kubespray/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-challenge.yml.j2

1467 lines
94 KiB
Plaintext
Raw Normal View History

# Copyright YEAR The Jetstack cert-manager contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: challenges.acme.cert-manager.io
annotations:
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/managed-by: Helm
helm.sh/chart: cert-manager-{{ cert_manager_version }}
spec:
additionalPrinterColumns:
- JSONPath: .status.state
name: State
type: string
- JSONPath: .spec.dnsName
name: Domain
type: string
- JSONPath: .status.reason
name: Reason
priority: 1
type: string
- JSONPath: .metadata.creationTimestamp
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: acme.cert-manager.io
preserveUnknownFields: false
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: '{{ cert_manager_namespace }}'
name: 'cert-manager-webhook'
path: /convert
names:
kind: Challenge
listKind: ChallengeList
plural: challenges
singular: challenge
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
- name: v1alpha3
served: true
storage: false
"validation":
"openAPIV3Schema":
description: Challenge is a type to represent a Challenge request with an ACME
server
type: object
required:
- metadata
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
required:
- authzURL
- dnsName
- issuerRef
- key
- solver
- token
- type
- url
properties:
authzURL:
description: AuthzURL is the URL to the ACME Authorization resource
that this challenge is a part of.
type: string
dnsName:
description: DNSName is the identifier that this challenge is for, e.g.
example.com. If the requested DNSName is a 'wildcard', this field
MUST be set to the non-wildcard domain, e.g. for `*.example.com`,
it must be `example.com`.
type: string
issuerRef:
description: IssuerRef references a properly configured ACME-type Issuer
which should be used to create this Challenge. If the Issuer does
not exist, processing will be retried. If the Issuer is not an 'ACME'
Issuer, an error will be returned and the Challenge will be marked
as failed.
type: object
required:
- name
properties:
group:
type: string
kind:
type: string
name:
type: string
key:
description: 'Key is the ACME challenge key for this challenge For HTTP01
challenges, this is the value that must be responded with to complete
the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key
from acme server for challenge>`. For DNS01 challenges, this is the
base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key
from acme server for challenge>` text that must be set as the TXT
record content.'
type: string
solver:
description: Solver contains the domain solving configuration that should
be used to solve this challenge resource.
type: object
properties:
dns01:
type: object
properties:
acmedns:
description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing
the configuration for ACME-DNS servers
type: object
required:
- accountSecretRef
- host
properties:
accountSecretRef:
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
host:
type: string
akamai:
description: ACMEIssuerDNS01ProviderAkamai is a structure containing
the DNS configuration for Akamai DNS—Zone Record Management
API
type: object
required:
- accessTokenSecretRef
- clientSecretSecretRef
- clientTokenSecretRef
- serviceConsumerDomain
properties:
accessTokenSecretRef:
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
clientSecretSecretRef:
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
clientTokenSecretRef:
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
serviceConsumerDomain:
type: string
azuredns:
description: ACMEIssuerDNS01ProviderAzureDNS is a structure
containing the configuration for Azure DNS
type: object
required:
- resourceGroupName
- subscriptionID
properties:
clientID:
description: if both this and ClientSecret are left unset
MSI will be used
type: string
clientSecretSecretRef:
description: if both this and ClientID are left unset MSI
will be used
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
environment:
type: string
enum:
- AzurePublicCloud
- AzureChinaCloud
- AzureGermanCloud
- AzureUSGovernmentCloud
hostedZoneName:
type: string
resourceGroupName:
type: string
subscriptionID:
type: string
tenantID:
description: when specifying ClientID and ClientSecret then
this field is also needed
type: string
clouddns:
description: ACMEIssuerDNS01ProviderCloudDNS is a structure
containing the DNS configuration for Google Cloud DNS
type: object
required:
- project
properties:
project:
type: string
serviceAccountSecretRef:
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
cloudflare:
description: ACMEIssuerDNS01ProviderCloudflare is a structure
containing the DNS configuration for Cloudflare
type: object
required:
- email
properties:
apiKeySecretRef:
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
apiTokenSecretRef:
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
email:
type: string
cnameStrategy:
description: CNAMEStrategy configures how the DNS01 provider
should handle CNAME records when found in DNS zones.
