diff --git a/Makefile b/Makefile
index d7a560671c0..c85256b1d21 100644
--- a/Makefile
+++ b/Makefile
@@ -532,10 +532,10 @@ update-examples:
update-examples:
$(call update-scylla-helm-versions,./examples/helm/values.cluster.yaml)
$(call update-scylla-manager-helm-versions,./examples/helm/values.manager.yaml)
- $(call replace-scyllacluster-versions,./examples/eks/cluster.yaml,1)
- $(call replace-scyllacluster-versions,./examples/generic/cluster.yaml,1)
- $(call replace-scyllacluster-versions,./examples/gke/cluster.yaml,1)
- $(call replace-scyllacluster-versions,./examples/gke/cluster.yaml,1)
+ $(call replace-scyllacluster-versions,./examples/eks/scyllacluster.yaml,1)
+ $(call replace-scyllacluster-versions,./examples/generic/scyllacluster.yaml,1)
+ $(call replace-scyllacluster-versions,./examples/gke/scyllacluster.yaml,1)
+ $(call replace-scyllacluster-versions,./examples/gke/scyllacluster.yaml,1)
$(call replace-scyllacluster-versions,./examples/scylladb/scylla.scyllacluster.yaml,0)
$(call concat-manifests,$(sort $(wildcard ./examples/third-party/haproxy-ingress/*.yaml)),./examples/third-party/haproxy-ingress.yaml)
@@ -548,9 +548,9 @@ verify-examples:
$(call update-scylla-helm-versions,$(tmp_dir)/helm/values.cluster.yaml)
$(call update-scylla-manager-helm-versions,$(tmp_dir)/helm/values.manager.yaml)
- $(call replace-scyllacluster-versions,$(tmp_dir)/eks/cluster.yaml,1)
- $(call replace-scyllacluster-versions,$(tmp_dir)/generic/cluster.yaml,1)
- $(call replace-scyllacluster-versions,$(tmp_dir)/gke/cluster.yaml,1)
+ $(call replace-scyllacluster-versions,$(tmp_dir)/eks/scyllacluster.yaml,1)
+ $(call replace-scyllacluster-versions,$(tmp_dir)/generic/scyllacluster.yaml,1)
+ $(call replace-scyllacluster-versions,$(tmp_dir)/gke/scyllacluster.yaml,1)
$(call replace-scyllacluster-versions,$(tmp_dir)/scylladb/scylla.scyllacluster.yaml,0)
$(call concat-manifests,$(sort $(wildcard ./examples/third-party/haproxy-ingress/*.yaml)),$(tmp_dir)/third-party/haproxy-ingress.yaml)
diff --git a/deploy/manager-dev.yaml b/deploy/manager-dev.yaml
index 49c7dfe3795..bb78a9e9e5f 100644
--- a/deploy/manager-dev.yaml
+++ b/deploy/manager-dev.yaml
@@ -303,5 +303,11 @@ spec:
requests:
cpu: 10m
memory: 100Mi
+ placement:
+ tolerations:
+ - effect: NoSchedule
+ key: scylla-operator.scylladb.com/dedicated
+ operator: Equal
+ value: scyllaclusters
---
diff --git a/deploy/manager-prod.yaml b/deploy/manager-prod.yaml
index e8666074096..af20a24dbf3 100644
--- a/deploy/manager-prod.yaml
+++ b/deploy/manager-prod.yaml
@@ -303,5 +303,11 @@ spec:
requests:
cpu: 1
memory: 200Mi
+ placement:
+ tolerations:
+ - effect: NoSchedule
+ key: scylla-operator.scylladb.com/dedicated
+ operator: Equal
+ value: scyllaclusters
---
diff --git a/deploy/manager/dev/50_scyllacluster.yaml b/deploy/manager/dev/50_scyllacluster.yaml
index 6920aa62f34..44ca97066af 100644
--- a/deploy/manager/dev/50_scyllacluster.yaml
+++ b/deploy/manager/dev/50_scyllacluster.yaml
@@ -25,3 +25,9 @@ spec:
requests:
cpu: 10m
memory: 100Mi
+ placement:
+ tolerations:
+ - effect: NoSchedule
+ key: scylla-operator.scylladb.com/dedicated
+ operator: Equal
+ value: scyllaclusters
diff --git a/deploy/manager/prod/50_scyllacluster.yaml b/deploy/manager/prod/50_scyllacluster.yaml
index 86010c62ff8..38ae660cd7c 100644
--- a/deploy/manager/prod/50_scyllacluster.yaml
+++ b/deploy/manager/prod/50_scyllacluster.yaml
@@ -25,3 +25,9 @@ spec:
requests:
cpu: 1
memory: 200Mi
+ placement:
+ tolerations:
+ - effect: NoSchedule
+ key: scylla-operator.scylladb.com/dedicated
+ operator: Equal
+ value: scyllaclusters
diff --git a/docs/README-dev.md b/docs/README-dev.md
index 8cc8c826c64..00351027a0a 100644
--- a/docs/README-dev.md
+++ b/docs/README-dev.md
@@ -14,7 +14,7 @@ Here is an example how you can start quickly using containers, similarly to how
(This assumes you are located at the repository root.)
```bash
-podman run -it --pull=Always --rm -v="$( pwd )/docs:/go/$( go list -m )/docs:Z" --workdir="/go/$( go list -m )/docs" -p 5500:5500 quay.io/scylladb/scylla-operator-images:poetry-1.8 bash -euExo pipefail -O inherit_errexit -c 'poetry install && make preview'
+podman run -it --pull=Always --rm -v="$( pwd )/:/go/$( go list -m )/:Z" --workdir="/go/$( go list -m )/docs" -p 5500:5500 quay.io/scylladb/scylla-operator-images:poetry-1.8 bash -euExo pipefail -O inherit_errexit -c 'poetry install && make preview'
```
Docs will be available at http://localhost:5500/
@@ -22,5 +22,5 @@ Docs will be available at http://localhost:5500/
## Update dependencies
```bash
-podman run -it --pull=Always --rm -v="$( pwd )/docs:/go/$( go list -m )/docs:Z" --workdir="/go/$( go list -m )/docs" quay.io/scylladb/scylla-operator-images:poetry-1.8 bash -euExo pipefail -O inherit_errexit -c 'poetry update'
+podman run -it --pull=Always --rm -v="$( pwd )/:/go/$( go list -m )/:Z" --workdir="/go/$( go list -m )/docs" -p 5500:5500 quay.io/scylladb/scylla-operator-images:poetry-1.8 bash -euExo pipefail -O inherit_errexit -c 'poetry update'
```
diff --git a/docs/poetry.lock b/docs/poetry.lock
index 2249f818d02..b118d012b30 100644
--- a/docs/poetry.lock
+++ b/docs/poetry.lock
@@ -2,13 +2,13 @@
[[package]]
name = "alabaster"
-version = "0.7.16"
+version = "1.0.0"
description = "A light, configurable Sphinx theme"
optional = false
-python-versions = ">=3.9"
+python-versions = ">=3.10"
files = [
- {file = "alabaster-0.7.16-py3-none-any.whl", hash = "sha256:b46733c07dce03ae4e150330b975c75737fa60f0a7c591b6c8bf4928a28e2c92"},
- {file = "alabaster-0.7.16.tar.gz", hash = "sha256:75a8b99c28a5dad50dd7f8ccdd447a121ddb3892da9e53d1ca5cca3106d58d65"},
+ {file = "alabaster-1.0.0-py3-none-any.whl", hash = "sha256:fc6786402dc3fcb2de3cabd5fe455a2db534b371124f1f21de8731783dec828b"},
+ {file = "alabaster-1.0.0.tar.gz", hash = "sha256:c00dca57bca26fa62a6d7d0a9fcce65f3e026e9bfe33e9c538fd3fbb2144fd9e"},
]
[[package]]
@@ -47,6 +47,24 @@ files = [
[package.extras]
dev = ["freezegun (>=1.0,<2.0)", "pytest (>=6.0)", "pytest-cov"]
+[[package]]
+name = "beartype"
+version = "0.19.0"
+description = "Unbearably fast near-real-time hybrid runtime-static type-checking in pure Python."
+optional = false
+python-versions = ">=3.8"
+files = [
+ {file = "beartype-0.19.0-py3-none-any.whl", hash = "sha256:33b2694eda0daf052eb2aff623ed9a8a586703bbf0a90bbc475a83bbf427f699"},
+ {file = "beartype-0.19.0.tar.gz", hash = "sha256:de42dfc1ba5c3710fde6c3002e3bd2cad236ed4d2aabe876345ab0b4234a6573"},
+]
+
+[package.extras]
+dev = ["autoapi (>=0.9.0)", "coverage (>=5.5)", "equinox", "jax[cpu]", "jaxtyping", "mypy (>=0.800)", "numba", "numpy", "pandera", "pydata-sphinx-theme (<=0.7.2)", "pygments", "pyright (>=1.1.370)", "pytest (>=4.0.0)", "sphinx", "sphinx (>=4.2.0,<6.0.0)", "sphinxext-opengraph (>=0.7.5)", "tox (>=3.20.1)", "typing-extensions (>=3.10.0.0)"]
+doc-rtd = ["autoapi (>=0.9.0)", "pydata-sphinx-theme (<=0.7.2)", "sphinx (>=4.2.0,<6.0.0)", "sphinxext-opengraph (>=0.7.5)"]
+test = ["coverage (>=5.5)", "equinox", "jax[cpu]", "jaxtyping", "mypy (>=0.800)", "numba", "numpy", "pandera", "pygments", "pyright (>=1.1.370)", "pytest (>=4.0.0)", "sphinx", "tox (>=3.20.1)", "typing-extensions (>=3.10.0.0)"]
+test-tox = ["equinox", "jax[cpu]", "jaxtyping", "mypy (>=0.800)", "numba", "numpy", "pandera", "pygments", "pyright (>=1.1.370)", "pytest (>=4.0.0)", "sphinx", "typing-extensions (>=3.10.0.0)"]
+test-tox-coverage = ["coverage (>=5.5)"]
+
[[package]]
name = "beautifulsoup4"
version = "4.12.3"
@@ -422,22 +440,22 @@ files = [
[[package]]
name = "myst-parser"
-version = "3.0.1"
+version = "4.0.0"
description = "An extended [CommonMark](https://spec.commonmark.org/) compliant parser,"
optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.10"
files = [
- {file = "myst_parser-3.0.1-py3-none-any.whl", hash = "sha256:6457aaa33a5d474aca678b8ead9b3dc298e89c68e67012e73146ea6fd54babf1"},
- {file = "myst_parser-3.0.1.tar.gz", hash = "sha256:88f0cb406cb363b077d176b51c476f62d60604d68a8dcdf4832e080441301a87"},
+ {file = "myst_parser-4.0.0-py3-none-any.whl", hash = "sha256:b9317997552424448c6096c2558872fdb6f81d3ecb3a40ce84a7518798f3f28d"},
+ {file = "myst_parser-4.0.0.tar.gz", hash = "sha256:851c9dfb44e36e56d15d05e72f02b80da21a9e0d07cba96baf5e2d476bb91531"},
]
[package.dependencies]
-docutils = ">=0.18,<0.22"
+docutils = ">=0.19,<0.22"
jinja2 = "*"
markdown-it-py = ">=3.0,<4.0"
-mdit-py-plugins = ">=0.4,<1.0"
+mdit-py-plugins = ">=0.4.1,<1.0"
pyyaml = "*"
-sphinx = ">=6,<8"
+sphinx = ">=7,<9"
[package.extras]
code-style = ["pre-commit (>=3.0,<4.0)"]
@@ -448,13 +466,13 @@ testing-docutils = ["pygments", "pytest (>=8,<9)", "pytest-param-files (>=0.6.0,
[[package]]
name = "packaging"
-version = "24.1"
+version = "24.2"
description = "Core utilities for Python packages"
optional = false
python-versions = ">=3.8"
files = [
- {file = "packaging-24.1-py3-none-any.whl", hash = "sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124"},
- {file = "packaging-24.1.tar.gz", hash = "sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002"},
+ {file = "packaging-24.2-py3-none-any.whl", hash = "sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759"},
+ {file = "packaging-24.2.tar.gz", hash = "sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f"},
]
[[package]]
