                        type: string
\ No newline at end of file
+                zone:
+                  description: Zone is the Venafi Policy Zone to use for this issuer.
+                    All requests made to the Venafi platform will be restricted by
+                    the named zone policy. This field is required.
+                  type: string
+        status:
+          description: IssuerStatus contains status information about an Issuer
+          type: object
+          properties:
+            acme:
+              type: object
+              properties:
+                lastRegisteredEmail:
+                  description: LastRegisteredEmail is the email associated with the
+                    latest registered ACME account, in order to track changes made
+                    to registered account associated with the  Issuer
+                  type: string
+                uri:
+                  description: URI is the unique account identifier, which can also
+                    be used to retrieve account details from the CA
+                  type: string
+            conditions:
+              type: array
+              items:
+                description: IssuerCondition contains condition information for an
+                  Issuer.
+                type: object
+                required:
+                - status
+                - type
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp corresponding
+                      to the last status change of this condition.
+                    type: string
+                    format: date-time
+                  message:
+                    description: Message is a human readable description of the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 'False',
+                      'Unknown').
+                    type: string
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
index f393168ff1d575ff3f28d160c5468901184637f0..f7f5b58230697372e355c70cf8a99d242bfa8058 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2
@@ -1,1102 +1,1012 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
-apiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: issuers.certmanager.k8s.io
+  name: issuers.cert-manager.io
   annotations:
-    "helm.sh/hook": crd-install
-    "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update"
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
-  group: certmanager.k8s.io
-  scope: Namespaced
+  additionalPrinterColumns:
+  - JSONPath: .status.conditions[?(@.type=="Ready")].status
+    name: Ready
+    type: string
+  - JSONPath: .status.conditions[?(@.type=="Ready")].message
+    name: Status
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
   names:
     kind: Issuer
+    listKind: IssuerList
     plural: issuers
+    singular: issuer
+  scope: Namespaced
+  subresources:
+    status: {}
   versions:
-  - name: v1alpha1
+  - name: v1alpha2
     served: true
     storage: true
-    schema:
-      openAPIV3Schema:
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      type: object
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: IssuerSpec is the specification of an Issuer. This includes
+            any configuration required for the issuer.
           type: object
           properties:
-            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation
-                of an object. Servers should convert recognized schemas to the latest
-                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-              type: string
-            kind:
-              description: 'Kind is a string value representing the REST resource this
-                object represents. Servers may infer this from the endpoint the client
-                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: IssuerSpec is the specification of an Issuer. This includes
-                any configuration required for the issuer.
+            acme:
+              description: ACMEIssuer contains the specification for an ACME issuer
               type: object
+              required:
+              - privateKeySecretRef
+              - server
               properties:
-                acme:
-                  description: ACMEIssuer contains the specification for an ACME issuer
+                email:
+                  description: Email is the email for this account
+                  type: string
+                externalAccountBinding:
+                  description: ExternalAccountBinding is a reference to a CA external
+                    account of the ACME server.
                   type: object
                   required:
-                  - privateKeySecretRef
-                  - server
+                  - keyAlgorithm
+                  - keyID
+                  - keySecretRef
                   properties:
-                    email:
-                      description: Email is the email for this account
+                    keyAlgorithm:
+                      description: keyAlgorithm is the MAC key algorithm that the
+                        key is used for. Valid values are "HS256", "HS384" and "HS512".
                       type: string
-                    externalAccountBinding:
-                      description: ExternalAccountBinding is a reference to a CA external
-                        account of the ACME server.
-                      type: object
-                      required:
-                      - keyAlgorithm
-                      - keyID
-                      - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: keyAlgorithm is the MAC key algorithm that the
-                            key is used for. Valid values are "HS256", "HS384" and "HS512".
-                          type: string
-                          enum:
-                          - HS256
-                          - HS384
-                          - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External
-                            Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: keySecretRef is a Secret Key Selector referencing
-                            a data item in a Kubernetes Secret which holds the symmetric
-                            MAC key of the External Account Binding. The `key` is the
-                            index string that is paired with the key data in the Secret
-                            and should not be confused with the key data itself, or indeed
-                            with the External Account Binding keyID above. The secret
-                            key stored in the Secret **must** be un-padded, base64 URL
-                            encoded data.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            key:
-                              description: The key of the secret to select from. Must
-                                be a valid secret key.
-                              type: string
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                    privateKeySecretRef:
-                      description: PrivateKey is the name of a secret containing the private
-                        key for this user account.
+                      enum:
+                      - HS256
+                      - HS384
+                      - HS512
+                    keyID:
+                      description: keyID is the ID of the CA key that the External
+                        Account is bound to.
+                      type: string
+                    keySecretRef:
+                      description: keySecretRef is a Secret Key Selector referencing
+                        a data item in a Kubernetes Secret which holds the symmetric
+                        MAC key of the External Account Binding. The `key` is the
+                        index string that is paired with the key data in the Secret
+                        and should not be confused with the key data itself, or indeed
+                        with the External Account Binding keyID above. The secret
+                        key stored in the Secret **must** be un-padded, base64 URL
+                        encoded data.
                       type: object
                       required:
                       - name
                       properties:
                         key:
-                          description: The key of the secret to select from. Must be a
-                            valid secret key.
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
                           type: string
                         name:
                           description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                             TODO: Add other useful fields. apiVersion, kind, uid?'
                           type: string
-                    server:
-                      description: Server is the ACME server URL
+                privateKeySecretRef:
+                  description: PrivateKey is the name of a secret containing the private
+                    key for this user account.
+                  type: object
+                  required:
+                  - name
+                  properties:
+                    key:
+                      description: The key of the secret to select from. Must be a
+                        valid secret key.
                       type: string
-                    skipTLSVerify:
-                      description: If true, skip verifying the ACME server TLS certificate
-                      type: boolean
-                    solvers:
-                      description: Solvers is a list of challenge solvers that will be
-                        used to solve ACME challenges for the matching domains.
-                      type: array
-                      items:
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
+                      type: string
+                server:
+                  description: Server is the ACME server URL
+                  type: string
+                skipTLSVerify:
+                  description: If true, skip verifying the ACME server TLS certificate
+                  type: boolean
+                solvers:
+                  description: Solvers is a list of challenge solvers that will be
+                    used to solve ACME challenges for the matching domains.
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      dns01:
                         type: object
                         properties:
-                          dns01:
+                          acmedns:
+                            description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
+                              containing the configuration for ACME-DNS servers
                             type: object
+                            required:
+                            - accountSecretRef
+                            - host
                             properties:
-                              acmedns:
-                                description: ACMEIssuerDNS01ProviderAcmeDNS is a structure
-                                  containing the configuration for ACME-DNS servers
+                              accountSecretRef:
                                 type: object
                                 required:
-                                - accountSecretRef
-                                - host
+                                - name
                                 properties:
-                                  accountSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  host:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                              akamai:
-                                description: ACMEIssuerDNS01ProviderAkamai is a structure
-                                  containing the DNS configuration for Akamai DNS—Zone
-                                  Record Management API
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              host:
+                                type: string
+                          akamai:
+                            description: ACMEIssuerDNS01ProviderAkamai is a structure
+                              containing the DNS configuration for Akamai DNS—Zone
+                              Record Management API
+                            type: object
+                            required:
+                            - accessTokenSecretRef
+                            - clientSecretSecretRef
+                            - clientTokenSecretRef
+                            - serviceConsumerDomain
+                            properties:
+                              accessTokenSecretRef:
                                 type: object
                                 required:
-                                - accessTokenSecretRef
-                                - clientSecretSecretRef
-                                - clientTokenSecretRef
-                                - serviceConsumerDomain
+                                - name
                                 properties:
-                                  accessTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  clientSecretSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  clientTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  serviceConsumerDomain:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                              azuredns:
-                                description: ACMEIssuerDNS01ProviderAzureDNS is a structure
-                                  containing the configuration for Azure DNS
+                              clientSecretSecretRef:
                                 type: object
                                 required:
-                                - resourceGroupName
-                                - subscriptionID
+                                - name
                                 properties:
-                                  clientID:
-                                    description: if both this and ClientSecret are left
-                                      unset MSI will be used
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: if both this and ClientID are left unset
-                                      MSI will be used
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  environment:
-                                    type: string
-                                    enum:
-                                    - AzurePublicCloud
-                                    - AzureChinaCloud
-                                    - AzureGermanCloud
-                                    - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    type: string
-                                  resourceGroupName:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  subscriptionID:
-                                    type: string
-                                  tenantID:
-                                    description: when specifying ClientID and ClientSecret
-                                      then this field is also needed
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                              clouddns:
-                                description: ACMEIssuerDNS01ProviderCloudDNS is a structure
-                                  containing the DNS configuration for Google Cloud DNS
+                              clientTokenSecretRef:
                                 type: object
                                 required:
-                                - project
+                                - name
                                 properties:
-                                  project:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  serviceAccountSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              cloudflare:
-                                description: ACMEIssuerDNS01ProviderCloudflare is a structure
-                                  containing the DNS configuration for Cloudflare
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                              serviceConsumerDomain:
+                                type: string
+                          azuredns:
+                            description: ACMEIssuerDNS01ProviderAzureDNS is a structure
+                              containing the configuration for Azure DNS
+                            type: object
+                            required:
+                            - resourceGroupName
+                            - subscriptionID
+                            properties:
+                              clientID:
+                                description: if both this and ClientSecret are left
+                                  unset MSI will be used
+                                type: string
+                              clientSecretSecretRef:
+                                description: if both this and ClientID are left unset
+                                  MSI will be used
                                 type: object
                                 required:
-                                - email
+                                - name
                                 properties:
-                                  apiKeySecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  apiTokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                                  email:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                              cnameStrategy:
-                                description: CNAMEStrategy configures how the DNS01 provider
-                                  should handle CNAME records when found in DNS zones.
+                              environment:
                                 type: string
                                 enum:
-                                - None
-                                - Follow
-                              digitalocean:
-                                description: ACMEIssuerDNS01ProviderDigitalOcean is a
-                                  structure containing the DNS configuration for DigitalOcean
-                                  Domains
+                                - AzurePublicCloud
+                                - AzureChinaCloud
+                                - AzureGermanCloud
+                                - AzureUSGovernmentCloud
+                              hostedZoneName:
+                                type: string
+                              resourceGroupName:
+                                type: string
+                              subscriptionID:
+                                type: string
+                              tenantID:
+                                description: when specifying ClientID and ClientSecret
+                                  then this field is also needed
+                                type: string
+                          clouddns:
+                            description: ACMEIssuerDNS01ProviderCloudDNS is a structure
+                              containing the DNS configuration for Google Cloud DNS
+                            type: object
+                            required:
+                            - project
+                            properties:
+                              project:
+                                type: string
+                              serviceAccountSecretRef:
                                 type: object
                                 required:
-                                - tokenSecretRef
+                                - name
                                 properties:
-                                  tokenSecretRef:
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              rfc2136:
-                                description: ACMEIssuerDNS01ProviderRFC2136 is a structure
-                                  containing the configuration for RFC2136 DNS
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
+                                    type: string
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          cloudflare:
+                            description: ACMEIssuerDNS01ProviderCloudflare is a structure
+                              containing the DNS configuration for Cloudflare
+                            type: object
+                            required:
+                            - email
+                            properties:
+                              apiKeySecretRef:
                                 type: object
                                 required:
-                                - nameserver
+                                - name
                                 properties:
-                                  nameserver:
-                                    description: The IP address or hostname of an authoritative
-                                      DNS server supporting RFC2136 in the form host:port.
-                                      If the host is an IPv6 address it must be enclosed
-                                      in square brackets (e.g [2001:db8::1]) ; port is
-                                      optional. This field is required.
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  tsigAlgorithm:
-                                    description: 'The TSIG Algorithm configured in the
-                                      DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
-                                      and ``tsigKeyName`` are defined. Supported values
-                                      are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
-                                      ``HMACSHA256`` or ``HMACSHA512``.'
-                                    type: string
-                                  tsigKeyName:
-                                    description: The TSIG Key name configured in the DNS.
-                                      If ``tsigSecretSecretRef`` is defined, this field
-                                      is required.
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                                  tsigSecretSecretRef:
-                                    description: The name of the secret containing the
-                                      TSIG value. If ``tsigKeyName`` is defined, this
-                                      field is required.
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              route53:
-                                description: ACMEIssuerDNS01ProviderRoute53 is a structure
-                                  containing the Route 53 configuration for AWS
+                              apiTokenSecretRef:
                                 type: object
                                 required:
-                                - region
+                                - name
                                 properties:
-                                  accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication.
-                                      If not set we fall-back to using env vars, shared
-                                      credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only
-                                      this zone in Route53 and will not do an lookup using
-                                      the route53:ListHostedZonesByName api call.
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID
-                                      and SecretAccessKey
+                              email:
+                                type: string
+                          cnameStrategy:
+                            description: CNAMEStrategy configures how the DNS01 provider
+                              should handle CNAME records when found in DNS zones.
+                            type: string
+                            enum:
+                            - None
+                            - Follow
+                          digitalocean:
+                            description: ACMEIssuerDNS01ProviderDigitalOcean is a
+                              structure containing the DNS configuration for DigitalOcean
+                              Domains
+                            type: object
+                            required:
+                            - tokenSecretRef
+                            properties:
+                              tokenSecretRef:
+                                type: object
+                                required:
+                                - name
+                                properties:
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  role:
-                                    description: Role is a Role ARN which the Route53
-                                      provider will assume using either the explicit credentials
-                                      AccessKeyID/SecretAccessKey or the inferred credentials
-                                      from environment variables, shared credentials file
-                                      or AWS Instance metadata
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                                  secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication.
-                                      If not set we fall-back to using env vars, shared
-                                      credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                    - name
-                                    properties:
-                                      key:
-                                        description: The key of the secret to select from.
-                                          Must be a valid secret key.
-                                        type: string
-                                      name:
-                                        description: 'Name of the referent. More info:
-                                          https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                          TODO: Add other useful fields. apiVersion, kind,
-                                          uid?'
-                                        type: string
-                              webhook:
-                                description: ACMEIssuerDNS01ProviderWebhook specifies
-                                  configuration for a webhook DNS01 provider, including
-                                  where to POST ChallengePayload resources.
+                          rfc2136:
+                            description: ACMEIssuerDNS01ProviderRFC2136 is a structure
+                              containing the configuration for RFC2136 DNS
+                            type: object
+                            required:
+                            - nameserver
+                            properties:
+                              nameserver:
+                                description: The IP address or hostname of an authoritative
+                                  DNS server supporting RFC2136 in the form host:port.
+                                  If the host is an IPv6 address it must be enclosed
+                                  in square brackets (e.g [2001:db8::1]) ; port is
+                                  optional. This field is required.
+                                type: string
+                              tsigAlgorithm:
+                                description: 'The TSIG Algorithm configured in the
+                                  DNS supporting RFC2136. Used only when ``tsigSecretSecretRef``
+                                  and ``tsigKeyName`` are defined. Supported values
+                                  are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``,
+                                  ``HMACSHA256`` or ``HMACSHA512``.'
+                                type: string
+                              tsigKeyName:
+                                description: The TSIG Key name configured in the DNS.
+                                  If ``tsigSecretSecretRef`` is defined, this field
+                                  is required.
+                                type: string
+                              tsigSecretSecretRef:
+                                description: The name of the secret containing the
+                                  TSIG value. If ``tsigKeyName`` is defined, this
+                                  field is required.
                                 type: object
                                 required:
-                                - groupName
-                                - solverName
+                                - name
                                 properties:
-                                  config:
-                                    description: Additional configuration that should
-                                      be passed to the webhook apiserver when challenges
-                                      are processed. This can contain arbitrary JSON data.
-                                      Secret values should not be specified in this stanza.
-                                      If secret values are needed (e.g. credentials for
-                                      a DNS service), you should use a SecretKeySelector
-                                      to reference a Secret resource. For details on the
-                                      schema of this field, consult the webhook provider
-                                      implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: The API group name that should be used
-                                      when POSTing ChallengePayload resources to the webhook
-                                      apiserver. This should be the same as the GroupName
-                                      specified in the webhook provider implementation.
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  solverName:
-                                    description: The name of the solver to use, as defined
-                                      in the webhook provider implementation. This will
-                                      typically be the name of the provider, e.g. 'cloudflare'.
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
                                     type: string
-                          http01:
-                            description: ACMEChallengeSolverHTTP01 contains configuration
-                              detailing how to solve HTTP01 challenges within a Kubernetes
-                              cluster. Typically this is accomplished through creating
-                              'routes' of some description that configure ingress controllers
-                              to direct traffic to 'solver pods', which are responsible
-                              for responding to the ACME server's HTTP requests.
+                          route53:
+                            description: ACMEIssuerDNS01ProviderRoute53 is a structure
+                              containing the Route 53 configuration for AWS
                             type: object
+                            required:
+                            - region
                             properties:
-                              ingress:
-                                description: The ingress based HTTP01 challenge solver
-                                  will solve challenges by creating or modifying Ingress
-                                  resources in order to route requests for '/.well-known/acme-challenge/XYZ'
-                                  to 'challenge solver' pods that are provisioned by cert-manager
-                                  for each Challenge to be completed.
+                              accessKeyID:
+                                description: 'The AccessKeyID is used for authentication.
+                                  If not set we fall-back to using env vars, shared
+                                  credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                type: string
+                              hostedZoneID:
+                                description: If set, the provider will manage only
+                                  this zone in Route53 and will not do an lookup using
+                                  the route53:ListHostedZonesByName api call.
+                                type: string
+                              region:
+                                description: Always set the region when using AccessKeyID
+                                  and SecretAccessKey
+                                type: string
+                              role:
+                                description: Role is a Role ARN which the Route53
+                                  provider will assume using either the explicit credentials
+                                  AccessKeyID/SecretAccessKey or the inferred credentials
+                                  from environment variables, shared credentials file
+                                  or AWS Instance metadata
+                                type: string
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication.
+                                  If not set we fall-back to using env vars, shared
+                                  credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                                 type: object
+                                required:
+                                - name
                                 properties:
-                                  class:
-                                    description: The ingress class to use when creating
-                                      Ingress resources to solve ACME challenges that
-                                      use this challenge solver. Only one of 'class' or
-                                      'name' may be specified.
+                                  key:
+                                    description: The key of the secret to select from.
+                                      Must be a valid secret key.
                                     type: string
-                                  ingressTemplate:
-                                    description: Optional ingress template used to configure
-                                      the ACME challenge solver ingress used for HTTP01
-                                      challenges
+                                  name:
+                                    description: 'Name of the referent. More info:
+                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      TODO: Add other useful fields. apiVersion, kind,
+                                      uid?'
+                                    type: string
+                          webhook:
+                            description: ACMEIssuerDNS01ProviderWebhook specifies
+                              configuration for a webhook DNS01 provider, including
+                              where to POST ChallengePayload resources.
+                            type: object
+                            required:
+                            - groupName
+                            - solverName
+                            properties:
+                              config:
+                                description: Additional configuration that should
+                                  be passed to the webhook apiserver when challenges
+                                  are processed. This can contain arbitrary JSON data.
+                                  Secret values should not be specified in this stanza.
+                                  If secret values are needed (e.g. credentials for
+                                  a DNS service), you should use a SecretKeySelector
+                                  to reference a Secret resource. For details on the
+                                  schema of this field, consult the webhook provider
+                                  implementation's documentation.
+                                x-kubernetes-preserve-unknown-fields: true
+                              groupName:
+                                description: The API group name that should be used
+                                  when POSTing ChallengePayload resources to the webhook
+                                  apiserver. This should be the same as the GroupName
+                                  specified in the webhook provider implementation.
+                                type: string
+                              solverName:
+                                description: The name of the solver to use, as defined
+                                  in the webhook provider implementation. This will
+                                  typically be the name of the provider, e.g. 'cloudflare'.
+                                type: string
+                      http01:
+                        description: ACMEChallengeSolverHTTP01 contains configuration
+                          detailing how to solve HTTP01 challenges within a Kubernetes
+                          cluster. Typically this is accomplished through creating
+                          'routes' of some description that configure ingress controllers
+                          to direct traffic to 'solver pods', which are responsible
+                          for responding to the ACME server's HTTP requests.
+                        type: object
+                        properties:
+                          ingress:
+                            description: The ingress based HTTP01 challenge solver
+                              will solve challenges by creating or modifying Ingress
+                              resources in order to route requests for '/.well-known/acme-challenge/XYZ'
+                              to 'challenge solver' pods that are provisioned by cert-manager
+                              for each Challenge to be completed.
+                            type: object
+                            properties:
+                              class:
+                                description: The ingress class to use when creating
+                                  Ingress resources to solve ACME challenges that
+                                  use this challenge solver. Only one of 'class' or
+                                  'name' may be specified.
+                                type: string
+                              ingressTemplate:
+                                description: Optional ingress template used to configure
+                                  the ACME challenge solver ingress used for HTTP01
+                                  challenges
+                                type: object
+                                properties:
+                                  metadata:
+                                    description: ObjectMeta overrides for the ingress
+                                      used to solve HTTP01 challenges. Only the 'labels'
+                                      and 'annotations' fields may be set. If labels
+                                      or annotations overlap with in-built values,
+                                      the values here will override the in-built values.
                                     type: object
                                     properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the ingress
-                                          used to solve HTTP01 challenges. Only the 'labels'
-                                          and 'annotations' fields may be set. If labels
-                                          or annotations overlap with in-built values,
-                                          the values here will override the in-built values.
+                                      annotations:
+                                        description: Annotations that should be added
+                                          to the created ACME HTTP01 solver ingress.
                                         type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added
-                                              to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to
-                                              the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: The name of the ingress resource that
-                                      should have ACME challenge solving routes inserted
-                                      into it in order to solve HTTP01 challenges. This
-                                      is typically used in conjunction with ingress controllers
-                                      like ingress-gce, which maintains a 1:1 mapping
-                                      between external IPs and ingress resources.
-                                    type: string
-                                  podTemplate:
-                                    description: Optional pod template used to configure
-                                      the ACME challenge solver pods used for HTTP01 challenges
+                                        additionalProperties:
+                                          type: string
+                                      labels:
+                                        description: Labels that should be added to
+                                          the created ACME HTTP01 solver ingress.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                              name:
+                                description: The name of the ingress resource that
+                                  should have ACME challenge solving routes inserted
+                                  into it in order to solve HTTP01 challenges. This
+                                  is typically used in conjunction with ingress controllers
+                                  like ingress-gce, which maintains a 1:1 mapping
+                                  between external IPs and ingress resources.
+                                type: string
+                              podTemplate:
+                                description: Optional pod template used to configure
+                                  the ACME challenge solver pods used for HTTP01 challenges
+                                type: object
+                                properties:
+                                  metadata:
+                                    description: ObjectMeta overrides for the pod
+                                      used to solve HTTP01 challenges. Only the 'labels'
+                                      and 'annotations' fields may be set. If labels
+                                      or annotations overlap with in-built values,
+                                      the values here will override the in-built values.
                                     type: object
                                     properties:
-                                      metadata:
-                                        description: ObjectMeta overrides for the pod
-                                          used to solve HTTP01 challenges. Only the 'labels'
-                                          and 'annotations' fields may be set. If labels
-                                          or annotations overlap with in-built values,
-                                          the values here will override the in-built values.
+                                      annotations:
+                                        description: Annotations that should be added
+                                          to the create ACME HTTP01 solver pods.
                                         type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added
-                                              to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to
-                                              the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: PodSpec defines overrides for the
-                                          HTTP01 challenge solver pod. Only the 'nodeSelector',
-                                          'affinity' and 'tolerations' fields are supported
-                                          currently. All other fields will be ignored.
+                                        additionalProperties:
+                                          type: string
+                                      labels:
+                                        description: Labels that should be added to
+                                          the created ACME HTTP01 solver pods.
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                  spec:
+                                    description: PodSpec defines overrides for the
+                                      HTTP01 challenge solver pod. Only the 'nodeSelector',
+                                      'affinity' and 'tolerations' fields are supported
+                                      currently. All other fields will be ignored.
+                                    type: object
+                                    properties:
+                                      affinity:
+                                        description: If specified, the pod's scheduling
+                                          constraints
                                         type: object
                                         properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling
-                                              constraints
+                                          nodeAffinity:
+                                            description: Describes node affinity scheduling
+                                              rules for the pod.
                                             type: object
                                             properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling
-                                                  rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      affinity expressions, etc.), compute
-                                                      a sum by iterating through the elements
-                                                      of this field and adding "weight"
-                                                      to the sum if the node matches the
-                                                      corresponding matchExpressions;
-                                                      the node(s) with the highest sum
-                                                      are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: An empty preferred
-                                                        scheduling term matches all objects
-                                                        with implicit weight 0 (i.e. it's
-                                                        a no-op). A null preferred scheduling
-                                                        term matches no objects (i.e.
-                                                        is also a no-op).
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  affinity expressions, etc.), compute
+                                                  a sum by iterating through the elements
+                                                  of this field and adding "weight"
+                                                  to the sum if the node matches the
+                                                  corresponding matchExpressions;
+                                                  the node(s) with the highest sum
+                                                  are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: An empty preferred
+                                                    scheduling term matches all objects
+                                                    with implicit weight 0 (i.e. it's
+                                                    a no-op). A null preferred scheduling
+                                                    term matches no objects (i.e.
+                                                    is also a no-op).
+                                                  type: object
+                                                  required:
+                                                  - preference
+                                                  - weight
+                                                  properties:
+                                                    preference:
+                                                      description: A node selector
+                                                        term, associated with the
+                                                        corresponding weight.
                                                       type: object
-                                                      required:
-                                                      - preference
-                                                      - weight
                                                       properties:
-                                                        preference:
-                                                          description: A node selector
-                                                            term, associated with the
-                                                            corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                        weight:
-                                                          description: Weight associated
-                                                            with matching the corresponding
-                                                            nodeSelectorTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements
-                                                      specified by this field are not
-                                                      met at scheduling time, the pod
-                                                      will not be scheduled onto the node.
-                                                      If the affinity requirements specified
-                                                      by this field cease to be met at
-                                                      some point during pod execution
-                                                      (e.g. due to an update), the system
-                                                      may or may not try to eventually
-                                                      evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                    - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list
-                                                          of node selector terms. The
-                                                          terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: A null or empty
-                                                            node selector term matches
-                                                            no objects. The requirements
-                                                            of them are ANDed. The TopologySelectorTerm
-                                                            type implements a subset of
-                                                            the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                            matchFields:
-                                                              description: A list of node
-                                                                selector requirements
-                                                                by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: A node selector
-                                                                  requirement is a selector
-                                                                  that contains values,
-                                                                  a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
-                                                                type: object
-                                                                required:
-                                                                - key
-                                                                - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label
-                                                                      key that the selector
-                                                                      applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: Represents
-                                                                      a key's relationship
-                                                                      to a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists,
-                                                                      DoesNotExist. Gt,
-                                                                      and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: An array
-                                                                      of string values.
-                                                                      If the operator
-                                                                      is In or NotIn,
-                                                                      the values array
-                                                                      must be non-empty.
-                                                                      If the operator
-                                                                      is Exists or DoesNotExist,
-                                                                      the values array
-                                                                      must be empty. If
-                                                                      the operator is
-                                                                      Gt or Lt, the values
-                                                                      array must have
-                                                                      a single element,
-                                                                      which will be interpreted
-                                                                      as an integer. This
-                                                                      array is replaced
-                                                                      during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling
-                                                  rules (e.g. co-locate this pod in the
-                                                  same node, zone, etc. as some other
-                                                  pod(s)).
+                                                        matchExpressions:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's labels.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchFields:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's fields.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                    weight:
+                                                      description: Weight associated
+                                                        with matching the corresponding
+                                                        nodeSelectorTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the affinity requirements
+                                                  specified by this field are not
+                                                  met at scheduling time, the pod
+                                                  will not be scheduled onto the node.
+                                                  If the affinity requirements specified
+                                                  by this field cease to be met at
+                                                  some point during pod execution
+                                                  (e.g. due to an update), the system
+                                                  may or may not try to eventually
+                                                  evict the pod from its node.
                                                 type: object
+                                                required:
+                                                - nodeSelectorTerms
                                                 properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      affinity expressions, etc.), compute
-                                                      a sum by iterating through the elements
-                                                      of this field and adding "weight"
-                                                      to the sum if the node has pods
-                                                      which matches the corresponding
-                                                      podAffinityTerm; the node(s) with
-                                                      the highest sum are the most preferred.
+                                                  nodeSelectorTerms:
+                                                    description: Required. A list
+                                                      of node selector terms. The
+                                                      terms are ORed.
                                                     type: array
                                                     items:
-                                                      description: The weights of all
-                                                        of the matched WeightedPodAffinityTerm
-                                                        fields are added per-node to find
-                                                        the most preferred node(s)
+                                                      description: A null or empty
+                                                        node selector term matches
+                                                        no objects. The requirements
+                                                        of them are ANDed. The TopologySelectorTerm
+                                                        type implements a subset of
+                                                        the NodeSelectorTerm.
                                                       type: object
-                                                      required:
-                                                      - podAffinityTerm
-                                                      - weight
                                                       properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod
-                                                            affinity term, associated
-                                                            with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                          - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query
-                                                                over a set of resources,
-                                                                in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions
-                                                                    is a list of label
-                                                                    selector requirements.
-                                                                    The requirements are
-                                                                    ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label
-                                                                      selector requirement
-                                                                      is a selector that
-                                                                      contains values,
-                                                                      a key, and an operator
-                                                                      that relates the
-                                                                      key and values.
-                                                                    type: object
-                                                                    required:
-                                                                    - key
-                                                                    - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key
-                                                                          is the label
-                                                                          key that the
-                                                                          selector applies
-                                                                          to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator
-                                                                          represents a
-                                                                          key's relationship
-                                                                          to a set of
-                                                                          values. Valid
-                                                                          operators are
-                                                                          In, NotIn, Exists
-                                                                          and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values
-                                                                          is an array
-                                                                          of string values.
-                                                                          If the operator
-                                                                          is In or NotIn,
-                                                                          the values array
-                                                                          must be non-empty.
-                                                                          If the operator
-                                                                          is Exists or
-                                                                          DoesNotExist,
-                                                                          the values array
-                                                                          must be empty.
-                                                                          This array is
-                                                                          replaced during
-                                                                          a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels
-                                                                    is a map of {key,value}
-                                                                    pairs. A single {key,value}
-                                                                    in the matchLabels
-                                                                    map is equivalent
-                                                                    to an element of matchExpressions,
-                                                                    whose key field is
-                                                                    "key", the operator
-                                                                    is "In", and the values
-                                                                    array contains only
-                                                                    "value". The requirements
-                                                                    are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces
-                                                                specifies which namespaces
-                                                                the labelSelector applies
-                                                                to (matches against);
-                                                                null or empty list means
-                                                                "this pod's namespace"
-                                                              type: array
-                                                              items:
+                                                        matchExpressions:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's labels.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
                                                                 type: string
-                                                            topologyKey:
-                                                              description: This pod should
-                                                                be co-located (affinity)
-                                                                or not co-located (anti-affinity)
-                                                                with the pods matching
-                                                                the labelSelector in the
-                                                                specified namespaces,
-                                                                where co-located is defined
-                                                                as running on a node whose
-                                                                value of the label with
-                                                                key topologyKey matches
-                                                                that of any node on which
-                                                                any of the selected pods
-                                                                is running. Empty topologyKey
-                                                                is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated
-                                                            with matching the corresponding
-                                                            podAffinityTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the affinity requirements
-                                                      specified by this field are not
-                                                      met at scheduling time, the pod
-                                                      will not be scheduled onto the node.
-                                                      If the affinity requirements specified
-                                                      by this field cease to be met at
-                                                      some point during pod execution
-                                                      (e.g. due to a pod label update),
-                                                      the system may or may not try to
-                                                      eventually evict the pod from its
-                                                      node. When there are multiple elements,
-                                                      the lists of nodes corresponding
-                                                      to each podAffinityTerm are intersected,
-                                                      i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods
-                                                        (namely those matching the labelSelector
-                                                        relative to the given namespace(s))
-                                                        that this pod should be co-located
-                                                        (affinity) or not co-located (anti-affinity)
-                                                        with, where co-located is defined
-                                                        as running on a node whose value
-                                                        of the label with key <topologyKey>
-                                                        matches that of any node on which
-                                                        a pod of the set of pods is running
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchFields:
+                                                          description: A list of node
+                                                            selector requirements
+                                                            by node's fields.
+                                                          type: array
+                                                          items:
+                                                            description: A node selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: The label
+                                                                  key that the selector
+                                                                  applies to.
+                                                                type: string
+                                                              operator:
+                                                                description: Represents
+                                                                  a key's relationship
+                                                                  to a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists,
+                                                                  DoesNotExist. Gt,
+                                                                  and Lt.
+                                                                type: string
+                                                              values:
+                                                                description: An array
+                                                                  of string values.
+                                                                  If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. If
+                                                                  the operator is
+                                                                  Gt or Lt, the values
+                                                                  array must have
+                                                                  a single element,
+                                                                  which will be interpreted
+                                                                  as an integer. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                          podAffinity:
+                                            description: Describes pod affinity scheduling
+                                              rules (e.g. co-locate this pod in the
+                                              same node, zone, etc. as some other
+                                              pod(s)).
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  affinity expressions, etc.), compute
+                                                  a sum by iterating through the elements
+                                                  of this field and adding "weight"
+                                                  to the sum if the node has pods
+                                                  which matches the corresponding
+                                                  podAffinityTerm; the node(s) with
+                                                  the highest sum are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: The weights of all
+                                                    of the matched WeightedPodAffinityTerm
+                                                    fields are added per-node to find
+                                                    the most preferred node(s)
+                                                  type: object
+                                                  required:
+                                                  - podAffinityTerm
+                                                  - weight
+                                                  properties:
+                                                    podAffinityTerm:
+                                                      description: Required. A pod
+                                                        affinity term, associated
+                                                        with the corresponding weight.
                                                       type: object
                                                       required:
                                                       - topologyKey
                                                       properties:
                                                         labelSelector:
-                                                          description: A label query over
-                                                            a set of resources, in this
-                                                            case pods.
+                                                          description: A label query
+                                                            over a set of resources,
+                                                            in this case pods.
                                                           type: object
                                                           properties:
                                                             matchExpressions:
                                                               description: matchExpressions
-                                                                is a list of label selector
-                                                                requirements. The requirements
-                                                                are ANDed.
+                                                                is a list of label
+                                                                selector requirements.
+                                                                The requirements are
+                                                                ANDed.
                                                               type: array
                                                               items:
-                                                                description: A label selector
-                                                                  requirement is a selector
-                                                                  that contains values,
+                                                                description: A label
+                                                                  selector requirement
+                                                                  is a selector that
+                                                                  contains values,
                                                                   a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
+                                                                  that relates the
+                                                                  key and values.
                                                                 type: object
                                                                 required:
                                                                 - key
                                                                 - operator
                                                                 properties:
                                                                   key:
-                                                                    description: key is
-                                                                      the label key that
-                                                                      the selector applies
+                                                                    description: key
+                                                                      is the label
+                                                                      key that the
+                                                                      selector applies
                                                                       to.
                                                                     type: string
                                                                   operator:
                                                                     description: operator
-                                                                      represents a key's
-                                                                      relationship to
-                                                                      a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists
+                                                                      represents a
+                                                                      key's relationship
+                                                                      to a set of
+                                                                      values. Valid
+                                                                      operators are
+                                                                      In, NotIn, Exists
                                                                       and DoesNotExist.
                                                                     type: string
                                                                   values:
                                                                     description: values
-                                                                      is an array of string
-                                                                      values. If the operator
+                                                                      is an array
+                                                                      of string values.
+                                                                      If the operator
                                                                       is In or NotIn,
                                                                       the values array
                                                                       must be non-empty.
                                                                       If the operator
-                                                                      is Exists or DoesNotExist,
+                                                                      is Exists or
+                                                                      DoesNotExist,
                                                                       the values array
-                                                                      must be empty. This
-                                                                      array is replaced
-                                                                      during a strategic
+                                                                      must be empty.
+                                                                      This array is
+                                                                      replaced during
+                                                                      a strategic
                                                                       merge patch.
                                                                     type: array
                                                                     items:
@@ -1105,281 +1015,281 @@ spec:
                                                               description: matchLabels
                                                                 is a map of {key,value}
                                                                 pairs. A single {key,value}
-                                                                in the matchLabels map
-                                                                is equivalent to an element
-                                                                of matchExpressions, whose
-                                                                key field is "key", the
-                                                                operator is "In", and
-                                                                the values array contains
-                                                                only "value". The requirements
+                                                                in the matchLabels
+                                                                map is equivalent
+                                                                to an element of matchExpressions,
+                                                                whose key field is
+                                                                "key", the operator
+                                                                is "In", and the values
+                                                                array contains only
+                                                                "value". The requirements
                                                                 are ANDed.
                                                               type: object
                                                               additionalProperties:
                                                                 type: string
                                                         namespaces:
-                                                          description: namespaces specifies
-                                                            which namespaces the labelSelector
-                                                            applies to (matches against);
-                                                            null or empty list means "this
-                                                            pod's namespace"
+                                                          description: namespaces
+                                                            specifies which namespaces
+                                                            the labelSelector applies
+                                                            to (matches against);
+                                                            null or empty list means
+                                                            "this pod's namespace"
                                                           type: array
                                                           items:
                                                             type: string
                                                         topologyKey:
                                                           description: This pod should
-                                                            be co-located (affinity) or
-                                                            not co-located (anti-affinity)
-                                                            with the pods matching the
-                                                            labelSelector in the specified
-                                                            namespaces, where co-located
-                                                            is defined as running on a
-                                                            node whose value of the label
-                                                            with key topologyKey matches
+                                                            be co-located (affinity)
+                                                            or not co-located (anti-affinity)
+                                                            with the pods matching
+                                                            the labelSelector in the
+                                                            specified namespaces,
+                                                            where co-located is defined
+                                                            as running on a node whose
+                                                            value of the label with
+                                                            key topologyKey matches
                                                             that of any node on which
-                                                            any of the selected pods is
-                                                            running. Empty topologyKey
+                                                            any of the selected pods
+                                                            is running. Empty topologyKey
                                                             is not allowed.
                                                           type: string
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity
-                                                  scheduling rules (e.g. avoid putting
-                                                  this pod in the same node, zone, etc.
-                                                  as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: The scheduler will prefer
-                                                      to schedule pods to nodes that satisfy
-                                                      the anti-affinity expressions specified
-                                                      by this field, but it may choose
-                                                      a node that violates one or more
-                                                      of the expressions. The node that
-                                                      is most preferred is the one with
-                                                      the greatest sum of weights, i.e.
-                                                      for each node that meets all of
-                                                      the scheduling requirements (resource
-                                                      request, requiredDuringScheduling
-                                                      anti-affinity expressions, etc.),
-                                                      compute a sum by iterating through
-                                                      the elements of this field and adding
-                                                      "weight" to the sum if the node
-                                                      has pods which matches the corresponding
-                                                      podAffinityTerm; the node(s) with
-                                                      the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all
-                                                        of the matched WeightedPodAffinityTerm
-                                                        fields are added per-node to find
-                                                        the most preferred node(s)
+                                                    weight:
+                                                      description: weight associated
+                                                        with matching the corresponding
+                                                        podAffinityTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the affinity requirements
+                                                  specified by this field are not
+                                                  met at scheduling time, the pod
+                                                  will not be scheduled onto the node.
+                                                  If the affinity requirements specified
+                                                  by this field cease to be met at
+                                                  some point during pod execution
+                                                  (e.g. due to a pod label update),
+                                                  the system may or may not try to
+                                                  eventually evict the pod from its
+                                                  node. When there are multiple elements,
+                                                  the lists of nodes corresponding
+                                                  to each podAffinityTerm are intersected,
+                                                  i.e. all terms must be satisfied.
+                                                type: array
+                                                items:
+                                                  description: Defines a set of pods
+                                                    (namely those matching the labelSelector
+                                                    relative to the given namespace(s))
+                                                    that this pod should be co-located
+                                                    (affinity) or not co-located (anti-affinity)
+                                                    with, where co-located is defined
+                                                    as running on a node whose value
+                                                    of the label with key <topologyKey>
+                                                    matches that of any node on which
+                                                    a pod of the set of pods is running
+                                                  type: object
+                                                  required:
+                                                  - topologyKey
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
                                                       type: object
-                                                      required:
-                                                      - podAffinityTerm
-                                                      - weight
                                                       properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod
-                                                            affinity term, associated
-                                                            with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                          - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: A label query
-                                                                over a set of resources,
-                                                                in this case pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions
-                                                                    is a list of label
-                                                                    selector requirements.
-                                                                    The requirements are
-                                                                    ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: A label
-                                                                      selector requirement
-                                                                      is a selector that
-                                                                      contains values,
-                                                                      a key, and an operator
-                                                                      that relates the
-                                                                      key and values.
-                                                                    type: object
-                                                                    required:
-                                                                    - key
-                                                                    - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key
-                                                                          is the label
-                                                                          key that the
-                                                                          selector applies
-                                                                          to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: operator
-                                                                          represents a
-                                                                          key's relationship
-                                                                          to a set of
-                                                                          values. Valid
-                                                                          operators are
-                                                                          In, NotIn, Exists
-                                                                          and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: values
-                                                                          is an array
-                                                                          of string values.
-                                                                          If the operator
-                                                                          is In or NotIn,
-                                                                          the values array
-                                                                          must be non-empty.
-                                                                          If the operator
-                                                                          is Exists or
-                                                                          DoesNotExist,
-                                                                          the values array
-                                                                          must be empty.
-                                                                          This array is
-                                                                          replaced during
-                                                                          a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                matchLabels:
-                                                                  description: matchLabels
-                                                                    is a map of {key,value}
-                                                                    pairs. A single {key,value}
-                                                                    in the matchLabels
-                                                                    map is equivalent
-                                                                    to an element of matchExpressions,
-                                                                    whose key field is
-                                                                    "key", the operator
-                                                                    is "In", and the values
-                                                                    array contains only
-                                                                    "value". The requirements
-                                                                    are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                            namespaces:
-                                                              description: namespaces
-                                                                specifies which namespaces
-                                                                the labelSelector applies
-                                                                to (matches against);
-                                                                null or empty list means
-                                                                "this pod's namespace"
-                                                              type: array
-                                                              items:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          type: array
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
                                                                 type: string
-                                                            topologyKey:
-                                                              description: This pod should
-                                                                be co-located (affinity)
-                                                                or not co-located (anti-affinity)
-                                                                with the pods matching
-                                                                the labelSelector in the
-                                                                specified namespaces,
-                                                                where co-located is defined
-                                                                as running on a node whose
-                                                                value of the label with
-                                                                key topologyKey matches
-                                                                that of any node on which
-                                                                any of the selected pods
-                                                                is running. Empty topologyKey
-                                                                is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: weight associated
-                                                            with matching the corresponding
-                                                            podAffinityTerm, in the range
-                                                            1-100.
-                                                          type: integer
-                                                          format: int32
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: If the anti-affinity
-                                                      requirements specified by this field
-                                                      are not met at scheduling time,
-                                                      the pod will not be scheduled onto
-                                                      the node. If the anti-affinity requirements
-                                                      specified by this field cease to
-                                                      be met at some point during pod
-                                                      execution (e.g. due to a pod label
-                                                      update), the system may or may not
-                                                      try to eventually evict the pod
-                                                      from its node. When there are multiple
-                                                      elements, the lists of nodes corresponding
-                                                      to each podAffinityTerm are intersected,
-                                                      i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: Defines a set of pods
-                                                        (namely those matching the labelSelector
-                                                        relative to the given namespace(s))
-                                                        that this pod should be co-located
-                                                        (affinity) or not co-located (anti-affinity)
-                                                        with, where co-located is defined
-                                                        as running on a node whose value
-                                                        of the label with key <topologyKey>
-                                                        matches that of any node on which
-                                                        a pod of the set of pods is running
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchLabels:
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                          additionalProperties:
+                                                            type: string
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      type: array
+                                                      items:
+                                                        type: string
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                          podAntiAffinity:
+                                            description: Describes pod anti-affinity
+                                              scheduling rules (e.g. avoid putting
+                                              this pod in the same node, zone, etc.
+                                              as some other pod(s)).
+                                            type: object
+                                            properties:
+                                              preferredDuringSchedulingIgnoredDuringExecution:
+                                                description: The scheduler will prefer
+                                                  to schedule pods to nodes that satisfy
+                                                  the anti-affinity expressions specified
+                                                  by this field, but it may choose
+                                                  a node that violates one or more
+                                                  of the expressions. The node that
+                                                  is most preferred is the one with
+                                                  the greatest sum of weights, i.e.
+                                                  for each node that meets all of
+                                                  the scheduling requirements (resource
+                                                  request, requiredDuringScheduling
+                                                  anti-affinity expressions, etc.),
+                                                  compute a sum by iterating through
+                                                  the elements of this field and adding
+                                                  "weight" to the sum if the node
+                                                  has pods which matches the corresponding
+                                                  podAffinityTerm; the node(s) with
+                                                  the highest sum are the most preferred.
+                                                type: array
+                                                items:
+                                                  description: The weights of all
+                                                    of the matched WeightedPodAffinityTerm
+                                                    fields are added per-node to find
+                                                    the most preferred node(s)
+                                                  type: object
+                                                  required:
+                                                  - podAffinityTerm
+                                                  - weight
+                                                  properties:
+                                                    podAffinityTerm:
+                                                      description: Required. A pod
+                                                        affinity term, associated
+                                                        with the corresponding weight.
                                                       type: object
                                                       required:
                                                       - topologyKey
                                                       properties:
                                                         labelSelector:
-                                                          description: A label query over
-                                                            a set of resources, in this
-                                                            case pods.
+                                                          description: A label query
+                                                            over a set of resources,
+                                                            in this case pods.
                                                           type: object
                                                           properties:
                                                             matchExpressions:
                                                               description: matchExpressions
-                                                                is a list of label selector
-                                                                requirements. The requirements
-                                                                are ANDed.
+                                                                is a list of label
+                                                                selector requirements.
+                                                                The requirements are
+                                                                ANDed.
                                                               type: array
                                                               items:
-                                                                description: A label selector
-                                                                  requirement is a selector
-                                                                  that contains values,
+                                                                description: A label
+                                                                  selector requirement
+                                                                  is a selector that
+                                                                  contains values,
                                                                   a key, and an operator
-                                                                  that relates the key
-                                                                  and values.
+                                                                  that relates the
+                                                                  key and values.
                                                                 type: object
                                                                 required:
                                                                 - key
                                                                 - operator
                                                                 properties:
                                                                   key:
-                                                                    description: key is
-                                                                      the label key that
-                                                                      the selector applies
+                                                                    description: key
+                                                                      is the label
+                                                                      key that the
+                                                                      selector applies
                                                                       to.
                                                                     type: string
                                                                   operator:
                                                                     description: operator
-                                                                      represents a key's
-                                                                      relationship to
-                                                                      a set of values.
-                                                                      Valid operators
-                                                                      are In, NotIn, Exists
+                                                                      represents a
+                                                                      key's relationship
+                                                                      to a set of
+                                                                      values. Valid
+                                                                      operators are
+                                                                      In, NotIn, Exists
                                                                       and DoesNotExist.
                                                                     type: string
                                                                   values:
                                                                     description: values
-                                                                      is an array of string
-                                                                      values. If the operator
+                                                                      is an array
+                                                                      of string values.
+                                                                      If the operator
                                                                       is In or NotIn,
                                                                       the values array
                                                                       must be non-empty.
                                                                       If the operator
-                                                                      is Exists or DoesNotExist,
+                                                                      is Exists or
+                                                                      DoesNotExist,
                                                                       the values array
-                                                                      must be empty. This
-                                                                      array is replaced
-                                                                      during a strategic
+                                                                      must be empty.
+                                                                      This array is
+                                                                      replaced during
+                                                                      a strategic
                                                                       merge patch.
                                                                     type: array
                                                                     items:
@@ -1388,246 +1298,332 @@ spec:
                                                               description: matchLabels
                                                                 is a map of {key,value}
                                                                 pairs. A single {key,value}
-                                                                in the matchLabels map
-                                                                is equivalent to an element
-                                                                of matchExpressions, whose
-                                                                key field is "key", the
-                                                                operator is "In", and
-                                                                the values array contains
-                                                                only "value". The requirements
+                                                                in the matchLabels
+                                                                map is equivalent
+                                                                to an element of matchExpressions,
+                                                                whose key field is
+                                                                "key", the operator
+                                                                is "In", and the values
+                                                                array contains only
+                                                                "value". The requirements
                                                                 are ANDed.
                                                               type: object
                                                               additionalProperties:
                                                                 type: string
                                                         namespaces:
-                                                          description: namespaces specifies
-                                                            which namespaces the labelSelector
-                                                            applies to (matches against);
-                                                            null or empty list means "this
-                                                            pod's namespace"
+                                                          description: namespaces
+                                                            specifies which namespaces
+                                                            the labelSelector applies
+                                                            to (matches against);
+                                                            null or empty list means
+                                                            "this pod's namespace"
                                                           type: array
                                                           items:
                                                             type: string
                                                         topologyKey:
                                                           description: This pod should
-                                                            be co-located (affinity) or
-                                                            not co-located (anti-affinity)
-                                                            with the pods matching the
-                                                            labelSelector in the specified
-                                                            namespaces, where co-located
-                                                            is defined as running on a
-                                                            node whose value of the label
-                                                            with key topologyKey matches
+                                                            be co-located (affinity)
+                                                            or not co-located (anti-affinity)
+                                                            with the pods matching
+                                                            the labelSelector in the
+                                                            specified namespaces,
+                                                            where co-located is defined
+                                                            as running on a node whose
+                                                            value of the label with
+                                                            key topologyKey matches
                                                             that of any node on which
-                                                            any of the selected pods is
-                                                            running. Empty topologyKey
+                                                            any of the selected pods
+                                                            is running. Empty topologyKey
                                                             is not allowed.
                                                           type: string
-                                          nodeSelector:
-                                            description: 'NodeSelector is a selector which
-                                              must be true for the pod to fit on a node.
-                                              Selector which must match a node''s labels
-                                              for the pod to be scheduled on that node.
-                                              More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
-                                            type: object
-                                            additionalProperties:
+                                                    weight:
+                                                      description: weight associated
+                                                        with matching the corresponding
+                                                        podAffinityTerm, in the range
+                                                        1-100.
+                                                      type: integer
+                                                      format: int32
+                                              requiredDuringSchedulingIgnoredDuringExecution:
+                                                description: If the anti-affinity
+                                                  requirements specified by this field
+                                                  are not met at scheduling time,
+                                                  the pod will not be scheduled onto
+                                                  the node. If the anti-affinity requirements
+                                                  specified by this field cease to
+                                                  be met at some point during pod
+                                                  execution (e.g. due to a pod label
+                                                  update), the system may or may not
+                                                  try to eventually evict the pod
+                                                  from its node. When there are multiple
+                                                  elements, the lists of nodes corresponding
+                                                  to each podAffinityTerm are intersected,
+                                                  i.e. all terms must be satisfied.
+                                                type: array
+                                                items:
+                                                  description: Defines a set of pods
+                                                    (namely those matching the labelSelector
+                                                    relative to the given namespace(s))
+                                                    that this pod should be co-located
+                                                    (affinity) or not co-located (anti-affinity)
+                                                    with, where co-located is defined
+                                                    as running on a node whose value
+                                                    of the label with key <topologyKey>
+                                                    matches that of any node on which
+                                                    a pod of the set of pods is running
+                                                  type: object
+                                                  required:
+                                                  - topologyKey
+                                                  properties:
+                                                    labelSelector:
+                                                      description: A label query over
+                                                        a set of resources, in this
+                                                        case pods.
+                                                      type: object
+                                                      properties:
+                                                        matchExpressions:
+                                                          description: matchExpressions
+                                                            is a list of label selector
+                                                            requirements. The requirements
+                                                            are ANDed.
+                                                          type: array
+                                                          items:
+                                                            description: A label selector
+                                                              requirement is a selector
+                                                              that contains values,
+                                                              a key, and an operator
+                                                              that relates the key
+                                                              and values.
+                                                            type: object
+                                                            required:
+                                                            - key
+                                                            - operator
+                                                            properties:
+                                                              key:
+                                                                description: key is
+                                                                  the label key that
+                                                                  the selector applies
+                                                                  to.
+                                                                type: string
+                                                              operator:
+                                                                description: operator
+                                                                  represents a key's
+                                                                  relationship to
+                                                                  a set of values.
+                                                                  Valid operators
+                                                                  are In, NotIn, Exists
+                                                                  and DoesNotExist.
+                                                                type: string
+                                                              values:
+                                                                description: values
+                                                                  is an array of string
+                                                                  values. If the operator
+                                                                  is In or NotIn,
+                                                                  the values array
+                                                                  must be non-empty.
+                                                                  If the operator
+                                                                  is Exists or DoesNotExist,
+                                                                  the values array
+                                                                  must be empty. This
+                                                                  array is replaced
+                                                                  during a strategic
+                                                                  merge patch.
+                                                                type: array
+                                                                items:
+                                                                  type: string
+                                                        matchLabels:
+                                                          description: matchLabels
+                                                            is a map of {key,value}
+                                                            pairs. A single {key,value}
+                                                            in the matchLabels map
+                                                            is equivalent to an element
+                                                            of matchExpressions, whose
+                                                            key field is "key", the
+                                                            operator is "In", and
+                                                            the values array contains
+                                                            only "value". The requirements
+                                                            are ANDed.
+                                                          type: object
+                                                          additionalProperties:
+                                                            type: string
+                                                    namespaces:
+                                                      description: namespaces specifies
+                                                        which namespaces the labelSelector
+                                                        applies to (matches against);
+                                                        null or empty list means "this
+                                                        pod's namespace"
+                                                      type: array
+                                                      items:
+                                                        type: string
+                                                    topologyKey:
+                                                      description: This pod should
+                                                        be co-located (affinity) or
+                                                        not co-located (anti-affinity)
+                                                        with the pods matching the
+                                                        labelSelector in the specified
+                                                        namespaces, where co-located
+                                                        is defined as running on a
+                                                        node whose value of the label
+                                                        with key topologyKey matches
+                                                        that of any node on which
+                                                        any of the selected pods is
+                                                        running. Empty topologyKey
+                                                        is not allowed.
+                                                      type: string
+                                      nodeSelector:
+                                        description: 'NodeSelector is a selector which
+                                          must be true for the pod to fit on a node.
+                                          Selector which must match a node''s labels
+                                          for the pod to be scheduled on that node.
+                                          More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                        type: object
+                                        additionalProperties:
+                                          type: string
+                                      tolerations:
+                                        description: If specified, the pod's tolerations.
+                                        type: array
+                                        items:
+                                          description: The pod this Toleration is
+                                            attached to tolerates any taint that matches
+                                            the triple <key,value,effect> using the
+                                            matching operator <operator>.
+                                          type: object
+                                          properties:
+                                            effect:
+                                              description: Effect indicates the taint
+                                                effect to match. Empty means match
+                                                all taint effects. When specified,
+                                                allowed values are NoSchedule, PreferNoSchedule
+                                                and NoExecute.
                                               type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: The pod this Toleration is
-                                                attached to tolerates any taint that matches
-                                                the triple <key,value,effect> using the
-                                                matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: Effect indicates the taint
-                                                    effect to match. Empty means match
-                                                    all taint effects. When specified,
-                                                    allowed values are NoSchedule, PreferNoSchedule
-                                                    and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: Key is the taint key that
-                                                    the toleration applies to. Empty means
-                                                    match all taint keys. If the key is
-                                                    empty, operator must be Exists; this
-                                                    combination means to match all values
-                                                    and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: Operator represents a key's
-                                                    relationship to the value. Valid operators
-                                                    are Exists and Equal. Defaults to
-                                                    Equal. Exists is equivalent to wildcard
-                                                    for value, so that a pod can tolerate
-                                                    all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: TolerationSeconds represents
-                                                    the period of time the toleration
-                                                    (which must be of effect NoExecute,
-                                                    otherwise this field is ignored) tolerates
-                                                    the taint. By default, it is not set,
-                                                    which means tolerate the taint forever
-                                                    (do not evict). Zero and negative
-                                                    values will be treated as 0 (evict
-                                                    immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: Value is the taint value
-                                                    the toleration matches to. If the
-                                                    operator is Exists, the value should
-                                                    be empty, otherwise just a regular
-                                                    string.
-                                                  type: string
-                                  serviceType:
-                                    description: Optional service type for Kubernetes
-                                      solver service
-                                    type: string
-                          selector:
-                            description: Selector selects a set of DNSNames on the Certificate
-                              resource that should be solved using this challenge solver.
+                                            key:
+                                              description: Key is the taint key that
+                                                the toleration applies to. Empty means
+                                                match all taint keys. If the key is
+                                                empty, operator must be Exists; this
+                                                combination means to match all values
+                                                and all keys.
+                                              type: string
+                                            operator:
+                                              description: Operator represents a key's
+                                                relationship to the value. Valid operators
+                                                are Exists and Equal. Defaults to
+                                                Equal. Exists is equivalent to wildcard
+                                                for value, so that a pod can tolerate
+                                                all taints of a particular category.
+                                              type: string
+                                            tolerationSeconds:
+                                              description: TolerationSeconds represents
+                                                the period of time the toleration
+                                                (which must be of effect NoExecute,
+                                                otherwise this field is ignored) tolerates
+                                                the taint. By default, it is not set,
+                                                which means tolerate the taint forever
+                                                (do not evict). Zero and negative
+                                                values will be treated as 0 (evict
+                                                immediately) by the system.
+                                              type: integer
+                                              format: int64
+                                            value:
+                                              description: Value is the taint value
+                                                the toleration matches to. If the
+                                                operator is Exists, the value should
+                                                be empty, otherwise just a regular
+                                                string.
+                                              type: string
+                              serviceType:
+                                description: Optional service type for Kubernetes
+                                  solver service
+                                type: string
+                      selector:
+                        description: Selector selects a set of DNSNames on the Certificate
+                          resource that should be solved using this challenge solver.
+                        type: object
+                        properties:
+                          dnsNames:
+                            description: List of DNSNames that this solver will be
+                              used to solve. If specified and a match is found, a
+                              dnsNames selector will take precedence over a dnsZones
+                              selector. If multiple solvers match with the same dnsNames
+                              value, the solver with the most matching labels in matchLabels
+                              will be selected. If neither has more matches, the solver
+                              defined earlier in the list will be selected.
+                            type: array
+                            items:
+                              type: string
+                          dnsZones:
+                            description: List of DNSZones that this solver will be
+                              used to solve. The most specific DNS zone match specified
+                              here will take precedence over other DNS zone matches,
+                              so a solver specifying sys.example.com will be selected
+                              over one specifying example.com for the domain www.sys.example.com.
+                              If multiple solvers match with the same dnsZones value,
+                              the solver with the most matching labels in matchLabels
+                              will be selected. If neither has more matches, the solver
+                              defined earlier in the list will be selected.
+                            type: array
+                            items:
+                              type: string
+                          matchLabels:
+                            description: A label selector that is used to refine the
+                              set of certificate's that this challenge solver will
+                              apply to.
                             type: object
-                            properties:
-                              dnsNames:
-                                description: List of DNSNames that this solver will be
-                                  used to solve. If specified and a match is found, a
-                                  dnsNames selector will take precedence over a dnsZones
-                                  selector. If multiple solvers match with the same dnsNames
-                                  value, the solver with the most matching labels in matchLabels
-                                  will be selected. If neither has more matches, the solver
-                                  defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: List of DNSZones that this solver will be
-                                  used to solve. The most specific DNS zone match specified
-                                  here will take precedence over other DNS zone matches,
-                                  so a solver specifying sys.example.com will be selected
-                                  over one specifying example.com for the domain www.sys.example.com.
-                                  If multiple solvers match with the same dnsZones value,
-                                  the solver with the most matching labels in matchLabels
-                                  will be selected. If neither has more matches, the solver
-                                  defined earlier in the list will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: A label selector that is used to refine the
-                                  set of certificate's that this challenge solver will
-                                  apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  type: object
-                  required:
-                  - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate
-                        extension which identifies the location of the CRL from which
-                        the revocation of this certificate can be checked. If not set
-                        certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: SecretName is the name of the secret used to sign Certificates
-                        issued by this Issuer.
-                      type: string
-                selfSigned:
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: The CRL distribution points is an X.509 v3 certificate
-                        extension which identifies the location of the CRL from which
-                        the revocation of this certificate can be checked. If not set
-                        certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
+                            additionalProperties:
+                              type: string
+            ca:
+              type: object
+              required:
+              - secretName
+              properties:
+                crlDistributionPoints:
+                  description: The CRL distribution points is an X.509 v3 certificate
+                    extension which identifies the location of the CRL from which
+                    the revocation of this certificate can be checked. If not set
+                    certificate will be issued without CDP. Values are strings.
+                  type: array
+                  items:
+                    type: string
+                secretName:
+                  description: SecretName is the name of the secret used to sign Certificates
+                    issued by this Issuer.
+                  type: string
+            selfSigned:
+              type: object
+              properties:
+                crlDistributionPoints:
+                  description: The CRL distribution points is an X.509 v3 certificate
+                    extension which identifies the location of the CRL from which
+                    the revocation of this certificate can be checked. If not set
+                    certificate will be issued without CDP. Values are strings.
+                  type: array
+                  items:
+                    type: string
+            vault:
+              type: object
+              required:
+              - auth
+              - path
+              - server
+              properties:
+                auth:
+                  description: Vault authentication
                   type: object
-                  required:
-                  - auth
-                  - path
-                  - server
                   properties:
-                    auth:
-                      description: Vault authentication
+                    appRole:
+                      description: This Secret contains a AppRole and Secret
                       type: object
+                      required:
+                      - path
+                      - roleId
+                      - secretRef
                       properties:
-                        appRole:
-                          description: This Secret contains a AppRole and Secret
-                          type: object
-                          required:
-                          - path
-                          - roleId
-                          - secretRef
-                          properties:
-                            path:
-                              description: Where the authentication path is mounted in
-                                Vault.
-                              type: string
-                            roleId:
-                              type: string
-                            secretRef:
-                              type: object
-                              required:
-                              - name
-                              properties:
-                                key:
-                                  description: The key of the secret to select from. Must
-                                    be a valid secret key.
-                                  type: string
-                                name:
-                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?'
-                                  type: string
-                        kubernetes:
-                          description: This contains a Role and Secret with a ServiceAccount
-                            token to authenticate with vault.
-                          type: object
-                          required:
-                          - role
-                          - secretRef
-                          properties:
-                            mountPath:
-                              description: The Vault mountPath here is the mount path
-                                to use when authenticating with Vault. For example, setting
-                                a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
-                                to authenticate with Vault. If unspecified, the default
-                                value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: A required field containing the Vault Role
-                                to assume. A Role binds a Kubernetes ServiceAccount with
-                                a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: The required Secret field containing a Kubernetes
-                                ServiceAccount JWT used for authenticating with Vault.
-                                Use of 'ambient credentials' is not supported.
-                              type: object
-                              required:
-                              - name
-                              properties:
-                                key:
-                                  description: The key of the secret to select from. Must
-                                    be a valid secret key.
-                                  type: string
-                                name:
-                                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                    TODO: Add other useful fields. apiVersion, kind, uid?'
-                                  type: string
-                        tokenSecretRef:
-                          description: This Secret contains the Vault token key
+                        path:
+                          description: Where the authentication path is mounted in
+                            Vault.
+                          type: string
+                        roleId:
+                          type: string
+                        secretRef:
                           type: object
                           required:
                           - name
@@ -1640,36 +1636,30 @@ spec:
                               description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                 TODO: Add other useful fields. apiVersion, kind, uid?'
                               type: string
-                    caBundle:
-                      description: Base64 encoded CA bundle to validate Vault server certificate.
-                        Only used if the Server URL is using HTTPS protocol. This parameter
-                        is ignored for plain HTTP protocol connection. If not set the
-                        system root certificates are used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    path:
-                      description: Vault URL path to the certificate role
-                      type: string
-                    server:
-                      description: Server is the vault connection address
-                      type: string
-                venafi:
-                  description: VenafiIssuer describes issuer configuration details for
-                    Venafi Cloud.
-                  type: object
-                  required:
-                  - zone
-                  properties:
-                    cloud:
-                      description: Cloud specifies the Venafi cloud configuration settings.
-                        Only one of TPP or Cloud may be specified.
+                    kubernetes:
+                      description: This contains a Role and Secret with a ServiceAccount
+                        token to authenticate with vault.
                       type: object
                       required:
-                      - apiTokenSecretRef
+                      - role
+                      - secretRef
                       properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for
-                            the Venafi Cloud API token.
+                        mountPath:
+                          description: The Vault mountPath here is the mount path
+                            to use when authenticating with Vault. For example, setting
+                            a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
+                            to authenticate with Vault. If unspecified, the default
+                            value "/v1/auth/kubernetes" will be used.
+                          type: string
+                        role:
+                          description: A required field containing the Vault Role
+                            to assume. A Role binds a Kubernetes ServiceAccount with
+                            a set of Vault policies.
+                          type: string
+                        secretRef:
+                          description: The required Secret field containing a Kubernetes
+                            ServiceAccount JWT used for authenticating with Vault.
+                            Use of 'ambient credentials' is not supported.
                           type: object
                           required:
                           - name
@@ -1682,93 +1672,149 @@ spec:
                               description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                                 TODO: Add other useful fields. apiVersion, kind, uid?'
                               type: string
-                        url:
-                          description: URL is the base URL for Venafi Cloud
-                          type: string
-                    tpp:
-                      description: TPP specifies Trust Protection Platform configuration
-                        settings. Only one of TPP or Cloud may be specified.
+                    tokenSecretRef:
+                      description: This Secret contains the Vault token key
                       type: object
                       required:
-                      - credentialsRef
-                      - url
+                      - name
                       properties:
-                        caBundle:
-                          description: CABundle is a PEM encoded TLS certificate to use
-                            to verify connections to the TPP instance. If specified, system
-                            roots will not be used and the issuing CA for the TPP instance
-                            must be verifiable using the provided root. If not specified,
-                            the connection will be verified using the cert-manager system
-                            root certificates.
+                        key:
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
                           type: string
-                          format: byte
-                        credentialsRef:
-                          description: CredentialsRef is a reference to a Secret containing
-                            the username and password for the TPP server. The secret must
-                            contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                          - name
-                          properties:
-                            name:
-                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?'
-                              type: string
-                        url:
-                          description: URL is the base URL for the Venafi TPP instance
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
                           type: string
-                    zone:
-                      description: Zone is the Venafi Policy Zone to use for this issuer.
-                        All requests made to the Venafi platform will be restricted by
-                        the named zone policy. This field is required.
-                      type: string
-            status:
-              description: IssuerStatus contains status information about an Issuer
+                caBundle:
+                  description: Base64 encoded CA bundle to validate Vault server certificate.
+                    Only used if the Server URL is using HTTPS protocol. This parameter
+                    is ignored for plain HTTP protocol connection. If not set the
+                    system root certificates are used to validate the TLS connection.
+                  type: string
+                  format: byte
+                path:
+                  description: Vault URL path to the certificate role
+                  type: string
+                server:
+                  description: Server is the vault connection address
+                  type: string
+            venafi:
+              description: VenafiIssuer describes issuer configuration details for
+                Venafi Cloud.
               type: object
+              required:
+              - zone
               properties:
-                acme:
+                cloud:
+                  description: Cloud specifies the Venafi cloud configuration settings.
+                    Only one of TPP or Cloud may be specified.
+                  type: object
+                  required:
+                  - apiTokenSecretRef
+                  properties:
+                    apiTokenSecretRef:
+                      description: APITokenSecretRef is a secret key selector for
+                        the Venafi Cloud API token.
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        key:
+                          description: The key of the secret to select from. Must
+                            be a valid secret key.
+                          type: string
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                    url:
+                      description: URL is the base URL for Venafi Cloud
+                      type: string
+                tpp:
+                  description: TPP specifies Trust Protection Platform configuration
+                    settings. Only one of TPP or Cloud may be specified.
                   type: object
+                  required:
+                  - credentialsRef
+                  - url
                   properties:
-                    lastRegisteredEmail:
-                      description: LastRegisteredEmail is the email associated with the
-                        latest registered ACME account, in order to track changes made
-                        to registered account associated with the  Issuer
+                    caBundle:
+                      description: CABundle is a PEM encoded TLS certificate to use
+                        to verify connections to the TPP instance. If specified, system
+                        roots will not be used and the issuing CA for the TPP instance
+                        must be verifiable using the provided root. If not specified,
+                        the connection will be verified using the cert-manager system
+                        root certificates.
                       type: string
-                    uri:
-                      description: URI is the unique account identifier, which can also
-                        be used to retrieve account details from the CA
+                      format: byte
+                    credentialsRef:
+                      description: CredentialsRef is a reference to a Secret containing
+                        the username and password for the TPP server. The secret must
+                        contain two keys, 'username' and 'password'.
+                      type: object
+                      required:
+                      - name
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                    url:
+                      description: URL is the base URL for the Venafi TPP instance
                       type: string
-                conditions:
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an
-                      Issuer.
-                    type: object
-                    required:
-                    - status
-                    - type
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding
-                          to the last status change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: Message is a human readable description of the details
-                          of the last transition, complementing reason.
-                        type: string
-                      reason:
-                        description: Reason is a brief machine readable explanation for
-                          the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of ('True', 'False',
-                          'Unknown').
-                        type: string
-                        enum:
-                        - "True"
-                        - "False"
-                        - Unknown
-                      type:
-                        description: Type of the condition, currently ('Ready').
-                        type: string
\ No newline at end of file
+                zone:
+                  description: Zone is the Venafi Policy Zone to use for this issuer.
+                    All requests made to the Venafi platform will be restricted by
+                    the named zone policy. This field is required.
+                  type: string
+        status:
+          description: IssuerStatus contains status information about an Issuer
+          type: object
+          properties:
+            acme:
+              type: object
+              properties:
+                lastRegisteredEmail:
+                  description: LastRegisteredEmail is the email associated with the
+                    latest registered ACME account, in order to track changes made
+                    to registered account associated with the  Issuer
+                  type: string
+                uri:
+                  description: URI is the unique account identifier, which can also
+                    be used to retrieve account details from the CA
+                  type: string
+            conditions:
+              type: array
+              items:
+                description: IssuerCondition contains condition information for an
+                  Issuer.
+                type: object
+                required:
+                - status
+                - type
+                properties:
+                  lastTransitionTime:
+                    description: LastTransitionTime is the timestamp corresponding
+                      to the last status change of this condition.
+                    type: string
+                    format: date-time
+                  message:
+                    description: Message is a human readable description of the details
+                      of the last transition, complementing reason.
+                    type: string
+                  reason:
+                    description: Reason is a brief machine readable explanation for
+                      the condition's last transition.
+                    type: string
+                  status:
+                    description: Status of the condition, one of ('True', 'False',
+                      'Unknown').
+                    type: string
+                    enum:
+                    - "True"
+                    - "False"
+                    - Unknown
+                  type:
+                    description: Type of the condition, currently ('Ready').
+                    type: string
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c0dc137ac5c52c774d7a75acb81c57255d80997b
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-order.yml.j2
@@ -0,0 +1,253 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: orders.acme.cert-manager.io
+  annotations:
+    cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.state
+    name: State
+    type: string
+  - JSONPath: .spec.issuerRef.name
+    name: Issuer
+    priority: 1
+    type: string
+  - JSONPath: .status.reason
+    name: Reason
+    priority: 1
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: CreationTimestamp is a timestamp representing the server time when
+      this object was created. It is not guaranteed to be set in happens-before order
+      across separate operations. Clients may not set this value. It is represented
+      in RFC3339 form and is in UTC.
+    name: Age
+    type: date
+  group: acme.cert-manager.io
+  preserveUnknownFields: false
+  conversion:
+    # a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
+    strategy: Webhook
+    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
+    webhookClientConfig:
+      service:
+        namespace: '{{ cert_manager_namespace }}'
+        name: 'cert-manager-webhook'
+        path: /convert
+  names:
+    kind: Order
+    listKind: OrderList
+    plural: orders
+    singular: order
+  scope: Namespaced
+  subresources:
+    status: {}
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+  - name: v1alpha3
+    served: true
+    storage: false
+  "validation":
+    "openAPIV3Schema":
+      description: Order is a type to represent an Order with an ACME server
+      type: object
+      required:
+      - metadata
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          type: object
+          required:
+          - csr
+          - issuerRef
+          properties:
+            commonName:
+              description: CommonName is the common name as specified on the DER encoded
+                CSR. If CommonName is not specified, the first DNSName specified will
+                be used as the CommonName. At least one of CommonName or a DNSNames
+                must be set. This field must match the corresponding field on the
+                DER encoded CSR.
+              type: string
+            csr:
+              description: Certificate signing request bytes in DER encoding. This
+                will be used when finalizing the order. This field must be set on
+                the order.
+              type: string
+              format: byte
+            dnsNames:
+              description: DNSNames is a list of DNS names that should be included
+                as part of the Order validation process. If CommonName is not specified,
+                the first DNSName specified will be used as the CommonName. At least
+                one of CommonName or a DNSNames must be set. This field must match
+                the corresponding field on the DER encoded CSR.
+              type: array
+              items:
+                type: string
+            issuerRef:
+              description: IssuerRef references a properly configured ACME-type Issuer
+                which should be used to create this Order. If the Issuer does not
+                exist, processing will be retried. If the Issuer is not an 'ACME'
+                Issuer, an error will be returned and the Order will be marked as
+                failed.
+              type: object
+              required:
+              - name
+              properties:
+                group:
+                  type: string
+                kind:
+                  type: string
+                name:
+                  type: string
+        status:
+          type: object
+          properties:
+            authorizations:
+              description: Authorizations contains data returned from the ACME server
+                on what authorizations must be completed in order to validate the
+                DNS names specified on the Order.
+              type: array
+              items:
+                description: ACMEAuthorization contains data returned from the ACME
+                  server on an authorization that must be completed in order validate
+                  a DNS name on an ACME Order resource.
+                type: object
+                required:
+                - url
+                properties:
+                  challenges:
+                    description: Challenges specifies the challenge types offered
+                      by the ACME server. One of these challenge types will be selected
+                      when validating the DNS name and an appropriate Challenge resource
+                      will be created to perform the ACME challenge process.
+                    type: array
+                    items:
+                      description: Challenge specifies a challenge offered by the
+                        ACME server for an Order. An appropriate Challenge resource
+                        can be created to perform the ACME challenge process.
+                      type: object
+                      required:
+                      - token
+                      - type
+                      - url
+                      properties:
+                        token:
+                          description: Token is the token that must be presented for
+                            this challenge. This is used to compute the 'key' that
+                            must also be presented.
+                          type: string
+                        type:
+                          description: Type is the type of challenge being offered,
+                            e.g. http-01, dns-01
+                          type: string
+                        url:
+                          description: URL is the URL of this challenge. It can be
+                            used to retrieve additional metadata about the Challenge
+                            from the ACME server.
+                          type: string
+                  identifier:
+                    description: Identifier is the DNS name to be validated as part
+                      of this authorization
+                    type: string
+                  initialState:
+                    description: InitialState is the initial state of the ACME authorization
+                      when first fetched from the ACME server. If an Authorization
+                      is already 'valid', the Order controller will not create a Challenge
+                      resource for the authorization. This will occur when working
+                      with an ACME server that enables 'authz reuse' (such as Let's
+                      Encrypt's production endpoint). If not set and 'identifier'
+                      is set, the state is assumed to be pending and a Challenge will
+                      be created.
+                    type: string
+                    enum:
+                    - valid
+                    - ready
+                    - pending
+                    - processing
+                    - invalid
+                    - expired
+                    - errored
+                  url:
+                    description: URL is the URL of the Authorization that must be
+                      completed
+                    type: string
+                  wildcard:
+                    description: Wildcard will be true if this authorization is for
+                      a wildcard DNS name. If this is true, the identifier will be
+                      the *non-wildcard* version of the DNS name. For example, if
+                      '*.example.com' is the DNS name being validated, this field
+                      will be 'true' and the 'identifier' field will be 'example.com'.
+                    type: boolean
+            certificate:
+              description: Certificate is a copy of the PEM encoded certificate for
+                this Order. This field will be populated after the order has been
+                successfully finalized with the ACME server, and the order has transitioned
+                to the 'valid' state.
+              type: string
+              format: byte
+            failureTime:
+              description: FailureTime stores the time that this order failed. This
+                is used to influence garbage collection and back-off.
+              type: string
+              format: date-time
+            finalizeURL:
+              description: FinalizeURL of the Order. This is used to obtain certificates
+                for this order once it has been completed.
+              type: string
+            reason:
+              description: Reason optionally provides more information about a why
+                the order is in the current state.
+              type: string
+            state:
+              description: State contains the current state of this Order resource.
+                States 'success' and 'expired' are 'final'
+              type: string
+              enum:
+              - valid
+              - ready
+              - pending
+              - processing
+              - invalid
+              - expired
+              - errored
+            url:
+              description: URL of the Order. This will initially be empty when the
+                resource is first created. The Order controller will populate this
+                field when the Order is first processed. This field will be immutable
+                after it is initially set.
+              type: string
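Review bot: The `cert-manager.io/inject-ca-from-secret` annotation near the top of this new template hard-codes the `cert-manager` namespace, while `webhookClientConfig.service.namespace` a few lines further down is templated from `cert_manager_namespace`. The webhook Deployment in deploy-cert-manager.yml.j2 also creates its CA secret in `{{ cert_manager_namespace }}`. With any other namespace value the cainjector would presumably look up the secret in the wrong place, so no CA bundle would be injected and the API server could not verify the conversion webhook's certificate. Template the annotation as well: `cert-manager.io/inject-ca-from-secret: '{{ cert_manager_namespace }}/cert-manager-webhook-ca'`.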
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
index 383dab5d3b76398cf09cc720767d7b7873705171..fcf1890fbccc1f1636d6cf9ffbd0ba977f45f11c 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/deploy-cert-manager.yml.j2
@@ -1,3 +1,62 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cainjector
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: cainjector
+  template:
+    metadata:
+      labels:
+        app: cainjector
+        app.kubernetes.io/name: cainjector
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: cainjector
+        helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    spec:
+      serviceAccountName: cert-manager-cainjector
+      containers:
+        - name: cert-manager
+          image: "{{ cert_manager_cainjector_image_repo }}:{{ cert_manager_cainjector_image_tag }}"
+          imagePullPolicy: {{ k8s_image_pull_policy }}
+          args:
+          - --v=2
+          - --leader-election-namespace=kube-system
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          resources:
+            {}
 ---
 apiVersion: apps/v1
 kind: Deployment
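Review bot: The cainjector container is declared with `resources: {}` and no `securityContext`, and the controller and webhook containers in the next hunk of this file are written the same way. The previous controller manifest set `runAsUser: {{ cert_manager_user }}` plus requests of `cpu: 10m` / `memory: 32Mi`, so this is a regression in hardening rather than a new default. These pods handle CA and certificate material, so each container should keep an explicit unprivileged context, for example `securityContext:` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, once confirmed that the v0.15.2 images start under it. Restoring small resource requests would also keep the pods out of the BestEffort QoS class, which is evicted first under node pressure.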
@@ -6,39 +65,113 @@ metadata:
   namespace: {{ cert_manager_namespace }}
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: cert-manager
-      release: cert-manager
+      app.kubernetes.io/name: cert-manager
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
   template:
     metadata:
       labels:
         app: cert-manager
-        release: cert-manager
+        app.kubernetes.io/name: cert-manager
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/managed-by: Helm
+        helm.sh/chart: cert-manager-{{ cert_manager_version }}
       annotations:
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
     spec:
-      priorityClassName: {% if cert_manager_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
       serviceAccountName: cert-manager
       containers:
         - name: cert-manager
-          image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}
+          image: "{{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}"
+          imagePullPolicy: {{ k8s_image_pull_policy }}
+          args:
+          - --v=2
+          - --cluster-resource-namespace=$(POD_NAMESPACE)
+          - --leader-election-namespace=kube-system
+          ports:
+          - containerPort: 9402
+            protocol: TCP
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          resources:
+            {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: webhook
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: webhook
+  template:
+    metadata:
+      labels:
+        app: webhook
+        app.kubernetes.io/name: webhook
+        app.kubernetes.io/instance: cert-manager
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: webhook
+        helm.sh/chart: cert-manager-{{ cert_manager_version }}
+    spec:
+      serviceAccountName: cert-manager-webhook
+      containers:
+        - name: cert-manager
+          image: "{{ cert_manager_webhook_image_repo }}:{{ cert_manager_webhook_image_tag }}"
           imagePullPolicy: {{ k8s_image_pull_policy }}
           args:
-            - --cluster-resource-namespace=$(POD_NAMESPACE)
-            - --leader-election-namespace=$(POD_NAMESPACE)
+          - --v=2
+          - --secure-port=10250
+          - --dynamic-serving-ca-secret-namespace={{ cert_manager_namespace }}
+          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
+          - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
+          ports:
+          - name: https
+            containerPort: 10250
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 6080
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 6080
+              scheme: HTTP
+            initialDelaySeconds: 5
+            periodSeconds: 5
           env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
           resources:
-            requests:
-              cpu: 10m
-              memory: 32Mi
-          securityContext:
-            runAsUser: {{ cert_manager_user }}
+            {}
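Review bot: The webhook's `--dynamic-serving-dns-names` argument hard-codes the `cert-manager` namespace in `cert-manager-webhook.cert-manager` and `cert-manager-webhook.cert-manager.svc`, although the Deployment's `namespace` and `--dynamic-serving-ca-secret-namespace` are both templated from `cert_manager_namespace`. If that variable is set to anything else, the serving certificate would carry no SAN for the Service name the API server actually dials, and TLS verification of the admission and conversion webhook should fail. Build the names from the variable instead: `- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.{{ cert_manager_namespace }},cert-manager-webhook.{{ cert_manager_namespace }}.svc`.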
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..0c9208c83b39383096fe2bfa47f8a8fa0d1cb08c
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/role-cert-manager.yml.j2
@@ -0,0 +1,85 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  # Used for leader election by the controller
+  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
+  #   see cmd/cainjector/start.go#L113
+  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
+  #   see cmd/cainjector/start.go#L137
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
+    verbs: ["get", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: cert-manager:leaderelection
+  namespace: kube-system
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+  # Used for leader election by the controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["cert-manager-controller"]
+    verbs: ["get", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: cert-manager-webhook:dynamic-serving
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames:
+  - 'cert-manager-webhook-ca'
+  verbs: ["get", "list", "watch", "update"]
+# It's not possible to grant CREATE permission on a single resourceName.
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
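Review bot: All three Roles in this file use `apiVersion: rbac.authorization.k8s.io/v1beta1`, which is deprecated and was removed in Kubernetes 1.22. `rbac.authorization.k8s.io/v1` has been available since 1.8 and accepts the same fields. Change the line to `apiVersion: rbac.authorization.k8s.io/v1` in each document; the three RoleBindings in rolebinding-cert-manager.yml.j2 have the same issue. Separately, the `cert-manager-webhook:dynamic-serving` Role writes its rules flush (`- apiGroups`) while the other two indent them, so pick one sequence style for the file.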
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..cffb819039f7747b7d47b76a25f5952eb3ebd6bd
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/rolebinding-cert-manager.yml.j2
@@ -0,0 +1,79 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: cert-manager-cainjector:leaderelection
+  namespace: kube-system
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-cainjector:leaderelection
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-cainjector
+    namespace: {{ cert_manager_namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: cert-manager:leaderelection
+  namespace: kube-system
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager:leaderelection
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager
+    namespace: {{ cert_manager_namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook:dynamic-serving
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook:dynamic-serving
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
index 6380634a777426a9401859ced94c2d7f5367e410..126aa49b1c031f6781ca6096ddaf8cff218bb85a 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/sa-cert-manager.yml.j2
@@ -1,3 +1,30 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-cainjector
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: cainjector
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -6,6 +33,21 @@ metadata:
   namespace: {{ cert_manager_namespace }}
   labels:
     app: cert-manager
-    chart: cert-manager-v0.5.2
-    release: cert-manager
-    heritage: Tiller
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c9785f43ebb78bf9ce2d83d1e0100eb168583e3a
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/secret-cert-manager.yml.j2
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-key-pair
+  namespace: {{ cert_manager_namespace }}
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvRENDQW9pZ0F3SUJBZ0lVYXRUWVNIK1lUMVJvbXVGekF2clFRWGtsQ0Vrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTVJNd0VRWURWUVFECkV3cExkV0psY201bGRHVnpNQjRYRFRJd01EY3hNREUxTWpFd01Gb1hEVEkxTURjd09URTFNakV3TUZvd2FERUwKTUFrR0ExVUVCaE1DVlZNeER6QU5CZ05WQkFnVEJrOXlaV2R2YmpFUk1BOEdBMVVFQnhNSVVHOXlkR3hoYm1ReApFekFSQmdOVkJBb1RDa3QxWW1WeWJtVjBaWE14Q3pBSkJnTlZCQXNUQWtOQk1STXdFUVlEVlFRREV3cExkV0psCmNtNWxkR1Z6TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0MmZFNUhRSm8vNGIKRjNqN1JPZzJ6REhNdEhLd0pjVEZZYkZZMGpIWGZTVWJTS1ZObzUrNTNqQ29SdFFWd1FyYU12QnozMGRJbzd6agpMcE1VQU5aRStacXQrbkk5RWtzMVphS1NKNmYvNXpmZDEzZ1ZOTkgzN05KVUVKV0NHTnVoUmVFNDRpcUtmSDV3Ck9iZlJKL2ZCYVQ5cW9DQW9tWVcvV1JUS0t5ancreFBPeWdZZERsUk9jdzBSRmdieDkvWk5GS1lYR3BQcmdyR0wKWW45VWZXZG92WHozbys3N1piNm9SRWdBVkNDUTBaN0VEYUpjd3RCZkxOV0pWbGRET2dJNFpmWDBaNnNBN2lobgptQ1hHenJGd25JaVhaajUrdjk0ejF0SThOazlvL1RFbG9EdlJnamJNblRxQ2hGa1ZROHhtaXMwckZmMVprN3ZwCjNOMWFtY2hBQVFJREFRQUJvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIKL3pBZEJnTlZIUTRFRmdRVTFEaTE0aVpKWGczajNObHdjenZFR1dwRFN2SXdEUVlKS29aSWh2Y05BUUVMQlFBRApnZ0VCQURkR1FDSFcwNkFVZUo4alM3cURPM2F1TG4xTHE0c1JCWHBoVUZ6TGRyMi9rUUlZd1BtcTRmb09RMjBwCitLTVUyanpmR0VHd3ZOU0p2QnphNHRGS1NiZHRpeFI3RmsyREdPLzc5a3ZPZ2o3UVRrUUpkUzNwaWtSc09EMlUKaytpa09qL2wyTkRSRFVXZlh4RjRjeVZTZ0VubDExUUVDa0JrUHBIYlIrUHQxYWhnMGVRMElnL0MvZC8vN2Vtegp3ZWNUZjBsQkc1UmszaURHdkxhaHdTek9jQWhSY1BxVW9idCs1bTVycmp0R3BrTFNQOTBzVko2TTZ3ZE43dGR4CkNpTktWWGRZaHBZWmUrQ1hEQ2lRR0NLVHE5NHJPbGptVmh5Z0FKWjlBOERVOWVZRmVOci9oOW84c2JYNFlzcU0KV3YwREkyQldlQ3k3MmlXZXErNHkwTENKSzQ4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: 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
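Review bot: The `ca-key-pair` Secret ships a literal CA certificate in `tls.crt`, and `tls.key` looks to be a literal as well (its value is elided in this view), so every cluster rendered from this template would share one CA whose private key is readable by anyone with access to the repository. Anything that trusts certificates chained to this CA can then no longer rely on them, because the signing key is not confined to the cluster. Generate the pair per cluster at deploy time, or take it from inventory or vault variables, e.g. `tls.crt: "{{ <ca_cert_variable> | b64encode }}"` and `tls.key: "{{ <ca_key_variable> | b64encode }}"` (placeholder variable names), and treat the key committed here as compromised. Adding `type: kubernetes.io/tls` would also make the API server check that both keys are present.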
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..0ee3ff35245c5d3f0a8d374324b3ead32c63b6ba
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/svc-cert-manager.yml.j2
@@ -0,0 +1,60 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      port: 9402
+      targetPort: 9402
+  selector:
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: controller
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-webhook
+  namespace: {{ cert_manager_namespace }}
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: https
+    port: 443
+    targetPort: 10250
+  selector:
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: webhook
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..843ac320a9badeca90cf1e3a43750ebb8ae0ebcb
--- /dev/null
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/webhook-cert-manager.yml.j2
@@ -0,0 +1,96 @@
+# Copyright YEAR The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: cert-manager-webhook
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+  annotations:
+    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+webhooks:
+  - name: webhook.cert-manager.io
+    rules:
+      - apiGroups:
+          - "cert-manager.io"
+          - "acme.cert-manager.io"
+        apiVersions:
+          - v1alpha2
+          - v1alpha3
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - "*/*"
+    failurePolicy: Fail
+    # Only include 'sideEffects' field in Kubernetes 1.12+
+    sideEffects: None
+    clientConfig:
+      service:
+        name: cert-manager-webhook
+        namespace: {{ cert_manager_namespace }}
+        path: /mutate
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: cert-manager-webhook
+  labels:
+    app: webhook
+    app.kubernetes.io/name: webhook
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: webhook
+    helm.sh/chart: cert-manager-{{ cert_manager_version }}
+  annotations:
+    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+webhooks:
+  - name: webhook.cert-manager.io
+    namespaceSelector:
+      matchExpressions:
+      - key: "cert-manager.io/disable-validation"
+        operator: "NotIn"
+        values:
+        - "true"
+      - key: "name"
+        operator: "NotIn"
+        values:
+        - cert-manager
+    rules:
+      - apiGroups:
+          - "cert-manager.io"
+          - "acme.cert-manager.io"
+        apiVersions:
+          - v1alpha2
+          - v1alpha3
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - "*/*"
+    failurePolicy: Fail
+    # Only include 'sideEffects' field in Kubernetes 1.12+
+    sideEffects: None
+    clientConfig:
+      service:
+        name: cert-manager-webhook
+        namespace: {{ cert_manager_namespace }}
+        path: /validate
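Review bot: The `cert-manager.io/inject-ca-from-secret` annotation on both webhook configurations hard-codes the `cert-manager` namespace, while `clientConfig.service.namespace` in the same objects uses `{{ cert_manager_namespace }}`. If that variable is set to anything else, cainjector would presumably look for the CA secret in the wrong namespace and `caBundle` would stay empty. With `failurePolicy: Fail`, every CREATE/UPDATE of cert-manager resources would then be rejected. Use `cert-manager.io/inject-ca-from-secret: "{{ cert_manager_namespace }}/cert-manager-webhook-ca"` in both places. The `cert-manager` value in the `namespaceSelector` and the `--dynamic-serving-dns-names` argument earlier in this diff carry the same literal and should be checked too.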