type: string
enum:
- None
- Follow
digitalocean:
description: ACMEIssuerDNS01ProviderDigitalOcean is a structure
containing the DNS configuration for DigitalOcean Domains
type: object
required:
- tokenSecretRef
properties:
tokenSecretRef:
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
rfc2136:
description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing
the configuration for RFC2136 DNS
type: object
required:
- nameserver
properties:
nameserver:
description: The IP address or hostname of an authoritative
DNS server supporting RFC2136 in the form host:port. If
the host is an IPv6 address it must be enclosed in square
brackets (e.g [2001:db8::1]) ; port is optional. This
field is required.
type: string
tsigAlgorithm:
description: 'The TSIG Algorithm configured in the DNS supporting
RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName``
are defined. Supported values are (case-insensitive):
``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or
``HMACSHA512``.'
type: string
tsigKeyName:
description: The TSIG Key name configured in the DNS. If
``tsigSecretSecretRef`` is defined, this field is required.
type: string
tsigSecretSecretRef:
description: The name of the secret containing the TSIG
value. If ``tsigKeyName`` is defined, this field is required.
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
route53:
description: ACMEIssuerDNS01ProviderRoute53 is a structure containing
the Route 53 configuration for AWS
type: object
required:
- region
properties:
accessKeyID:
description: 'The AccessKeyID is used for authentication.
If not set we fall-back to using env vars, shared credentials
file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
type: string
hostedZoneID:
description: If set, the provider will manage only this
zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName
api call.
type: string
region:
description: Always set the region when using AccessKeyID
and SecretAccessKey
type: string
role:
description: Role is a Role ARN which the Route53 provider
will assume using either the explicit credentials AccessKeyID/SecretAccessKey
or the inferred credentials from environment variables,
shared credentials file or AWS Instance metadata
type: string
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication.
If not set we fall-back to using env vars, shared credentials
file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
type: object
required:
- name
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
webhook:
description: ACMEIssuerDNS01ProviderWebhook specifies configuration
for a webhook DNS01 provider, including where to POST ChallengePayload
resources.
type: object
required:
- groupName
- solverName
properties:
config:
description: Additional configuration that should be passed
to the webhook apiserver when challenges are processed.
This can contain arbitrary JSON data. Secret values should
not be specified in this stanza. If secret values are
needed (e.g. credentials for a DNS service), you should
use a SecretKeySelector to reference a Secret resource.
For details on the schema of this field, consult the webhook
provider implementation's documentation.
x-kubernetes-preserve-unknown-fields: true
groupName:
description: The API group name that should be used when
POSTing ChallengePayload resources to the webhook apiserver.
This should be the same as the GroupName specified in
the webhook provider implementation.
type: string
solverName:
description: The name of the solver to use, as defined in
the webhook provider implementation. This will typically
be the name of the provider, e.g. 'cloudflare'.
type: string
http01:
description: ACMEChallengeSolverHTTP01 contains configuration detailing
how to solve HTTP01 challenges within a Kubernetes cluster. Typically
this is accomplished through creating 'routes' of some description
that configure ingress controllers to direct traffic to 'solver
pods', which are responsible for responding to the ACME server's
HTTP requests.
type: object
properties:
ingress:
description: The ingress based HTTP01 challenge solver will
solve challenges by creating or modifying Ingress resources
in order to route requests for '/.well-known/acme-challenge/XYZ'
to 'challenge solver' pods that are provisioned by cert-manager
for each Challenge to be completed.
type: object
properties:
class:
description: The ingress class to use when creating Ingress
resources to solve ACME challenges that use this challenge
solver. Only one of 'class' or 'name' may be specified.
type: string
ingressTemplate:
description: Optional ingress template used to configure
the ACME challenge solver ingress used for HTTP01 challenges
type: object
properties:
metadata:
description: ObjectMeta overrides for the ingress used
to solve HTTP01 challenges. Only the 'labels' and
'annotations' fields may be set. If labels or annotations
overlap with in-built values, the values here will
override the in-built values.