@@ -574,13 +592,13 @@ use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
[[package]]
name = "rich"
-version = "13.9.3"
+version = "13.9.4"
description = "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal"
optional = false
python-versions = ">=3.8.0"
files = [
- {file = "rich-13.9.3-py3-none-any.whl", hash = "sha256:9836f5096eb2172c9e77df411c1b009bace4193d6a481d534fea75ebba758283"},
- {file = "rich-13.9.3.tar.gz", hash = "sha256:bc1e01b899537598cf02579d2b9f4a415104d3fc439313a7a2c165d76557a08e"},
+ {file = "rich-13.9.4-py3-none-any.whl", hash = "sha256:6049d5e6ec054bf2779ab3358186963bac2ea89175919d699e378b99738c2a90"},
+ {file = "rich-13.9.4.tar.gz", hash = "sha256:439594978a49a09530cff7ebc4b5c7103ef57baf48d5ea3184f21d9a2befa098"},
]
[package.dependencies]
@@ -593,23 +611,23 @@ jupyter = ["ipywidgets (>=7.5.1,<9)"]
[[package]]
name = "setuptools"
-version = "75.2.0"
+version = "75.4.0"
description = "Easily download, build, install, upgrade, and uninstall Python packages"
optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
files = [
- {file = "setuptools-75.2.0-py3-none-any.whl", hash = "sha256:a7fcb66f68b4d9e8e66b42f9876150a3371558f98fa32222ffaa5bced76406f8"},
- {file = "setuptools-75.2.0.tar.gz", hash = "sha256:753bb6ebf1f465a1912e19ed1d41f403a79173a9acf66a42e7e6aec45c3c16ec"},
+ {file = "setuptools-75.4.0-py3-none-any.whl", hash = "sha256:b3c5d862f98500b06ffdf7cc4499b48c46c317d8d56cb30b5c8bce4d88f5c216"},
+ {file = "setuptools-75.4.0.tar.gz", hash = "sha256:1dc484f5cf56fd3fe7216d7b8df820802e7246cfb534a1db2aa64f14fcb9cdcb"},
]
[package.extras]
-check = ["pytest-checkdocs (>=2.4)", "pytest-ruff (>=0.2.1)", "ruff (>=0.5.2)"]
-core = ["importlib-metadata (>=6)", "importlib-resources (>=5.10.2)", "jaraco.collections", "jaraco.functools", "jaraco.text (>=3.7)", "more-itertools", "more-itertools (>=8.8)", "packaging", "packaging (>=24)", "platformdirs (>=2.6.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"]
+check = ["pytest-checkdocs (>=2.4)", "pytest-ruff (>=0.2.1)", "ruff (>=0.7.0)"]
+core = ["importlib-metadata (>=6)", "jaraco.collections", "jaraco.functools (>=4)", "jaraco.text (>=3.7)", "more-itertools", "more-itertools (>=8.8)", "packaging", "packaging (>=24.2)", "platformdirs (>=4.2.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"]
cover = ["pytest-cov"]
doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier", "towncrier (<24.7)"]
enabler = ["pytest-enabler (>=2.2)"]
-test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-home (>=0.5)", "pytest-perf", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel (>=0.44.0)"]
-type = ["importlib-metadata (>=7.0.2)", "jaraco.develop (>=7.21)", "mypy (==1.11.*)", "pytest-mypy"]
+test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test (>=5.5)", "packaging (>=24.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-home (>=0.5)", "pytest-perf", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel (>=0.44.0)"]
+type = ["importlib-metadata (>=7.0.2)", "jaraco.develop (>=7.21)", "mypy (>=1.12,<1.14)", "pytest-mypy"]
[[package]]
name = "shellingham"
@@ -657,17 +675,17 @@ files = [
[[package]]
name = "sphinx"
-version = "7.4.7"
+version = "8.1.3"
description = "Python documentation generator"
optional = false
-python-versions = ">=3.9"
+python-versions = ">=3.10"
files = [
- {file = "sphinx-7.4.7-py3-none-any.whl", hash = "sha256:c2419e2135d11f1951cd994d6eb18a1835bd8fdd8429f9ca375dc1f3281bd239"},
- {file = "sphinx-7.4.7.tar.gz", hash = "sha256:242f92a7ea7e6c5b406fdc2615413890ba9f699114a9c09192d7dfead2ee9cfe"},
+ {file = "sphinx-8.1.3-py3-none-any.whl", hash = "sha256:09719015511837b76bf6e03e42eb7595ac8c2e41eeb9c29c5b755c6b677992a2"},
+ {file = "sphinx-8.1.3.tar.gz", hash = "sha256:43c1911eecb0d3e161ad78611bc905d1ad0e523e4ddc202a58a821773dc4c927"},
]
[package.dependencies]
-alabaster = ">=0.7.14,<0.8.0"
+alabaster = ">=0.7.14"
babel = ">=2.13"
colorama = {version = ">=0.4.6", markers = "sys_platform == \"win32\""}
docutils = ">=0.20,<0.22"
@@ -677,17 +695,17 @@ packaging = ">=23.0"
Pygments = ">=2.17"
requests = ">=2.30.0"
snowballstemmer = ">=2.2"
-sphinxcontrib-applehelp = "*"
-sphinxcontrib-devhelp = "*"
-sphinxcontrib-htmlhelp = ">=2.0.0"
-sphinxcontrib-jsmath = "*"
-sphinxcontrib-qthelp = "*"
+sphinxcontrib-applehelp = ">=1.0.7"
+sphinxcontrib-devhelp = ">=1.0.6"
+sphinxcontrib-htmlhelp = ">=2.0.6"
+sphinxcontrib-jsmath = ">=1.0.1"
+sphinxcontrib-qthelp = ">=1.0.6"
sphinxcontrib-serializinghtml = ">=1.1.9"
tomli = {version = ">=2", markers = "python_version < \"3.11\""}
[package.extras]
docs = ["sphinxcontrib-websupport"]
-lint = ["flake8 (>=6.0)", "importlib-metadata (>=6.0)", "mypy (==1.10.1)", "pytest (>=6.0)", "ruff (==0.5.2)", "sphinx-lint (>=0.9)", "tomli (>=2)", "types-docutils (==0.21.0.20240711)", "types-requests (>=2.30.0)"]
+lint = ["flake8 (>=6.0)", "mypy (==1.11.1)", "pyright (==1.1.384)", "pytest (>=6.0)", "ruff (==0.6.9)", "sphinx-lint (>=0.9)", "tomli (>=2)", "types-Pillow (==10.2.0.20240822)", "types-Pygments (==2.18.0.20240506)", "types-colorama (==0.4.15.20240311)", "types-defusedxml (==0.7.0.20240218)", "types-docutils (==0.21.0.20241005)", "types-requests (==2.32.0.20240914)", "types-urllib3 (==1.26.25.14)"]
test = ["cython (>=3.0)", "defusedxml (>=0.7.1)", "pytest (>=8.0)", "setuptools (>=70.0)", "typing_extensions (>=4.9)"]
[[package]]
@@ -750,26 +768,28 @@ rtd = ["ipython", "myst-nb", "sphinx", "sphinx-book-theme", "sphinx-examples"]
[[package]]
name = "sphinx-design"
-version = "0.5.0"
+version = "0.6.1"
description = "A sphinx extension for designing beautiful, view size responsive web components."
optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
files = [
- {file = "sphinx_design-0.5.0-py3-none-any.whl", hash = "sha256:1af1267b4cea2eedd6724614f19dcc88fe2e15aff65d06b2f6252cee9c4f4c1e"},
- {file = "sphinx_design-0.5.0.tar.gz", hash = "sha256:e8e513acea6f92d15c6de3b34e954458f245b8e761b45b63950f65373352ab00"},
+ {file = "sphinx_design-0.6.1-py3-none-any.whl", hash = "sha256:b11f37db1a802a183d61b159d9a202314d4d2fe29c163437001324fe2f19549c"},
+ {file = "sphinx_design-0.6.1.tar.gz", hash = "sha256:b44eea3719386d04d765c1a8257caca2b3e6f8421d7b3a5e742c0fd45f84e632"},
]
[package.dependencies]
-sphinx = ">=5,<8"
+sphinx = ">=6,<9"
[package.extras]
code-style = ["pre-commit (>=3,<4)"]
-rtd = ["myst-parser (>=1,<3)"]
-testing = ["myst-parser (>=1,<3)", "pytest (>=7.1,<8.0)", "pytest-cov", "pytest-regressions"]
-theme-furo = ["furo (>=2023.7.0,<2023.8.0)"]
-theme-pydata = ["pydata-sphinx-theme (>=0.13.0,<0.14.0)"]
-theme-rtd = ["sphinx-rtd-theme (>=1.0,<2.0)"]
-theme-sbt = ["sphinx-book-theme (>=1.0,<2.0)"]
+rtd = ["myst-parser (>=2,<4)"]
+testing = ["defusedxml", "myst-parser (>=2,<4)", "pytest (>=8.3,<9.0)", "pytest-cov", "pytest-regressions"]
+testing-no-myst = ["defusedxml", "pytest (>=8.3,<9.0)", "pytest-cov", "pytest-regressions"]
+theme-furo = ["furo (>=2024.7.18,<2024.8.0)"]
+theme-im = ["sphinx-immaterial (>=0.12.2,<0.13.0)"]
+theme-pydata = ["pydata-sphinx-theme (>=0.15.2,<0.16.0)"]
+theme-rtd = ["sphinx-rtd-theme (>=2.0,<3.0)"]
+theme-sbt = ["sphinx-book-theme (>=1.1,<2.0)"]
[[package]]
name = "sphinx-multiversion-scylla"
@@ -820,7 +840,7 @@ setuptools = ">=70.1.1,<76.0.0"
sphinx-collapse = ">=0.1.1,<0.2.0"
sphinx-copybutton = ">=0.5.2,<0.6.0"
sphinx-notfound-page = ">=1.0.4,<2.0.0"
-Sphinx-Substitution-Extensions = ">=2022.2.16,<2023.0.0"
+Sphinx-Substitution-Extensions = ">=2022.2.16"
sphinx-tabs = ">=3.4.5,<4.0.0"
[[package]]
@@ -842,13 +862,13 @@ dev = ["build", "flake8", "pre-commit", "pytest", "sphinx", "tox"]
[[package]]
name = "sphinx-substitution-extensions"
-version = "2022.2.16"
+version = "2024.10.17"
description = "Extensions for Sphinx which allow for substitutions."
optional = false
python-versions = "*"
files = [
- {file = "Sphinx Substitution Extensions-2022.2.16.tar.gz", hash = "sha256:ff7d05bd00e8b2d7eb8a403b9f317d70411d4e9b6812bf91534a50df22190c75"},
- {file = "Sphinx_Substitution_Extensions-2022.2.16-py3-none-any.whl", hash = "sha256:5a8ca34dac3984486344e95c36e3ed4766d402a71bdee7390d600f153db9795b"},
+ {file = "Sphinx Substitution Extensions-2024.10.17.tar.gz", hash = "sha256:30fa723bb44afe23adc5187601dcf0c1955dcd1b26f588773b395e852076179d"},
+ {file = "Sphinx_Substitution_Extensions-2024.10.17-py3-none-any.whl", hash = "sha256:6c1aae08edea616c5602f30368e6c15205220aa2d0b37bc47569322bce5e1271"},
]
[package.dependencies]
@@ -992,24 +1012,24 @@ full = ["httpx (>=0.22.0)", "itsdangerous", "jinja2", "python-multipart (>=0.0.7
[[package]]
name = "tomli"
-version = "2.0.2"
+version = "2.1.0"
description = "A lil' TOML parser"
optional = false
python-versions = ">=3.8"
files = [
- {file = "tomli-2.0.2-py3-none-any.whl", hash = "sha256:2ebe24485c53d303f690b0ec092806a085f07af5a5aa1464f3931eec36caaa38"},
- {file = "tomli-2.0.2.tar.gz", hash = "sha256:d46d457a85337051c36524bc5349dd91b1877838e2979ac5ced3e710ed8a60ed"},
+ {file = "tomli-2.1.0-py3-none-any.whl", hash = "sha256:a5c57c3d1c56f5ccdf89f6523458f60ef716e210fc47c4cfb188c5ba473e0391"},
+ {file = "tomli-2.1.0.tar.gz", hash = "sha256:3f646cae2aec94e17d04973e4249548320197cfabdf130015d023de4b74d8ab8"},
]
[[package]]
name = "typer"
-version = "0.12.5"
+version = "0.13.0"
description = "Typer, build great CLIs. Easy to code. Based on Python type hints."