type: object
properties:
annotations:
description: Annotations that should be added to
the created ACME HTTP01 solver ingress.
type: object
additionalProperties:
type: string
labels:
description: Labels that should be added to the
created ACME HTTP01 solver ingress.
type: object
additionalProperties:
type: string
name:
description: The name of the ingress resource that should
have ACME challenge solving routes inserted into it in
order to solve HTTP01 challenges. This is typically used
in conjunction with ingress controllers like ingress-gce,
which maintains a 1:1 mapping between external IPs and
ingress resources.
type: string
podTemplate:
description: Optional pod template used to configure the
ACME challenge solver pods used for HTTP01 challenges
type: object
properties:
metadata:
description: ObjectMeta overrides for the pod used to
solve HTTP01 challenges. Only the 'labels' and 'annotations'
fields may be set. If labels or annotations overlap
with in-built values, the values here will override
the in-built values.
type: object
properties:
annotations:
description: Annotations that should be added to
the create ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
labels:
description: Labels that should be added to the
created ACME HTTP01 solver pods.
type: object
additionalProperties:
type: string
spec:
description: PodSpec defines overrides for the HTTP01
challenge solver pod. Only the 'nodeSelector', 'affinity'
and 'tolerations' fields are supported currently.
All other fields will be ignored.
type: object
properties:
affinity:
description: If specified, the pod's scheduling
constraints
type: object
properties:
nodeAffinity:
description: Describes node affinity scheduling
rules for the pod.
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to
schedule pods to nodes that satisfy the
affinity expressions specified by this
field, but it may choose a node that violates
one or more of the expressions. The node
that is most preferred is the one with
the greatest sum of weights, i.e. for
each node that meets all of the scheduling
requirements (resource request, requiredDuringScheduling
affinity expressions, etc.), compute a
sum by iterating through the elements
of this field and adding "weight" to the
sum if the node matches the corresponding
matchExpressions; the node(s) with the
highest sum are the most preferred.
type: array
items:
description: An empty preferred scheduling
term matches all objects with implicit
weight 0 (i.e. it's a no-op). A null
preferred scheduling term matches no
objects (i.e. is also a no-op).
type: object
required:
- preference
- weight
properties:
preference:
description: A node selector term,
associated with the corresponding
weight.
type: object
properties:
matchExpressions:
description: A list of node selector
requirements by node's labels.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key
that the selector applies
to.
type: string
operator:
description: Represents
a key's relationship to
a set of values. Valid
operators are In, NotIn,
Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array of
string values. If the
operator is In or NotIn,
the values array must
be non-empty. If the operator
is Exists or DoesNotExist,
the values array must
be empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will be
interpreted as an integer.
This array is replaced
during a strategic merge
patch.
type: array
items:
type: string
matchFields:
description: A list of node selector
requirements by node's fields.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key
that the selector applies
to.
type: string
operator:
description: Represents
a key's relationship to
a set of values. Valid
operators are In, NotIn,
Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array of
string values. If the
operator is In or NotIn,
the values array must
be non-empty. If the operator
is Exists or DoesNotExist,
the values array must
be empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will be
interpreted as an integer.
This array is replaced
during a strategic merge
patch.
type: array
items:
type: string
weight:
description: Weight associated with
matching the corresponding nodeSelectorTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met at
scheduling time, the pod will not be scheduled
onto the node. If the affinity requirements
specified by this field cease to be met
at some point during pod execution (e.g.
due to an update), the system may or may
not try to eventually evict the pod from
its node.
type: object
required:
- nodeSelectorTerms
properties:
nodeSelectorTerms:
description: Required. A list of node
selector terms. The terms are ORed.
type: array
items:
description: A null or empty node
selector term matches no objects.
The requirements of them are ANDed.
The TopologySelectorTerm type implements
a subset of the NodeSelectorTerm.
type: object
properties:
matchExpressions:
description: A list of node selector
requirements by node's labels.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key
that the selector applies
to.
type: string
operator:
description: Represents
a key's relationship to
a set of values. Valid
operators are In, NotIn,
Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array of
string values. If the
operator is In or NotIn,
the values array must
be non-empty. If the operator
is Exists or DoesNotExist,
the values array must
be empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will be
interpreted as an integer.
This array is replaced
during a strategic merge
patch.
type: array
items:
type: string
matchFields:
description: A list of node selector
requirements by node's fields.
type: array
items:
description: A node selector
requirement is a selector
that contains values, a key,
and an operator that relates
the key and values.
type: object
required:
- key
- operator
properties:
key:
description: The label key
that the selector applies
to.
type: string
operator:
description: Represents
a key's relationship to
a set of values. Valid
operators are In, NotIn,
Exists, DoesNotExist.
Gt, and Lt.
type: string
values:
description: An array of
string values. If the
operator is In or NotIn,
the values array must
be non-empty. If the operator
is Exists or DoesNotExist,
the values array must
be empty. If the operator
is Gt or Lt, the values
array must have a single
element, which will be
interpreted as an integer.
This array is replaced
during a strategic merge
patch.
type: array
items:
type: string
podAffinity:
description: Describes pod affinity scheduling
rules (e.g. co-locate this pod in the same
node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to
schedule pods to nodes that satisfy the
affinity expressions specified by this
field, but it may choose a node that violates
one or more of the expressions. The node
that is most preferred is the one with
the greatest sum of weights, i.e. for
each node that meets all of the scheduling
requirements (resource request, requiredDuringScheduling
affinity expressions, etc.), compute a
sum by iterating through the elements
of this field and adding "weight" to the
sum if the node has pods which matches
the corresponding podAffinityTerm; the
node(s) with the highest sum are the most
preferred.
type: array
items:
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity
term, associated with the corresponding
weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this
case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values,
a key, and an operator
that relates the key and
values.
type: object
required:
- key
- operator
properties:
key:
description: key is
the label key that
the selector applies
to.
type: string
operator:
description: operator
represents a key's
relationship to a
set of values. Valid
operators are In,
NotIn, Exists and
DoesNotExist.
type: string
values:
description: values
is an array of string
values. If the operator
is In or NotIn, the
values array must
be non-empty. If the
operator is Exists
or DoesNotExist, the
values array must
be empty. This array
is replaced during
a strategic merge
patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is
a map of {key,value} pairs.
A single {key,value} in
the matchLabels map is equivalent
to an element of matchExpressions,
whose key field is "key",
the operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be
co-located (affinity) or not
co-located (anti-affinity) with
the pods matching the labelSelector
in the specified namespaces,
where co-located is defined
as running on a node whose value
of the label with key topologyKey
matches that of any node on
which any of the selected pods
is running. Empty topologyKey
is not allowed.
type: string
weight:
description: weight associated with
matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements
specified by this field are not met at
scheduling time, the pod will not be scheduled
onto the node. If the affinity requirements
specified by this field cease to be met
at some point during pod execution (e.g.
due to a pod label update), the system
may or may not try to eventually evict
the pod from its node. When there are
multiple elements, the lists of nodes
corresponding to each podAffinityTerm
are intersected, i.e. all terms must be
satisfied.
type: array
items:
description: Defines a set of pods (namely
those matching the labelSelector relative
to the given namespace(s)) that this
pod should be co-located (affinity)
or not co-located (anti-affinity) with,
where co-located is defined as running
on a node whose value of the label with
key <topologyKey> matches that of any
node on which a pod of the set of pods
is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a
set of resources, in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values, a key,
and an operator that relates
the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the
label key that the selector
applies to.
type: string
operator:
description: operator represents
a key's relationship to
a set of values. Valid
operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an
array of string values.
If the operator is In
or NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the values
array must be empty. This
array is replaced during
a strategic merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a
map of {key,value} pairs. A
single {key,value} in the matchLabels
map is equivalent to an element
of matchExpressions, whose key
field is "key", the operator
is "In", and the values array
contains only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against); null
or empty list means "this pod's
namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located
(affinity) or not co-located (anti-affinity)
with the pods matching the labelSelector
in the specified namespaces, where
co-located is defined as running
on a node whose value of the label
with key topologyKey matches that
of any node on which any of the
selected pods is running. Empty
topologyKey is not allowed.
type: string
podAntiAffinity:
description: Describes pod anti-affinity scheduling
rules (e.g. avoid putting this pod in the
same node, zone, etc. as some other pod(s)).
type: object
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to
schedule pods to nodes that satisfy the
anti-affinity expressions specified by
this field, but it may choose a node that
violates one or more of the expressions.