optional = false
python-versions = ">=3.7"
files = [
- {file = "typer-0.12.5-py3-none-any.whl", hash = "sha256:62fe4e471711b147e3365034133904df3e235698399bc4de2b36c8579298d52b"},
- {file = "typer-0.12.5.tar.gz", hash = "sha256:f592f089bedcc8ec1b974125d64851029c3b1af145f04aca64d69410f0c9b722"},
+ {file = "typer-0.13.0-py3-none-any.whl", hash = "sha256:d85fe0b777b2517cc99c8055ed735452f2659cd45e451507c76f48ce5c1d00e2"},
+ {file = "typer-0.13.0.tar.gz", hash = "sha256:f1c7198347939361eec90139ffa0fd8b3df3a2259d5852a0f7400e476d95985c"},
]
[package.dependencies]
@@ -1162,100 +1182,83 @@ anyio = ">=3.0.0"
[[package]]
name = "websockets"
-version = "13.1"
+version = "14.1"
description = "An implementation of the WebSocket Protocol (RFC 6455 & 7692)"
optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
files = [
- {file = "websockets-13.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:f48c749857f8fb598fb890a75f540e3221d0976ed0bf879cf3c7eef34151acee"},
- {file = "websockets-13.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c7e72ce6bda6fb9409cc1e8164dd41d7c91466fb599eb047cfda72fe758a34a7"},
- {file = "websockets-13.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:f779498eeec470295a2b1a5d97aa1bc9814ecd25e1eb637bd9d1c73a327387f6"},
- {file = "websockets-13.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4676df3fe46956fbb0437d8800cd5f2b6d41143b6e7e842e60554398432cf29b"},
- {file = "websockets-13.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a7affedeb43a70351bb811dadf49493c9cfd1ed94c9c70095fd177e9cc1541fa"},
- {file = "websockets-13.1-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1971e62d2caa443e57588e1d82d15f663b29ff9dfe7446d9964a4b6f12c1e700"},
- {file = "websockets-13.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:5f2e75431f8dc4a47f31565a6e1355fb4f2ecaa99d6b89737527ea917066e26c"},
- {file = "websockets-13.1-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:58cf7e75dbf7e566088b07e36ea2e3e2bd5676e22216e4cad108d4df4a7402a0"},
- {file = "websockets-13.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:c90d6dec6be2c7d03378a574de87af9b1efea77d0c52a8301dd831ece938452f"},
- {file = "websockets-13.1-cp310-cp310-win32.whl", hash = "sha256:730f42125ccb14602f455155084f978bd9e8e57e89b569b4d7f0f0c17a448ffe"},
- {file = "websockets-13.1-cp310-cp310-win_amd64.whl", hash = "sha256:5993260f483d05a9737073be197371940c01b257cc45ae3f1d5d7adb371b266a"},
- {file = "websockets-13.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:61fc0dfcda609cda0fc9fe7977694c0c59cf9d749fbb17f4e9483929e3c48a19"},
- {file = "websockets-13.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:ceec59f59d092c5007e815def4ebb80c2de330e9588e101cf8bd94c143ec78a5"},
- {file = "websockets-13.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:c1dca61c6db1166c48b95198c0b7d9c990b30c756fc2923cc66f68d17dc558fd"},
- {file = "websockets-13.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:308e20f22c2c77f3f39caca508e765f8725020b84aa963474e18c59accbf4c02"},
- {file = "websockets-13.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:62d516c325e6540e8a57b94abefc3459d7dab8ce52ac75c96cad5549e187e3a7"},
- {file = "websockets-13.1-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:87c6e35319b46b99e168eb98472d6c7d8634ee37750d7693656dc766395df096"},
- {file = "websockets-13.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:5f9fee94ebafbc3117c30be1844ed01a3b177bb6e39088bc6b2fa1dc15572084"},
- {file = "websockets-13.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:7c1e90228c2f5cdde263253fa5db63e6653f1c00e7ec64108065a0b9713fa1b3"},
- {file = "websockets-13.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:6548f29b0e401eea2b967b2fdc1c7c7b5ebb3eeb470ed23a54cd45ef078a0db9"},
- {file = "websockets-13.1-cp311-cp311-win32.whl", hash = "sha256:c11d4d16e133f6df8916cc5b7e3e96ee4c44c936717d684a94f48f82edb7c92f"},
- {file = "websockets-13.1-cp311-cp311-win_amd64.whl", hash = "sha256:d04f13a1d75cb2b8382bdc16ae6fa58c97337253826dfe136195b7f89f661557"},
- {file = "websockets-13.1-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:9d75baf00138f80b48f1eac72ad1535aac0b6461265a0bcad391fc5aba875cfc"},
- {file = "websockets-13.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:9b6f347deb3dcfbfde1c20baa21c2ac0751afaa73e64e5b693bb2b848efeaa49"},
- {file = "websockets-13.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:de58647e3f9c42f13f90ac7e5f58900c80a39019848c5547bc691693098ae1bd"},
- {file = "websockets-13.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a1b54689e38d1279a51d11e3467dd2f3a50f5f2e879012ce8f2d6943f00e83f0"},
- {file = "websockets-13.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:cf1781ef73c073e6b0f90af841aaf98501f975d306bbf6221683dd594ccc52b6"},
- {file = "websockets-13.1-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8d23b88b9388ed85c6faf0e74d8dec4f4d3baf3ecf20a65a47b836d56260d4b9"},
- {file = "websockets-13.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:3c78383585f47ccb0fcf186dcb8a43f5438bd7d8f47d69e0b56f71bf431a0a68"},
- {file = "websockets-13.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:d6d300f8ec35c24025ceb9b9019ae9040c1ab2f01cddc2bcc0b518af31c75c14"},
- {file = "websockets-13.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:a9dcaf8b0cc72a392760bb8755922c03e17a5a54e08cca58e8b74f6902b433cf"},
- {file = "websockets-13.1-cp312-cp312-win32.whl", hash = "sha256:2f85cf4f2a1ba8f602298a853cec8526c2ca42a9a4b947ec236eaedb8f2dc80c"},
- {file = "websockets-13.1-cp312-cp312-win_amd64.whl", hash = "sha256:38377f8b0cdeee97c552d20cf1865695fcd56aba155ad1b4ca8779a5b6ef4ac3"},
- {file = "websockets-13.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:a9ab1e71d3d2e54a0aa646ab6d4eebfaa5f416fe78dfe4da2839525dc5d765c6"},
- {file = "websockets-13.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:b9d7439d7fab4dce00570bb906875734df13d9faa4b48e261c440a5fec6d9708"},
- {file = "websockets-13.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:327b74e915cf13c5931334c61e1a41040e365d380f812513a255aa804b183418"},
- {file = "websockets-13.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:325b1ccdbf5e5725fdcb1b0e9ad4d2545056479d0eee392c291c1bf76206435a"},
- {file = "websockets-13.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:346bee67a65f189e0e33f520f253d5147ab76ae42493804319b5716e46dddf0f"},
- {file = "websockets-13.1-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:91a0fa841646320ec0d3accdff5b757b06e2e5c86ba32af2e0815c96c7a603c5"},
- {file = "websockets-13.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:18503d2c5f3943e93819238bf20df71982d193f73dcecd26c94514f417f6b135"},
- {file = "websockets-13.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:a9cd1af7e18e5221d2878378fbc287a14cd527fdd5939ed56a18df8a31136bb2"},
- {file = "websockets-13.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:70c5be9f416aa72aab7a2a76c90ae0a4fe2755c1816c153c1a2bcc3333ce4ce6"},
- {file = "websockets-13.1-cp313-cp313-win32.whl", hash = "sha256:624459daabeb310d3815b276c1adef475b3e6804abaf2d9d2c061c319f7f187d"},
- {file = "websockets-13.1-cp313-cp313-win_amd64.whl", hash = "sha256:c518e84bb59c2baae725accd355c8dc517b4a3ed8db88b4bc93c78dae2974bf2"},
- {file = "websockets-13.1-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:c7934fd0e920e70468e676fe7f1b7261c1efa0d6c037c6722278ca0228ad9d0d"},
- {file = "websockets-13.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:149e622dc48c10ccc3d2760e5f36753db9cacf3ad7bc7bbbfd7d9c819e286f23"},
- {file = "websockets-13.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:a569eb1b05d72f9bce2ebd28a1ce2054311b66677fcd46cf36204ad23acead8c"},
- {file = "websockets-13.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:95df24ca1e1bd93bbca51d94dd049a984609687cb2fb08a7f2c56ac84e9816ea"},
- {file = "websockets-13.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d8dbb1bf0c0a4ae8b40bdc9be7f644e2f3fb4e8a9aca7145bfa510d4a374eeb7"},
- {file = "websockets-13.1-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:035233b7531fb92a76beefcbf479504db8c72eb3bff41da55aecce3a0f729e54"},
- {file = "websockets-13.1-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:e4450fc83a3df53dec45922b576e91e94f5578d06436871dce3a6be38e40f5db"},
- {file = "websockets-13.1-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:463e1c6ec853202dd3657f156123d6b4dad0c546ea2e2e38be2b3f7c5b8e7295"},
- {file = "websockets-13.1-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:6d6855bbe70119872c05107e38fbc7f96b1d8cb047d95c2c50869a46c65a8e96"},
- {file = "websockets-13.1-cp38-cp38-win32.whl", hash = "sha256:204e5107f43095012b00f1451374693267adbb832d29966a01ecc4ce1db26faf"},
- {file = "websockets-13.1-cp38-cp38-win_amd64.whl", hash = "sha256:485307243237328c022bc908b90e4457d0daa8b5cf4b3723fd3c4a8012fce4c6"},
- {file = "websockets-13.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:9b37c184f8b976f0c0a231a5f3d6efe10807d41ccbe4488df8c74174805eea7d"},
- {file = "websockets-13.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:163e7277e1a0bd9fb3c8842a71661ad19c6aa7bb3d6678dc7f89b17fbcc4aeb7"},
- {file = "websockets-13.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4b889dbd1342820cc210ba44307cf75ae5f2f96226c0038094455a96e64fb07a"},
- {file = "websockets-13.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:586a356928692c1fed0eca68b4d1c2cbbd1ca2acf2ac7e7ebd3b9052582deefa"},
- {file = "websockets-13.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7bd6abf1e070a6b72bfeb71049d6ad286852e285f146682bf30d0296f5fbadfa"},
- {file = "websockets-13.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6d2aad13a200e5934f5a6767492fb07151e1de1d6079c003ab31e1823733ae79"},
- {file = "websockets-13.1-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:df01aea34b6e9e33572c35cd16bae5a47785e7d5c8cb2b54b2acdb9678315a17"},
- {file = "websockets-13.1-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:e54affdeb21026329fb0744ad187cf812f7d3c2aa702a5edb562b325191fcab6"},
- {file = "websockets-13.1-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:9ef8aa8bdbac47f4968a5d66462a2a0935d044bf35c0e5a8af152d58516dbeb5"},
- {file = "websockets-13.1-cp39-cp39-win32.whl", hash = "sha256:deeb929efe52bed518f6eb2ddc00cc496366a14c726005726ad62c2dd9017a3c"},
- {file = "websockets-13.1-cp39-cp39-win_amd64.whl", hash = "sha256:7c65ffa900e7cc958cd088b9a9157a8141c991f8c53d11087e6fb7277a03f81d"},
- {file = "websockets-13.1-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:5dd6da9bec02735931fccec99d97c29f47cc61f644264eb995ad6c0c27667238"},
- {file = "websockets-13.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:2510c09d8e8df777177ee3d40cd35450dc169a81e747455cc4197e63f7e7bfe5"},
- {file = "websockets-13.1-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f1c3cf67185543730888b20682fb186fc8d0fa6f07ccc3ef4390831ab4b388d9"},
- {file = "websockets-13.1-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bcc03c8b72267e97b49149e4863d57c2d77f13fae12066622dc78fe322490fe6"},
- {file = "websockets-13.1-pp310-pypy310_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:004280a140f220c812e65f36944a9ca92d766b6cc4560be652a0a3883a79ed8a"},
- {file = "websockets-13.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:e2620453c075abeb0daa949a292e19f56de518988e079c36478bacf9546ced23"},
- {file = "websockets-13.1-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:9156c45750b37337f7b0b00e6248991a047be4aa44554c9886fe6bdd605aab3b"},
- {file = "websockets-13.1-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:80c421e07973a89fbdd93e6f2003c17d20b69010458d3a8e37fb47874bd67d51"},
- {file = "websockets-13.1-pp38-pypy38_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:82d0ba76371769d6a4e56f7e83bb8e81846d17a6190971e38b5de108bde9b0d7"},
- {file = "websockets-13.1-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e9875a0143f07d74dc5e1ded1c4581f0d9f7ab86c78994e2ed9e95050073c94d"},
- {file = "websockets-13.1-pp38-pypy38_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a11e38ad8922c7961447f35c7b17bffa15de4d17c70abd07bfbe12d6faa3e027"},
- {file = "websockets-13.1-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:4059f790b6ae8768471cddb65d3c4fe4792b0ab48e154c9f0a04cefaabcd5978"},
- {file = "websockets-13.1-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:25c35bf84bf7c7369d247f0b8cfa157f989862c49104c5cf85cb5436a641d93e"},