The node that is most preferred is the
one with the greatest sum of weights,
i.e. for each node that meets all of the
scheduling requirements (resource request,
requiredDuringScheduling anti-affinity
expressions, etc.), compute a sum by iterating
through the elements of this field and
adding "weight" to the sum if the node
has pods which matches the corresponding
podAffinityTerm; the node(s) with the
highest sum are the most preferred.
type: array
items:
description: The weights of all of the
matched WeightedPodAffinityTerm fields
are added per-node to find the most
preferred node(s)
type: object
required:
- podAffinityTerm
- weight
properties:
podAffinityTerm:
description: Required. A pod affinity
term, associated with the corresponding
weight.
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over
a set of resources, in this
case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values,
a key, and an operator
that relates the key and
values.
type: object
required:
- key
- operator
properties:
key:
description: key is
the label key that
the selector applies
to.
type: string
operator:
description: operator
represents a key's
relationship to a
set of values. Valid
operators are In,
NotIn, Exists and
DoesNotExist.
type: string
values:
description: values
is an array of string
values. If the operator
is In or NotIn, the
values array must
be non-empty. If the
operator is Exists
or DoesNotExist, the
values array must
be empty. This array
is replaced during
a strategic merge
patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is
a map of {key,value} pairs.
A single {key,value} in
the matchLabels map is equivalent
to an element of matchExpressions,
whose key field is "key",
the operator is "In", and
the values array contains
only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against);
null or empty list means "this
pod's namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be
co-located (affinity) or not
co-located (anti-affinity) with
the pods matching the labelSelector
in the specified namespaces,
where co-located is defined
as running on a node whose value
of the label with key topologyKey
matches that of any node on
which any of the selected pods
is running. Empty topologyKey
is not allowed.
type: string
weight:
description: weight associated with
matching the corresponding podAffinityTerm,
in the range 1-100.
type: integer
format: int32
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements
specified by this field are not met at
scheduling time, the pod will not be scheduled
onto the node. If the anti-affinity requirements
specified by this field cease to be met
at some point during pod execution (e.g.
due to a pod label update), the system
may or may not try to eventually evict
the pod from its node. When there are
multiple elements, the lists of nodes
corresponding to each podAffinityTerm
are intersected, i.e. all terms must be
satisfied.
type: array
items:
description: Defines a set of pods (namely
those matching the labelSelector relative
to the given namespace(s)) that this
pod should be co-located (affinity)
or not co-located (anti-affinity) with,
where co-located is defined as running
on a node whose value of the label with
key <topologyKey> matches that of any
node on which a pod of the set of pods
is running
type: object
required:
- topologyKey
properties:
labelSelector:
description: A label query over a
set of resources, in this case pods.
type: object
properties:
matchExpressions:
description: matchExpressions
is a list of label selector
requirements. The requirements
are ANDed.
type: array
items:
description: A label selector
requirement is a selector
that contains values, a key,
and an operator that relates
the key and values.
type: object
required:
- key
- operator
properties:
key:
description: key is the
label key that the selector
applies to.
type: string
operator:
description: operator represents
a key's relationship to
a set of values. Valid
operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an
array of string values.