- {file = "websockets-13.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:83f91d8a9bb404b8c2c41a707ac7f7f75b9442a0a876df295de27251a856ad09"},
- {file = "websockets-13.1-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7a43cfdcddd07f4ca2b1afb459824dd3c6d53a51410636a2c7fc97b9a8cf4842"},
- {file = "websockets-13.1-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:48a2ef1381632a2f0cb4efeff34efa97901c9fbc118e01951ad7cfc10601a9bb"},
- {file = "websockets-13.1-pp39-pypy39_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:459bf774c754c35dbb487360b12c5727adab887f1622b8aed5755880a21c4a20"},
- {file = "websockets-13.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:95858ca14a9f6fa8413d29e0a585b31b278388aa775b8a81fa24830123874678"},
- {file = "websockets-13.1-py3-none-any.whl", hash = "sha256:a9a396a6ad26130cdae92ae10c36af09d9bfe6cafe69670fd3b6da9b07b4044f"},
- {file = "websockets-13.1.tar.gz", hash = "sha256:a3b3366087c1bc0a2795111edcadddb8b3b59509d5db5d7ea3fdd69f954a8878"},
+ {file = "websockets-14.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:a0adf84bc2e7c86e8a202537b4fd50e6f7f0e4a6b6bf64d7ccb96c4cd3330b29"},
+ {file = "websockets-14.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:90b5d9dfbb6d07a84ed3e696012610b6da074d97453bd01e0e30744b472c8179"},
+ {file = "websockets-14.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:2177ee3901075167f01c5e335a6685e71b162a54a89a56001f1c3e9e3d2ad250"},
+ {file = "websockets-14.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3f14a96a0034a27f9d47fd9788913924c89612225878f8078bb9d55f859272b0"},
+ {file = "websockets-14.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1f874ba705deea77bcf64a9da42c1f5fc2466d8f14daf410bc7d4ceae0a9fcb0"},
+ {file = "websockets-14.1-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9607b9a442392e690a57909c362811184ea429585a71061cd5d3c2b98065c199"},
+ {file = "websockets-14.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:bea45f19b7ca000380fbd4e02552be86343080120d074b87f25593ce1700ad58"},
+ {file = "websockets-14.1-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:219c8187b3ceeadbf2afcf0f25a4918d02da7b944d703b97d12fb01510869078"},
+ {file = "websockets-14.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:ad2ab2547761d79926effe63de21479dfaf29834c50f98c4bf5b5480b5838434"},
+ {file = "websockets-14.1-cp310-cp310-win32.whl", hash = "sha256:1288369a6a84e81b90da5dbed48610cd7e5d60af62df9851ed1d1d23a9069f10"},
+ {file = "websockets-14.1-cp310-cp310-win_amd64.whl", hash = "sha256:e0744623852f1497d825a49a99bfbec9bea4f3f946df6eb9d8a2f0c37a2fec2e"},
+ {file = "websockets-14.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:449d77d636f8d9c17952628cc7e3b8faf6e92a17ec581ec0c0256300717e1512"},
+ {file = "websockets-14.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:a35f704be14768cea9790d921c2c1cc4fc52700410b1c10948511039be824aac"},
+ {file = "websockets-14.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:b1f3628a0510bd58968c0f60447e7a692933589b791a6b572fcef374053ca280"},
+ {file = "websockets-14.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3c3deac3748ec73ef24fc7be0b68220d14d47d6647d2f85b2771cb35ea847aa1"},
+ {file = "websockets-14.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7048eb4415d46368ef29d32133134c513f507fff7d953c18c91104738a68c3b3"},
+ {file = "websockets-14.1-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f6cf0ad281c979306a6a34242b371e90e891bce504509fb6bb5246bbbf31e7b6"},
+ {file = "websockets-14.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:cc1fc87428c1d18b643479caa7b15db7d544652e5bf610513d4a3478dbe823d0"},
+ {file = "websockets-14.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:f95ba34d71e2fa0c5d225bde3b3bdb152e957150100e75c86bc7f3964c450d89"},
+ {file = "websockets-14.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:9481a6de29105d73cf4515f2bef8eb71e17ac184c19d0b9918a3701c6c9c4f23"},
+ {file = "websockets-14.1-cp311-cp311-win32.whl", hash = "sha256:368a05465f49c5949e27afd6fbe0a77ce53082185bbb2ac096a3a8afaf4de52e"},
+ {file = "websockets-14.1-cp311-cp311-win_amd64.whl", hash = "sha256:6d24fc337fc055c9e83414c94e1ee0dee902a486d19d2a7f0929e49d7d604b09"},
+ {file = "websockets-14.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:ed907449fe5e021933e46a3e65d651f641975a768d0649fee59f10c2985529ed"},
+ {file = "websockets-14.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:87e31011b5c14a33b29f17eb48932e63e1dcd3fa31d72209848652310d3d1f0d"},
+ {file = "websockets-14.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:bc6ccf7d54c02ae47a48ddf9414c54d48af9c01076a2e1023e3b486b6e72c707"},
+ {file = "websockets-14.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9777564c0a72a1d457f0848977a1cbe15cfa75fa2f67ce267441e465717dcf1a"},
+ {file = "websockets-14.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a655bde548ca98f55b43711b0ceefd2a88a71af6350b0c168aa77562104f3f45"},
+ {file = "websockets-14.1-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a3dfff83ca578cada2d19e665e9c8368e1598d4e787422a460ec70e531dbdd58"},
+ {file = "websockets-14.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:6a6c9bcf7cdc0fd41cc7b7944447982e8acfd9f0d560ea6d6845428ed0562058"},
+ {file = "websockets-14.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:4b6caec8576e760f2c7dd878ba817653144d5f369200b6ddf9771d64385b84d4"},
+ {file = "websockets-14.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:eb6d38971c800ff02e4a6afd791bbe3b923a9a57ca9aeab7314c21c84bf9ff05"},
+ {file = "websockets-14.1-cp312-cp312-win32.whl", hash = "sha256:1d045cbe1358d76b24d5e20e7b1878efe578d9897a25c24e6006eef788c0fdf0"},
+ {file = "websockets-14.1-cp312-cp312-win_amd64.whl", hash = "sha256:90f4c7a069c733d95c308380aae314f2cb45bd8a904fb03eb36d1a4983a4993f"},
+ {file = "websockets-14.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:3630b670d5057cd9e08b9c4dab6493670e8e762a24c2c94ef312783870736ab9"},
+ {file = "websockets-14.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:36ebd71db3b89e1f7b1a5deaa341a654852c3518ea7a8ddfdf69cc66acc2db1b"},
+ {file = "websockets-14.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:5b918d288958dc3fa1c5a0b9aa3256cb2b2b84c54407f4813c45d52267600cd3"},
+ {file = "websockets-14.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:00fe5da3f037041da1ee0cf8e308374e236883f9842c7c465aa65098b1c9af59"},
+ {file = "websockets-14.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8149a0f5a72ca36720981418eeffeb5c2729ea55fa179091c81a0910a114a5d2"},
+ {file = "websockets-14.1-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:77569d19a13015e840b81550922056acabc25e3f52782625bc6843cfa034e1da"},
+ {file = "websockets-14.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:cf5201a04550136ef870aa60ad3d29d2a59e452a7f96b94193bee6d73b8ad9a9"},
+ {file = "websockets-14.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:88cf9163ef674b5be5736a584c999e98daf3aabac6e536e43286eb74c126b9c7"},
+ {file = "websockets-14.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:836bef7ae338a072e9d1863502026f01b14027250a4545672673057997d5c05a"},
+ {file = "websockets-14.1-cp313-cp313-win32.whl", hash = "sha256:0d4290d559d68288da9f444089fd82490c8d2744309113fc26e2da6e48b65da6"},
+ {file = "websockets-14.1-cp313-cp313-win_amd64.whl", hash = "sha256:8621a07991add373c3c5c2cf89e1d277e49dc82ed72c75e3afc74bd0acc446f0"},
+ {file = "websockets-14.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:01bb2d4f0a6d04538d3c5dfd27c0643269656c28045a53439cbf1c004f90897a"},
+ {file = "websockets-14.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:414ffe86f4d6f434a8c3b7913655a1a5383b617f9bf38720e7c0799fac3ab1c6"},
+ {file = "websockets-14.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:8fda642151d5affdee8a430bd85496f2e2517be3a2b9d2484d633d5712b15c56"},
+ {file = "websockets-14.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cd7c11968bc3860d5c78577f0dbc535257ccec41750675d58d8dc66aa47fe52c"},
+ {file = "websockets-14.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a032855dc7db987dff813583d04f4950d14326665d7e714d584560b140ae6b8b"},
+ {file = "websockets-14.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b7e7ea2f782408c32d86b87a0d2c1fd8871b0399dd762364c731d86c86069a78"},
+ {file = "websockets-14.1-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:39450e6215f7d9f6f7bc2a6da21d79374729f5d052333da4d5825af8a97e6735"},
+ {file = "websockets-14.1-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:ceada5be22fa5a5a4cdeec74e761c2ee7db287208f54c718f2df4b7e200b8d4a"},
+ {file = "websockets-14.1-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:3fc753451d471cff90b8f467a1fc0ae64031cf2d81b7b34e1811b7e2691bc4bc"},
+ {file = "websockets-14.1-cp39-cp39-win32.whl", hash = "sha256:14839f54786987ccd9d03ed7f334baec0f02272e7ec4f6e9d427ff584aeea8b4"},
+ {file = "websockets-14.1-cp39-cp39-win_amd64.whl", hash = "sha256:d9fd19ecc3a4d5ae82ddbfb30962cf6d874ff943e56e0c81f5169be2fda62979"},
+ {file = "websockets-14.1-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:e5dc25a9dbd1a7f61eca4b7cb04e74ae4b963d658f9e4f9aad9cd00b688692c8"},
+ {file = "websockets-14.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:04a97aca96ca2acedf0d1f332c861c5a4486fdcba7bcef35873820f940c4231e"},
+ {file = "websockets-14.1-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:df174ece723b228d3e8734a6f2a6febbd413ddec39b3dc592f5a4aa0aff28098"},
+ {file = "websockets-14.1-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:034feb9f4286476f273b9a245fb15f02c34d9586a5bc936aff108c3ba1b21beb"},
+ {file = "websockets-14.1-pp310-pypy310_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:660c308dabd2b380807ab64b62985eaccf923a78ebc572bd485375b9ca2b7dc7"},
+ {file = "websockets-14.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:5a42d3ecbb2db5080fc578314439b1d79eef71d323dc661aa616fb492436af5d"},
+ {file = "websockets-14.1-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:ddaa4a390af911da6f680be8be4ff5aaf31c4c834c1a9147bc21cbcbca2d4370"},
+ {file = "websockets-14.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:a4c805c6034206143fbabd2d259ec5e757f8b29d0a2f0bf3d2fe5d1f60147a4a"},
+ {file = "websockets-14.1-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:205f672a6c2c671a86d33f6d47c9b35781a998728d2c7c2a3e1cf3333fcb62b7"},
+ {file = "websockets-14.1-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5ef440054124728cc49b01c33469de06755e5a7a4e83ef61934ad95fc327fbb0"},
+ {file = "websockets-14.1-pp39-pypy39_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e7591d6f440af7f73c4bd9404f3772bfee064e639d2b6cc8c94076e71b2471c1"},
+ {file = "websockets-14.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:25225cc79cfebc95ba1d24cd3ab86aaa35bcd315d12fa4358939bd55e9bd74a5"},
+ {file = "websockets-14.1-py3-none-any.whl", hash = "sha256:4d4fc827a20abe6d544a119896f6b78ee13fe81cbfef416f3f2ddf09a03f0e2e"},
+ {file = "websockets-14.1.tar.gz", hash = "sha256:398b10c77d471c0aab20a845e7a60076b6390bfdaac7a6d2edb0d2c59d75e8d8"},
]
[metadata]
lock-version = "2.0"
python-versions = "^3.10"
-content-hash = "cb08c82fb199b201cf49b83848c7281beac4b74daa314caef14d2ef812b20fcd"
+content-hash = "77d8c573bcf2670232ba1cb2b0df6c20463396ea9e26c017a9863594872f2734"
diff --git a/docs/pyproject.toml b/docs/pyproject.toml
index 62854f3e9c4..7ab9f8848e4 100644
--- a/docs/pyproject.toml
+++ b/docs/pyproject.toml
@@ -10,13 +10,15 @@ package-mode = false
python = "^3.10"
pygments = "^2.18.0"
sphinx-scylladb-theme = "^1.8.1"
+#sphinx-substitution-extensions = "=2024.10.17"
sphinx-sitemap = "^2.6.0"
+beartype = ">0.0.0"
sphinx-autobuild = "^2024.4.19"
-Sphinx = "^7.3.7"
+Sphinx = "^8.1.3"
sphinx-multiversion-scylla = "^0.3.1"
redirects_cli ="^0.1.3"
-myst-parser = "^3.0.1"
-sphinx-design = "^0.5.0"
+myst-parser = "^4.0.0"
+sphinx-design = "^0.6.1"
[build-system]
requires = ["poetry>=1.8.0"]
diff --git a/docs/source/.internal/helm-crd-warning.md b/docs/source/.internal/helm-crd-warning.md
new file mode 100644
index 00000000000..e22af94231a
--- /dev/null
+++ b/docs/source/.internal/helm-crd-warning.md
@@ -0,0 +1,5 @@
+:::{warning}
+Helm doesn't support managing CustomResourceDefinition resources ([#5871](https://github.com/helm/helm/issues/5871), [#7735](https://github.com/helm/helm/issues/7735)).
+Helm only creates CRDs on the first install and never updates them, while keeping the CRDs up to date (with any update) is absolutely essential.
+In order to update them, users have to do it manually every time.
+:::
diff --git a/docs/source/.internal/manager-license-note.md b/docs/source/.internal/manager-license-note.md
new file mode 100644
index 00000000000..caa85bd1f7d
--- /dev/null
+++ b/docs/source/.internal/manager-license-note.md
@@ -0,0 +1,5 @@
+:::{note}
+ScyllaDB Manager is available for ScyllaDB Enterprise customers and ScyllaDB Open Source users.
+With ScyllaDB Open Source, ScyllaDB Manager is limited to 5 nodes.
+See the ScyllaDB Manager [Proprietary Software License Agreement](https://www.scylladb.com/scylla-manager-software-license-agreement/) for details.
+:::
diff --git a/docs/source/.internal/tuning-qos-caution.md b/docs/source/.internal/tuning-qos-caution.md
new file mode 100644
index 00000000000..6f7b58999fe
--- /dev/null
+++ b/docs/source/.internal/tuning-qos-caution.md
@@ -0,0 +1,7 @@
+:::{caution}
+Only Pods with [`Guaranteed` QoS class](https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#guaranteed) are eligible to be tuned, otherwise they would not have pinned CPUs.
+
+Always verify that your [ScyllaCluster](/resources/scyllaclusters/basics.md) resource specifications meat [all the criteria](https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#criteria).
+
+Don't forget you have to specify limits for both [resources](api-scylla.scylladb.com-scyllaclusters-v1-.spec.datacenter.racks[].resources)(ScyllaDB) and [agentResources](api-scylla.scylladb.com-scyllaclusters-v1-.spec.datacenter.racks[].agentResources)(ScyllaDB Manager Agent) that run in the same Pod.
+:::
diff --git a/docs/source/.internal/tuning-warning.md b/docs/source/.internal/tuning-warning.md
new file mode 100644
index 00000000000..4401370bc05
--- /dev/null
+++ b/docs/source/.internal/tuning-warning.md
@@ -0,0 +1,4 @@
+:::{warning}
+We recommend that you first try out the performance tuning on a pre-production instance.
+Given the nature of the underlying tuning script, undoing the changes requires rebooting the Kubernetes node(s).
+:::
diff --git a/docs/source/architecture/components-cluster_scoped.svg b/docs/source/architecture/components-cluster_scoped.svg
new file mode 100644
index 00000000000..60b505fd139
--- /dev/null
+++ b/docs/source/architecture/components-cluster_scoped.svg
@@ -0,0 +1,424 @@
+
+
+
\ No newline at end of file
diff --git a/docs/source/architecture/components-namespaced.svg b/docs/source/architecture/components-namespaced.svg
new file mode 100644
index 00000000000..a53ee2194ed
--- /dev/null
+++ b/docs/source/architecture/components-namespaced.svg
@@ -0,0 +1,248 @@
+
+
+
\ No newline at end of file
diff --git a/docs/source/architecture/components.odg b/docs/source/architecture/components.odg
new file mode 100644
index 00000000000..4fc13199bcf
Binary files /dev/null and b/docs/source/architecture/components.odg differ
diff --git a/docs/source/architecture/deploy.odg b/docs/source/architecture/deploy.odg
new file mode 100644
index 00000000000..811c14ab324
Binary files /dev/null and b/docs/source/architecture/deploy.odg differ
diff --git a/docs/source/architecture/index.md b/docs/source/architecture/index.md
new file mode 100644
index 00000000000..0a55ce8f076
--- /dev/null
+++ b/docs/source/architecture/index.md
@@ -0,0 +1,10 @@
+# Architecture
+
+:::{toctree}
+:maxdepth: 1
+
+overview
+storage/index
+tuning
+manager
+:::
diff --git a/docs/source/architecture/manager.md b/docs/source/architecture/manager.md
new file mode 100644
index 00000000000..b0c70261768
--- /dev/null
+++ b/docs/source/architecture/manager.md
@@ -0,0 +1,34 @@
+# ScyllaDB Manager
+
+{{productName}} has a basic integration with ScyllaDB Manager. At this point there is one global ScyllaDBManager instance that manages all [ScyllaClusters](../resources/scyllaclusters/basics.md) and a corresponding controller that automatically configures the ScyllaDB Manager to monitor the ScyllaDB instances and sync [repair](#api-scylla.scylladb.com-scyllaclusters-v1-.spec.repairs[]) and [backup](#api-scylla.scylladb.com-scyllaclusters-v1-.spec.backups[]) tasks based on [ScyllaCluster](../api-reference/groups/scylla.scylladb.com/scyllaclusters.rst) definition. Unfortunately, the rest of the functionality is not yet implemented in ScyllaCluster APIs and e.g. a restore of a cluster from a backup needs to be performed by executing into the shared ScyllaDB Manager deployment and using `sctool` directly by an administrator.
+
+:::{caution}
+Because ScyllaDB Manager instance is shared by all users and their ScyllaClusters, only administrators should have privileges to access the `scylla-manager` namespace.
+:::
+
+ScyllaDB Manager uses a small ScyllaCluster instance internally and thus depends on the {{productName}} deployment and the CRD it provides.
+
+:::{include} ../.internal/manager-license-note.md
+:::
+
+## Accessing ScyllaDB Manager
+
+For the operations that are not yet supported on ScyllaClusters, you can access the ScyllaDB Manager manually.
+
+To find the ScyllaDB Manager ID for your cluster, run:
+
+:::{code-block} bash
+kubectl get scyllacluster/basic --template='{{ .status.managerId }}'
+:::
+
+:::{note}
+Note that some of the operations use *ScyllaDB Manager Agent* that runs within the ScyllaCluster that has to have access e.g. to buckets being used.
+:::
+
+## Configuring backup and repair tasks for a ScyllaCluster
+
+[Backup](#api-scylla.scylladb.com-scyllaclusters-v1-.spec.backups[]) and [repair](#api-scylla.scylladb.com-scyllaclusters-v1-.spec.repairs[]) tasks are configured for each [ScyllaCluster](../api-reference/groups/scylla.scylladb.com/scyllaclusters.rst) in its resource definition.
+
+## Manual restore procedure
+
+You can find more detail on how to perform the manual restore procedure in [this dedicated page](../resources/scyllaclusters/nodeoperations/restore.md).
diff --git a/docs/source/architecture/overview.md b/docs/source/architecture/overview.md
new file mode 100644
index 00000000000..c27ea844bac
--- /dev/null
+++ b/docs/source/architecture/overview.md
@@ -0,0 +1,31 @@
+# Overview
+
+## Foreword
+
+{{productName}} is a set of controllers and API extensions that need to be installed in your cluster.
+The Kubernetes API is extended using [CustomResourceDefinitions (CRDs)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) and [dynamic admission webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to provide new resources ([API reference](../api-reference/index.rst)).
+These resources are reconciled by controllers embedded within the {{productName}} deployment.
+
+ScyllaDB is a stateful application and {{productName}} requires you to have a storage provisioner installed in your cluster.
+To achieve the best performance, we recommend using a storage provisioner based on local NVMEs.
+You can learn more about different setups in [a dedicated storage section](./storage/overview.md).
+
+## Components
+
+{{productName}} deployment consists of several components that need to be installed / present in you Kubernetes cluster.
+By design, some of the components need elevated permissions, but they are only accessible to the administrators.
+
+
+### Cluster scoped
+```{image} ./components-cluster_scoped.svg
+:name: components-cluster-scoped
+:align: center
+:scale: 75%
+```
+
+### Namespaced
+```{image} ./components-namespaced.svg
+:name: components-namespaced
+:align: center
+:scale: 75%
+```
diff --git a/docs/source/architecture/storage/index.md b/docs/source/architecture/storage/index.md
new file mode 100644
index 00000000000..f7042662e7f
--- /dev/null
+++ b/docs/source/architecture/storage/index.md
@@ -0,0 +1,8 @@
+# Storage
+
+:::{toctree}
+:maxdepth: 1
+
+overview
+local-csi-driver
+:::
diff --git a/docs/source/architecture/storage/local-csi-driver.md b/docs/source/architecture/storage/local-csi-driver.md
new file mode 100644
index 00000000000..03dbec9777a
--- /dev/null
+++ b/docs/source/architecture/storage/local-csi-driver.md
@@ -0,0 +1,9 @@
+# Local CSI Driver
+
+## About
+
+The Local CSI Driver implements the [Container Storage Interface (CSI)](https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/), a specification for container orchestrators to manage the lifecycle of volumes.
+
+It supports dynamic provisioning on local disks, so storage volumes can be created on-demand through managed directories on the local disk.
+
+You can find more details and the source code at
diff --git a/docs/source/architecture/storage/overview.md b/docs/source/architecture/storage/overview.md
new file mode 100644
index 00000000000..57fd16d3421
--- /dev/null
+++ b/docs/source/architecture/storage/overview.md
@@ -0,0 +1,23 @@
+# Overview
+
+ScyllaDB works with both local and network attached storage provisioners, but our primary focus is around the local storage that can provide the best performance. We support using 2 local provisioners: [ScyllaDB Local CSI Driver](https://github.com/scylladb/local-csi-driver) and [Kubernetes SIG Storage Local Persistence Volume Static Provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner).
+
+## Setting up local disks
+
+When a Kubernetes node having local disk(s) is created, the storage is usually uninitialized. This heavily depends on your platform and its options, but even when provisioned with mounted disks, they usually don't set up *RAID*, nor have the option to choose a file system type. (ScyllaDB needs the storage to be formatted with `xfs`.)
+
+Setting up the RAID arrays, formatting the file system or mounting it in a declarative manner is challenging and that's one of the reasons we have created the [NodeConfig](../../resources/nodeconfigs.md) custom resource.
+
+## Supported local provisioners
+
+### ScyllaDB Local CSI driver
+
+ScyllaDB Local CSI Driver supports dynamic provisioning on local disks and sharing the storage capacity.
+It is based on dynamic directories and **xfs prjquota**.
+It allows [PersistentVolumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) to be created dynamically for a corresponding [PersistentVolumeClaim](https://kubernetes.io/docs/concepts/storage/volumes/#persistentvolumeclaim) by automatically provisioning directories created on disks attached to instances. On supported filesystems, directories have quota limitations to ensure volume size limits.
+
+At this point, the Local CSI Driver doesn't support provisioning block devices.