If the operator is In
or NotIn, the values array
must be non-empty. If
the operator is Exists
or DoesNotExist, the values
array must be empty. This
array is replaced during
a strategic merge patch.
type: array
items:
type: string
matchLabels:
description: matchLabels is a
map of {key,value} pairs. A
single {key,value} in the matchLabels
map is equivalent to an element
of matchExpressions, whose key
field is "key", the operator
is "In", and the values array
contains only "value". The requirements
are ANDed.
type: object
additionalProperties:
type: string
namespaces:
description: namespaces specifies
which namespaces the labelSelector
applies to (matches against); null
or empty list means "this pod's
namespace"
type: array
items:
type: string
topologyKey:
description: This pod should be co-located
(affinity) or not co-located (anti-affinity)
with the pods matching the labelSelector
in the specified namespaces, where
co-located is defined as running
on a node whose value of the label
with key topologyKey matches that
of any node on which any of the
selected pods is running. Empty
topologyKey is not allowed.
type: string
nodeSelector:
description: 'NodeSelector is a selector which must
be true for the pod to fit on a node. Selector
which must match a node''s labels for the pod
to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
type: object
additionalProperties:
type: string
tolerations:
description: If specified, the pod's tolerations.
type: array
items:
description: The pod this Toleration is attached
to tolerates any taint that matches the triple
<key,value,effect> using the matching operator
<operator>.
type: object
properties:
effect:
description: Effect indicates the taint effect
to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule,
PreferNoSchedule and NoExecute.
type: string
key:
description: Key is the taint key that the
toleration applies to. Empty means match
all taint keys. If the key is empty, operator
must be Exists; this combination means to
match all values and all keys.
type: string
operator:
description: Operator represents a key's relationship
to the value. Valid operators are Exists
and Equal. Defaults to Equal. Exists is
equivalent to wildcard for value, so that
a pod can tolerate all taints of a particular
category.
type: string
tolerationSeconds:
description: TolerationSeconds represents
the period of time the toleration (which
must be of effect NoExecute, otherwise this
field is ignored) tolerates the taint. By
default, it is not set, which means tolerate
the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict
immediately) by the system.
type: integer
format: int64
value:
description: Value is the taint value the
toleration matches to. If the operator is
Exists, the value should be empty, otherwise
just a regular string.
type: string
serviceType:
description: Optional service type for Kubernetes solver
service
type: string
selector:
description: Selector selects a set of DNSNames on the Certificate
resource that should be solved using this challenge solver.
type: object
properties:
dnsNames:
description: List of DNSNames that this solver will be used
to solve. If specified and a match is found, a dnsNames selector
will take precedence over a dnsZones selector. If multiple
solvers match with the same dnsNames value, the solver with
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier in
the list will be selected.
type: array
items:
type: string
dnsZones:
description: List of DNSZones that this solver will be used
to solve. The most specific DNS zone match specified here
will take precedence over other DNS zone matches, so a solver
specifying sys.example.com will be selected over one specifying
example.com for the domain www.sys.example.com. If multiple
solvers match with the same dnsZones value, the solver with
the most matching labels in matchLabels will be selected.
If neither has more matches, the solver defined earlier in
the list will be selected.
type: array
items:
type: string
matchLabels:
description: A label selector that is used to refine the set
of certificate's that this challenge solver will apply to.
type: object
additionalProperties:
type: string
token:
description: Token is the ACME challenge token for this challenge. This
is the raw value returned from the ACME server.
type: string
type:
description: Type is the type of ACME challenge this resource represents,
e.g. "dns01" or "http01".
type: string
url:
description: URL is the URL of the ACME Challenge resource for this
challenge. This can be used to lookup details about the status of
this challenge.
type: string
wildcard:
description: Wildcard will be true if this challenge is for a wildcard
identifier, for example '*.example.com'.
type: boolean
status:
type: object
properties:
presented:
description: Presented will be set to true if the challenge values for
this challenge are currently 'presented'. This *does not* imply the
self check is passing. Only that the values have been 'submitted'
for the appropriate challenge mechanism (i.e. the DNS01 TXT record
has been presented, or the HTTP01 configuration has been configured).
type: boolean
processing:
description: Processing is used to denote whether this challenge should
be processed or not. This field will only be set to true by the 'scheduling'
component. It will only be set to false by the 'challenges' controller,
after the challenge has reached a final state or timed out. If this
field is set to false, the challenge controller will not take any
more action.
type: boolean
reason:
description: Reason contains human readable information on why the Challenge
is in the current state.
type: string
state:
description: State contains the current 'state' of the challenge. If
not set, the state of the challenge is unknown.
type: string
enum:
- valid
- ready
- pending
- processing
- invalid
- expired
- errored