+
+### Kubernetes SIG Storage Static Local Volume Provisioner
+
+The local volume static provisioner is a Kubernetes SIG Storage project that can turn your disks into dedicated and isolated PersistentVolumes but all of them have to be created manually.
diff --git a/docs/source/architecture/tuning.md b/docs/source/architecture/tuning.md
new file mode 100644
index 00000000000..4ff72ecbfab
--- /dev/null
+++ b/docs/source/architecture/tuning.md
@@ -0,0 +1,34 @@
+# Tuning
+
+ScyllaDB works best when it's pinned to the CPUs and not interrupted.
+To get the best performance and latency we recommend you set up your ScyllaDB with [cpu pinning using the static CPU policy](../installation/kubernetes/generic.md#static-cpu-policy).
+
+One of the most common causes of context-switching are network interrupts.
+Packets coming to a Kubernetes node need to be processed which requires using CPU shares.
+
+On a Kubernetes node there is always a couple of other processes running, like kubelet, Kubernetes provider applications, daemons and others.
+These processes require CPU shares, so we cannot dedicate entire node processing power to Scylla, we need to leave space for others.
+We take advantage of it, and we pin IRQs to CPUs not used by any ScyllaDB Pods exclusively.
+
+Performance tuning is enabled by default **when you create a corresponding [NodeConfig](../resources/nodeconfigs.md) for your nodes**.
+
+Because some of the operations it needs to perform are not multitenant or require elevated privileges, the tuning scripts are ran in a dedicated system namespace called `scylla-operator-node-tuning`.
+This namespace is created and entirely managed by {{productName}} and only administrators can access it.
+
+The tuning is based around `perftune` script that comes from [scyllaDBUtilsImage](#api-scylla.scylladb.com-scyllaoperatorconfigs-v1alpha1-.status). `perftune` executes the performance optmizations like tuning the kernel, network, disk devices, spreading IRQs across CPUs and more. Conceptually, this is run in 2 parts: tuning the [Kubernetes nodes](#kubernetes-nodes) and tuning for [ScyllaDB Pods](#scylladb-pods).
+
+:::{include} ../.internal/tuning-warning.md
+:::
+
+## Kubernetes nodes
+
+`perftune` script is executed on the targeted Kubernetes nodes and it tunes kernel, network, disk devices and more.
+This is executed right after the tuning is enabled using a [NodeConfig](../resources/nodeconfigs.md)
+
+## ScyllaDB Pods
+
+When a [ScyllaCluster](../resources/scyllaclusters/basics.md) Pod is created (and performance tuning is enabled), the Pod initializes but waits until {{productName}} runs an on-demand Job that will configure the host and the ScyllaDB process accordingly (e.g. spreading IRQs across other CPUs).
+Only after that it will actually start running ScyllaDB.
+
+:::{include} ../.internal/tuning-qos-caution.md
+:::
diff --git a/docs/source/clients/index.rst b/docs/source/clients/index.rst
deleted file mode 100644
index 0c8c4697608..00000000000
--- a/docs/source/clients/index.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-==========================================================
-Using ScyllaDB APIs
-==========================================================
-
-.. toctree::
- :titlesonly:
- :maxdepth: 1
-
-
- discovery
- cql
- alternator
diff --git a/docs/source/conf.py b/docs/source/conf.py
index 4826cd4accf..d6e13f34ef7 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -50,8 +50,18 @@
# -- Options for myst parser
-myst_enable_extensions = ["colon_fence"]
+myst_enable_extensions = ["colon_fence", "attrs_inline", "substitution"]
myst_heading_anchors = 6
+myst_substitutions = {
+ "productName": "Scylla Operator",
+ "repository": "scylladb/scylla-operator",
+ "revision": "master",
+ "imageRepository": "docker.io/scylladb/scylla",
+ "imageTag": "6.2.0",
+ "enterpriseImageRepository": "docker.io/scylladb/scylla-enterprise",
+ "enterpriseImageTag": "2024.1.12",
+ "agentVersion": "3.4.0",
+}
# -- Options for not found extension
diff --git a/docs/source/contributing.md b/docs/source/contributing.md
deleted file mode 100644
index da5fc078732..00000000000
--- a/docs/source/contributing.md
+++ /dev/null
@@ -1,155 +0,0 @@
-# Contributing to Scylla Operator
-
-## Prerequisites
-
-To develop on scylla-operator, your environment must have the following:
-
-1. [Go 1.13](https://golang.org/dl/)
- * Make sure [GOPATH](https://github.com/golang/go/wiki/SettingGOPATH) is set to `GOPATH=$HOME/go`.
-2. [Kustomize v3.1.0](https://github.com/kubernetes-sigs/kustomize/releases/tag/v3.1.0)
-3. [kubebuilder v2.3.1](https://github.com/kubernetes-sigs/kubebuilder/releases/tag/v2.3.1)
-4. [Docker](https://docs.docker.com/install/)
-5. Git client installed
-6. Github account
-
-To install all dependencies (Go, kustomize, kubebuilder, dep), simply run:
-```bash
-./install-dependencies.sh
-```
-
-## Initial Setup
-
-### Create a Fork
-
-From your browser navigate to [http://github.com/scylladb/scylla-operator](http://github.com/scylladb/scylla-operator) and click the "Fork" button.
-
-### Clone Your Fork
-
-Open a console window and do the following:
-
-```bash
-# Create the scylla operator repo path
-mkdir -p $GOPATH/src/github.com/scylladb
-
-# Navigate to the local repo path and clone your fork
-cd $GOPATH/src/github.com/scylladb
-
-# Clone your fork, where is your GitHub account name
-git clone https://github.com//scylla-operator.git
-```
-
-### Add Upstream Remote
-
-First you will need to add the upstream remote to your local git:
-```bash
-# Add 'upstream' to the list of remotes
-git remote add upstream https://github.com/scylladb/scylla-operator.git
-
-# Verify the remote was added
-git remote -v
-```
-Now you should have at least `origin` and `upstream` remotes. You can also add other remotes to collaborate with other contributors.
-
-## Development
-
-To add a feature or to make a bug fix, you will need to create a branch in your fork and then submit a pull request (PR) from the branch.
-
-### Building the project
-
-You can build the project using the Makefile commands:
-* Open the Makefile and change the `IMG` environment variable to a repository you have access to.
-* Run `make docker-push` and wait for the image to be built and uploaded in your repo.
-
-### Create a Branch
-
-From a console, create a new branch based on your fork and start working on it:
-
-```bash
-# Ensure all your remotes are up to date with the latest
-git fetch --all
-
-# Create a new branch that is based off upstream master. Give it a simple, but descriptive name.
-# Generally it will be two to three words separated by dashes and without numbers.
-git checkout -b feature-name upstream/master
-```
-
-Now you are ready to make the changes and commit to your branch.
-
-### Updating Your Fork
-
-During the development lifecycle, you will need to keep up-to-date with the latest upstream master. As others on the team push changes, you will need to `rebase` your commits on top of the latest. This avoids unnecessary merge commits and keeps the commit history clean.
-
-Whenever you need to update your local repository, you never want to merge. You **always** will rebase. Otherwise you will end up with merge commits in the git history. If you have any modified files, you will first have to stash them (`git stash save -u ""`).
-
-```bash
-git fetch --all
-git rebase upstream/master
-```
-
-Rebasing is a very powerful feature of Git. You need to understand how it works or else you will risk losing your work. Read about it in the [Git documentation](https://git-scm.com/docs/git-rebase), it will be well worth it. In a nutshell, rebasing does the following:
-- "Unwinds" your local commits. Your local commits are removed temporarily from the history.
-- The latest changes from upstream are added to the history
-- Your local commits are re-applied one by one
-- If there are merge conflicts, you will be prompted to fix them before continuing. Read the output closely. It will tell you how to complete the rebase.
-- When done rebasing, you will see all of your commits in the history.
-
-## Submitting a Pull Request
-
-Once you have implemented the feature or bug fix in your branch, you will open a PR to the upstream repo. Before opening the PR ensure you have added unit tests, are passing the integration tests, cleaned your commit history, and have rebased on the latest upstream.
-
-In order to open a pull request (PR) it is required to be up to date with the latest changes upstream. If other commits are pushed upstream before your PR is merged, you will also need to rebase again before it will be merged.
-
-### Commit History
-
-To prepare your branch to open a PR, you will need to have the minimal number of logical commits so we can maintain
-a clean commit history. Most commonly a PR will include a single commit where all changes are squashed, although
-sometimes there will be multiple logical commits.
-
-```bash
-# Inspect your commit history to determine if you need to squash commits
-git log
-
-# Rebase the commits and edit, squash, or even reorder them as you determine will keep the history clean.
-# In this example, the last 5 commits will be opened in the git rebase tool.
-git rebase -i HEAD~5
-```
-
-Once your commit history is clean, ensure you have based on the [latest upstream](#updating-your-fork) before you open the PR.
-
-### Commit messages
-
-Please make the first line of your commit message a summary of the change that a user (not a developer) of Operator would like to read,
-and prefix it with the most relevant directory of the change followed by a colon.
-The changelog gets made by looking at just these first lines so make it good!
-
-If you have more to say about the commit, then enter a blank line and carry on the description.
-Remember to say why the change was needed - the commit itself shows what was changed.
-
-Writing more is better than less. Comparing the behaviour before the change to that after the change is very useful.
-Imagine you are writing to yourself in 12 months time when you've forgotten everything about what you just did, and you need to get up to speed quickly.
-
-If the change fixes an issue then write Fixes #1234 in the commit message.
-This can be on the subject line if it will fit. If you don't want to close the associated issue just put #1234 and the change will get linked into the issue.
-
-Here is an example of a short commit message:
-
-```
-sidecar: log on reconcile loop - fixes #1234
-```
-
-And here is an example of a longer one:
-```
-
-api: now supports host networking (#1234)
-
-The operator CRD now has a "network" property that can be used to
-select host networking as well as setting the apropriate DNS policy.
-
-Fixes #1234
-```
-
-### Submitting
-
-Go to the [Scylla Operator github](https://www.github.com/scylladb/scylla-operator) to open the PR. If you have pushed recently, you should see an obvious link to open the PR. If you have not pushed recently, go to the Pull Request tab and select your fork and branch for the PR.
-
-After the PR is open, you can make changes simply by pushing new commits. Your PR will track the changes in your fork and update automatically.
diff --git a/docs/source/eks.md b/docs/source/eks.md
deleted file mode 100644
index 94abd21b15e..00000000000
--- a/docs/source/eks.md
+++ /dev/null
@@ -1,128 +0,0 @@
-# Deploying Scylla on EKS
-
-This guide is focused on deploying Scylla on EKS with improved performance.
-Performance tricks used by the script won't work with different machine tiers.
-It sets up the kubelets on EKS nodes to run with [static cpu policy](https://kubernetes.io/blog/2018/07/24/feature-highlight-cpu-manager/) and uses [local sdd disks](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssd-instance-store.html) in RAID0 for maximum performance.
-
-Most of the commands used to setup the Scylla cluster are the same for all environments
-As such we have tried to keep them separate in the [general guide](generic.md).
-
-## TL;DR;
-
-If you don't want to run the commands step-by-step, you can just run a script that will set everything up for you:
-```bash
-# Edit according to your preference
-EKS_REGION=us-east-1
-EKS_ZONES=us-east-1a,us-east-1b,us-east-1c
-
-# From inside the examples/eks folder
-cd examples/eks
-./eks.sh -z "$EKS_ZONES" -r "$EKS_REGION"
-```
-
-After you deploy, see how you can [benchmark your cluster with cassandra-stress](generic.md#benchmark-with-cassandra-stress).
-
-## Walkthrough
-
-### EKS Setup
-
-#### Configure environment variables
-
-First of all, we export all the configuration options as environment variables.
-Edit according to your own environment.
-
-```
-EKS_REGION=us-east-1
-EKS_ZONES=us-east-1a,us-east-1b,us-east-1c
-CLUSTER_NAME=scylla-demo
-```
-
-#### Creating an EKS cluster
-
-For this guide, we'll create an EKS cluster with the following:
-
-* A NodeGroup of 3 `i3-2xlarge` Nodes, where the Scylla Pods will be deployed. These nodes will only accept pods having `scylla-clusters` toleration.
-
-```
- - name: scylla-pool
- instanceType: i3.2xlarge
- desiredCapacity: 3
- labels:
- scylla.scylladb.com/node-type: scylla
- taints:
- role: "scylla-clusters:NoSchedule"
- ssh:
- allow: true
- kubeletExtraConfig:
- cpuManagerPolicy: static
-```
-
-* A NodeGroup of 4 `c4.2xlarge` Nodes to deploy `cassandra-stress` later on. These nodes will only accept pods having `cassandra-stress` toleration.
-
-```
- - name: cassandra-stress-pool
- instanceType: c4.2xlarge
- desiredCapacity: 4
- labels:
- pool: "cassandra-stress-pool"
- taints:
- role: "cassandra-stress:NoSchedule"
- ssh:
- allow: true
-```
-
-* A NodeGroup of 1 `i3.large` Node, where the monitoring stack and operator will be deployed.
-```
- - name: monitoring-pool
- instanceType: i3.large
- desiredCapacity: 1
- labels:
- pool: "monitoring-pool"
- ssh:
- allow: true
-```
-
-### Prerequisites
-
-#### Installing script third party dependencies
-
-Script requires several dependencies:
-- eksctl - See: https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html
-- kubectl - See: https://kubernetes.io/docs/tasks/tools/install-kubectl/
-
-### Deploying ScyllaDB Operator
-
-Refer to [Deploying Scylla on a Kubernetes Cluster](generic.md) in the ScyllaDB Operator documentation to deploy the ScyllaDB Operator and its prerequisites.
-
-#### Setting up nodes for ScyllaDB
-
-ScyllaDB, except when in developer mode, requires storage with XFS filesystem. The local NVMes from the cloud provider usually come as individual devices. To use their full capacity together, you'll first need to form a RAID array from those disks.
-`NodeConfig` performs the necessary RAID configuration and XFS filesystem creation, as well as it optimizes the nodes. You can read more about it in [Performance tuning](performance.md) section of ScyllaDB Operator's documentation.
-
-Deploy `NodeConfig` to let it take care of the above operations:
-```
-kubectl apply --server-side -f examples/eks/nodeconfig-alpha.yaml
-```
-
-#### Deploying Local Volume Provisioner
-
-Afterwards, deploy ScyllaDB's [Local Volume Provisioner](https://github.com/scylladb/k8s-local-volume-provisioner), capable of dynamically provisioning PersistentVolumes for your ScyllaDB clusters on mounted XFS filesystems, earlier created over the configured RAID0 arrays.
-```
-kubectl -n local-csi-driver apply --server-side -f examples/common/local-volume-provisioner/local-csi-driver/
-```
-
-### Deploying ScyllaDB
-
-Now you can follow the steps described in [Deploying Scylla on a Kubernetes Cluster](generic.md) to launch your ScyllaDB cluster in a highly performant environment.
-
-#### Accessing the database
-
-Instructions on how to access the database can also be found in the [generic guide](generic.md).
-
-### Deleting an EKS cluster
-
-Once you are done with your experiments delete your cluster using the following command:
-
-```
-eksctl delete cluster "${CLUSTER_NAME}"
-```
diff --git a/docs/source/generic.md b/docs/source/generic.md
deleted file mode 100644
index 2f5db439956..00000000000
--- a/docs/source/generic.md
+++ /dev/null
@@ -1,372 +0,0 @@
-# Deploying Scylla on a Kubernetes Cluster
-
-This is a guide to deploy a Scylla Cluster in a generic Kubernetes environment, meaning that Scylla will not be deployed with the ideal performance.
-Scylla performs the best when it has fast disks and direct access to the cpu.
-This requires some extra setup, which is platform-specific.
-For specific configuration and setup, check for details about your particular environment:
-
-* [GKE](gke.md)
-
-## Prerequisites
-
-* A Kubernetes cluster
-* A [Storage Class](https://kubernetes.io/docs/concepts/storage/storage-classes/) to provision [PersistentVolumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/).
-* Helm 3 installed, Go to the [helm docs](https://docs.helm.sh/using_helm/#installing-helm) if you need to install it.
- Make sure that you enable the [stable repository](https://github.com/helm/charts#how-do-i-enable-the-stable-repository-for-helm-3)
-
-## Running locally
-
-Running kubernetes locally is a daunting and error prone task.
-Fortunately there are ways to make life easier and [Minikube](https://minikube.sigs.k8s.io/docs/) makes it a breeze.
-
-We need to give minikube a little bit more resources than default so start minikube like this:
-```console
-minikube start --cpus=6
-```
-
-Then make kubectl aware of this local installation like this:
-```console
-eval $(minikube docker-env)
-```
-
-## Download Scylla Operator
-In this guide you will be using the examples and manifests from [Scylla Operator repository](https://github.com/scylladb/scylla-operator), so start off by cloning it to your local machine.
-```console
-git clone https://github.com/scylladb/scylla-operator.git
-cd scylla-operator
-```
-
-## Deploy Cert Manager
-First deploy Cert Manager, you can either follow [upsteam instructions](https://cert-manager.io/docs/installation/kubernetes/) or use following command:
-
-```console
-kubectl apply --server-side -f examples/common/cert-manager.yaml
-```
-This will install Cert Manager to provision a self-signed certificate.
-
-Once it's deployed, wait until Cert Manager is ready:
-
-```console
-kubectl wait --for condition=established crd/certificates.cert-manager.io crd/issuers.cert-manager.io
-kubectl -n cert-manager rollout status deployment.apps/cert-manager-webhook
-```
-
-## Deploy Scylla Operator
-
-Deploy the Scylla Operator using the following commands:
-
-```console
-kubectl apply --server-side -f deploy/operator.yaml
-```
-
-This will install the operator in namespace `scylla-operator`.
-Wait until it's ready:
-
-```console
-kubectl wait --for condition=established crd/scyllaclusters.scylla.scylladb.com
-kubectl -n scylla-operator rollout status deployment.apps/scylla-operator
-```
-
-If you want to check the logs of the operator you can do so with:
-
- ```console
-kubectl -n scylla-operator logs deployment.apps/scylla-operator
-```
-
-## Create and Initialize a Scylla Cluster
-
-Now that the operator is running, we can create an instance of a Scylla cluster by creating an instance of the `clusters.scylla.scylladb.com` resource.
-Some of that resource's values are configurable, so feel free to browse `cluster.yaml` and tweak the settings to your liking.
-Full details for all the configuration options can be found in the [Scylla Cluster CRD documentation](api-reference/groups/scylla.scylladb.com/scyllaclusters.rst).
-
-When you are ready to create a Scylla cluster, simply run:
-
-```console
-kubectl create -f examples/generic/cluster.yaml
-```
-
-We can verify that a Kubernetes object has been created that represents our new Scylla cluster with the command below.
-This is important because it shows that has successfully extended Kubernetes to make Scylla clusters a first class citizen in the Kubernetes cloud-native environment.
-
-```console
-kubectl -n scylla get ScyllaCluster
-```
-
-Checking the pods that are created is as easy as:
-
-```console
-kubectl -n scylla get pods
-```
-
-The output should be something like:
-
-```console
-NAME READY STATUS RESTARTS AGE
-simple-cluster-us-east-1-us-east-1a-0 2/2 Running 0 9m49s
-simple-cluster-us-east-1-us-east-1a-1 2/2 Running 0 7m43s
-simple-cluster-us-east-1-us-east-1a-2 2/2 Running 0 6m46s
-```
-
-It is important to note that the operator creates these instances according to a pattern.
-This pattern is as follows: `CLUSTER_NAME-DATACENTER_NAME-RACK_NAME-INSTANCE_NUMBER` as specified in `cluster.yaml`.
-
-In the above example we have the following properties:
-
- - CLUSTER_NAME: `simple-cluster`
- - DATACENTER_NAME: `us-east-1`
- - RACK_NAME: `us-east-1a`
- - INSTANCE_NUMBER: An automatically generated number attached to the pod name.
-
-We picked the names to resemble something you can find in a cloud service but this is inconsequential, they can be set to anything you want.
-
-To check if all the desired members are running, you should see the same number of entries from the following command as the number of members that was specified in `cluster.yaml`:
-
-```console
-kubectl -n scylla get pod -l app=scylla
-```
-
-You can also track the state of a Scylla cluster from its status. To check the current status of a Cluster, run:
-
-```console
-kubectl -n scylla describe ScyllaCluster simple-cluster
-```
-
-Checking the logs of the running scylla instances can be done like this:
-
-```console
-kubectl -n scylla logs simple-cluster-us-east-1-us-east-1a-0 scylla
-```
-
-
-### Configure container kernel parameters
-
-Sometimes it is necessary to run the container with different kernel parameters.
-In order to support this, the Scylla Operator defines a cluster property `sysctls` that is a list of the desired key-value pairs to set.
-
-___For example___: To increase the number events available for asynchronous IO processing in the Linux kernel to N set sysctls to`fs.aio-max-nr=N`.
-
-```yaml
-spec:
- sysctls:
- - "fs.aio-max-nr=2097152"
-```
-
-### Deploying Alternator
-
-The operator is also capable of deploying [Alternator](https://www.scylladb.com/alternator/) instead of the regular Scylla.
-This requires a small change in the cluster definition.
-Change the `cluster.yaml` file from this:
-```yaml
-spec:
- agentVersion: 3.4.0
- version: 6.2.0
- developerMode: true
- datacenter:
- name: us-east-1
-```
-to this:
-```yaml
-spec:
- version: 6.2.0
- alternator:
- port: 8000
- writeIsolation: only_rmw_uses_lwt
- agentVersion: 3.4.0
- developerMode: true
- datacenter:
- name: us-east-1
-```
-You can specify whichever port you want.
-
-You must provide desired write isolation, supported values are: "always", "forbid_rmw", "only_rmw_uses_lwt".
-Difference between those isolation levels can be found in Scylla Alternator documentation.
-
-Once this is done the regular CQL ports will no longer be available, the cluster is a pure Alternator cluster.
-
-## Accessing the Database
-
-* From kubectl:
-
-To get a cqlsh shell in your new Cluster:
-```console
-kubectl exec -n scylla -it simple-cluster-us-east-1-us-east-1a-0 -- cqlsh
-> DESCRIBE KEYSPACES;
-```
-
-
-* From inside a Pod:
-
-When you create a new Cluster, automatically creates a Service for the clients to use in order to access the Cluster.
-The service's name follows the convention `-client`.
-You can see this Service in your cluster by running:
-```console
-kubectl -n scylla describe service simple-cluster-client
-```
-Pods running inside the Kubernetes cluster can use this Service to connect to Scylla.
-Here's an example using the [Python Driver](https://github.com/datastax/python-driver):
-```python
-from cassandra.cluster import Cluster
-
-cluster = Cluster(['simple-cluster-client.scylla.svc'])
-session = cluster.connect()
-```
-
-If you are running the Alternator you can access the API on the port you specified using plain http.
-
-## Configure Scylla
-
-The operator can take a ConfigMap and apply it to the scylla.yaml configuration file.
-This is done by adding a ConfigMap to Kubernetes and refering to this in the Rack specification.
-The ConfigMap is just a file called `scylla.yaml` that has the properties you want to change in it.
-The operator will take the default properties for the rest of the configuration.
-
-* Create a ConfigMap the default name that the operator uses is `scylla-config`:
-```console
-kubectl create configmap scylla-config -n scylla --from-file=/path/to/scylla.yaml
-```
-* Wait for the mount to propagate and then restart the cluster:
-```console
-kubectl rollout restart -n scylla statefulset/simple-cluster-us-east-1-us-east-1a
-```
-* The new config should be applied automatically by the operator, check the logs to be sure.
-
-Configuring `cassandra-rackdc.properties` is done by adding the file to the same mount as `scylla.yaml`.
-```console
-kubectl create configmap scylla-config -n scylla --from-file=/tmp/scylla.yaml --from-file=/tmp/cassandra-rackdc.properties -o yaml --dry-run | kubectl replace -f -
-```
-The operator will then apply the overridable properties `prefer_local` and `dc_suffix` if they are available in the provided mounted file.
-
-:::{note}
-If you want to enable authentication, you first need to adjust `system_auth` keyspace replication factor to the number of nodes in the datacenter via cqlsh. It allows you to ensure that the user’s information is kept highly available for the cluster. If `system_auth` is not equal to the number of nodes and a node fails, the user whose information is on that node will be denied access.
-For production environments only use `NetworkTopologyStrategy`.
-
-```shell
-kubectl -n scylla exec -it pods/simple-cluster-us-east-1-us-east-1a-0 -c scylla -- cqlsh -e "ALTER KEYSPACE system_auth WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'us-east-1' : };"
-```
-
-You can read more about enabling authentication in the [Enable authentication](https://opensource.docs.scylladb.com/stable/operating-scylla/security/authentication.html) section of ScyllaDB's documentation.
-:::
-
-## Configure Scylla Manager Agent
-
-The operator creates a second container for each scylla instance that runs [Scylla Manager Agent](https://hub.docker.com/r/scylladb/scylla-manager-agent).
-This container serves as a sidecar and it's the main endpoint for interacting with Scylla API.
-The Scylla Manager Agent can be configured with various things such as the security token used to allow access to Scylla API and storage providers for backups.
-
-To configure the agent you just create a new secret called _scylla-agent-config-secret_ and populate it with the contents in the `scylla-manager-agent.yaml` file like this:
-```console
-kubectl create secret -n scylla generic scylla-agent-config-secret --from-file scylla-manager-agent.yaml
-```
-
-See [Scylla Manager Agent configuration](https://manager.docs.scylladb.com/stable/config/scylla-manager-config.html) for a complete reference of the Scylla Manager agent config file.
-
-### Scylla Manager Agent auth token
-
-Operator provisions Agent auth token by copying value from user provided config secret or auto generates it if it's empty.
-To check which value is being used, decode content of `-auth-token` secret.
-To change it simply remove the secret. Operator will create a new one. To pick up the change in the cluster, initiate a rolling restart.
-
-## Set up monitoring
-
-To set up monitoring using Prometheus and Grafana follow [this guide](monitoring.md).
-
-## Scale a ScyllaCluster
-
-The operator supports adding new nodes to existing racks, adding new racks to the cluster, as well as removing both single nodes and entire racks. To introduce the changes, edit the cluster with:
-```console
-kubectl -n scylla edit scyllaclusters.scylla.scylladb.com/simple-cluster
-```
-* To modify the number of nodes in a rack, update the `members` field of the selected rack to a desired value.
-* To add a new rack, append it to the `.spec.datacenter.racks` list. Remember to choose a unique rack name for the new rack.
-* To remove a rack, first scale it down to zero nodes, and then remove it from `.spec.datacenter.racks` list.
-
-Having edited and saved the yaml, you can check your cluster's Status and Events to retrieve information about what's happening:
-```console
-kubectl -n scylla describe scyllaclusters.scylla.scylladb.com/simple-cluster
-```
-
-:::{note}
-If you have configured ScyllaDB with `authenticator` set to `PasswordAuthenticator`, you need to manually configure the replication factor of the `system_auth` keyspace with every scaling operation.
-
-```shell
-kubectl -n scylla exec -it pods/simple-cluster-us-east-1-us-east-1a-0 -c scylla -- cqlsh -u -p -e "ALTER KEYSPACE system_auth WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'us-east-1' : };"
-```
-
-It is recommended to set `system_auth` replication factor to the number of nodes in each datacenter.
-:::
-
-## Benchmark with cassandra-stress
-
-After deploying our cluster along with the monitoring, we can benchmark it using cassandra-stress and see its performance in Grafana. We have a mini cli that generates Kubernetes Jobs that run cassandra-stress against a cluster.
-
-> Because cassandra-stress doesn't scale well to multiple cores, we use multiple jobs with a small core count for each
-
-```bash
-
-# Run a benchmark with 10 jobs, with 6 cpus and 50.000.000 operations each.
-# Each Job will throttle throughput to 30.000 ops/sec for a total of 300.000 ops/sec.
-hack/cass-stress-gen.py --num-jobs=10 --cpu=6 --memory=20G --ops=50000000 --limit=30000
-kubectl apply -f scripts/cassandra-stress.yaml
-```
-
-Make sure you set the proper arguments in case you have altered things such as _name_ or _namespace_.
-
-```bash
-./hack/cass-stress-gen.py -h
-usage: cass-stress-gen.py [-h] [--num-jobs NUM_JOBS] [--name NAME] [--namespace NAMESPACE] [--scylla-version SCYLLA_VERSION] [--host HOST] [--cpu CPU] [--memory MEMORY] [--ops OPS] [--threads THREADS] [--limit LIMIT]
- [--connections-per-host CONNECTIONS_PER_HOST] [--print-to-stdout] [--nodeselector NODESELECTOR]
-
-Generate cassandra-stress job templates for Kubernetes.
-
-optional arguments:
- -h, --help show this help message and exit
- --num-jobs NUM_JOBS number of Kubernetes jobs to generate - defaults to 1
- --name NAME name of the generated yaml file - defaults to cassandra-stress
- --namespace NAMESPACE
- namespace of the cassandra-stress jobs - defaults to "default"
- --scylla-version SCYLLA_VERSION
- version of scylla server to use for cassandra-stress - defaults to 4.0.0
- --host HOST ip or dns name of host to connect to - defaults to scylla-cluster-client.scylla.svc
- --cpu CPU number of cpus that will be used for each job - defaults to 1
- --memory MEMORY memory that will be used for each job in GB, ie 2G - defaults to 2G * cpu
- --ops OPS number of operations for each job - defaults to 10000000
- --threads THREADS number of threads used for each job - defaults to 50 * cpu
- --limit LIMIT rate limit for each job - defaults to no rate-limiting
- --connections-per-host CONNECTIONS_PER_HOST
- number of connections per host - defaults to number of cpus
- --print-to-stdout print to stdout instead of writing to a file
- --nodeselector NODESELECTOR
- nodeselector limits cassandra-stress pods to certain nodes. Use as a label selector, eg. --nodeselector role=scylla
-```
-While the benchmark is running, open up Grafana and take a look at the monitoring metrics.
-
-After the Jobs finish, clean them up with:
-```bash
-kubectl delete -f scripts/cassandra-stress.yaml
-```
-
-## Clean Up
-
-To clean up all resources associated with this walk-through, you can run the commands below.
-
-**NOTE:** this will destroy your database and delete all of its associated data.
-
-```console
-kubectl delete -f examples/generic/cluster.yaml
-kubectl delete -f deploy/operator.yaml
-kubectl delete -f examples/common/cert-manager.yaml
-```
-
-## Troubleshooting
-
-If the cluster does not come up, the first step would be to examine the operator's logs:
-
-```console
-kubectl -n scylla-operator logs deployment.apps/scylla-operator
-```
-
-If everything looks OK in the operator logs, you can also look in the logs for one of the Scylla instances:
-
-```console
-kubectl -n scylla logs simple-cluster-us-east-1-us-east-1a-0
-```
diff --git a/docs/source/gke.md b/docs/source/gke.md
deleted file mode 100644
index 27f99ea439c..00000000000
--- a/docs/source/gke.md
+++ /dev/null
@@ -1,173 +0,0 @@
-# Deploying Scylla on GKE
-
-This guide is focused on deploying Scylla on GKE with maximum performance (without any persistence guarantees).
-It sets up the kubelets on GKE nodes to run with [static cpu policy](https://kubernetes.io/blog/2018/07/24/feature-highlight-cpu-manager/) and uses [local sdd disks](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/local-ssd) in RAID0 for maximum performance.
-
-Most of the commands used to setup the Scylla cluster are the same for all environments
-As such we have tried to keep them separate in the [general guide](generic.md).
-
-## TL;DR;
-
-If you don't want to run the commands step-by-step, you can just run a script that will set everything up for you:
-```bash
-# Edit according to your preference
-GCP_USER=$(gcloud config list account --format "value(core.account)")
-GCP_PROJECT=$(gcloud config list project --format "value(core.project)")
-GCP_ZONE=us-west1-b
-
-# From inside the examples/gke folder
-cd examples/gke
-./gke.sh -u "$GCP_USER" -p "$GCP_PROJECT" -z "$GCP_ZONE"
-
-# Example:
-# ./gke.sh -u yanniszark@arrikto.com -p gke-demo-226716 -z us-west1-b
-```
-
-:::{warning}
-Make sure to pass a ZONE (ex.: us-west1-b) and not a REGION (ex.: us-west1) or it will deploy nodes in each ZONE available in the region.
-:::
-
-After you deploy, see how you can [benchmark your cluster with cassandra-stress](generic.md#benchmark-with-cassandra-stress).
-
-## Walkthrough
-
-### Google Kubernetes Engine Setup
-
-#### Configure environment variables
-
-First of all, we export all the configuration options as environment variables.
-Edit according to your own environment.
-
-```
-GCP_USER=$( gcloud config list account --format "value(core.account)" )
-GCP_PROJECT=$( gcloud config list project --format "value(core.project)" )
-GCP_REGION=us-west1
-GCP_ZONE=us-west1-b
-CLUSTER_NAME=scylla-demo
-CLUSTER_VERSION=$( gcloud container get-server-config --zone ${GCP_ZONE} --format "value(validMasterVersions[0])" )
-```
-
-#### Creating a GKE cluster
-
-First we need to change kubelet CPU Manager policy to static by providing a config file. Create file called `systemconfig.yaml` with the following content:
-```
-kubeletConfig:
- cpuManagerPolicy: static
-```
-
-Then we'll create a GKE cluster with the following:
-
-1. A NodePool of 2 `n1-standard-8` Nodes, where the operator and the monitoring stack will be deployed. These are generic Nodes and their free capacity can be used for other purposes.
- ```
- gcloud container \
- clusters create "${CLUSTER_NAME}" \
- --cluster-version "${CLUSTER_VERSION}" \
- --node-version "${CLUSTER_VERSION}" \
- --machine-type "n1-standard-8" \
- --num-nodes "2" \
- --disk-type "pd-ssd" --disk-size "20" \
- --image-type "UBUNTU_CONTAINERD" \
- --enable-stackdriver-kubernetes \
- --no-enable-autoupgrade \
- --no-enable-autorepair
- ```
-
-2. A NodePool of 2 `n1-standard-32` Nodes to deploy `cassandra-stress` later on.
-
- ```
- gcloud container --project "${GCP_PROJECT}" \
- node-pools create "cassandra-stress-pool" \
- --cluster "${CLUSTER_NAME}" \
- --zone "${GCP_ZONE}" \
- --node-version "${CLUSTER_VERSION}" \
- --machine-type "n1-standard-32" \
- --num-nodes "2" \
- --disk-type "pd-ssd" --disk-size "20" \
- --node-taints role=cassandra-stress:NoSchedule \
- --image-type "UBUNTU_CONTAINERD" \
- --no-enable-autoupgrade \
- --no-enable-autorepair
- ```
-
-3. A NodePool of 4 `n1-standard-32` Nodes, where the Scylla Pods will be deployed. Each of these Nodes has 8 local NVMe SSDs attached, which are provided as [raw block devices](https://cloud.google.com/kubernetes-engine/docs/concepts/local-ssd#block). It is important to disable `autoupgrade` and `autorepair`. Automatic cluster upgrade or node repair has a hard timeout after which it no longer respect PDBs and force deletes the Compute Engine instances, which also deletes all data on the local SSDs. At this point, it's better to handle upgrades manually, with more control over the process and error handling.
- ```
- gcloud container \
- node-pools create "scylla-pool" \
- --cluster "${CLUSTER_NAME}" \
- --node-version "${CLUSTER_VERSION}" \
- --machine-type "n1-standard-32" \
- --num-nodes "4" \
- --disk-type "pd-ssd" --disk-size "20" \
- --local-nvme-ssd-block count="8" \
- --node-taints role=scylla-clusters:NoSchedule \
- --node-labels scylla.scylladb.com/node-type=scylla \
- --image-type "UBUNTU_CONTAINERD" \
- --system-config-from-file=systemconfig.yaml \
- --no-enable-autoupgrade \
- --no-enable-autorepair
- ```
-
-#### Setting Yourself as `cluster-admin`
-> (By default GKE doesn't give you the necessary RBAC permissions)
-
-Get the credentials for your new cluster
-```
-gcloud container clusters get-credentials "${CLUSTER_NAME}" --zone="${GCP_ZONE}"
-```
-
-Create a ClusterRoleBinding for your user.
-In order for this to work you need to have at least permission `container.clusterRoleBindings.create`.
-The easiest way to obtain this permission is to enable the `Kubernetes Engine Admin` role for your user in the GCP IAM web interface.
-```
-kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user "${GCP_USER}"
-```
-
-
-### Prerequisites
-
-### Deploying ScyllaDB Operator
-
-Refer to [Deploying Scylla on a Kubernetes Cluster](generic.md) in the ScyllaDB Operator documentation to deploy the ScyllaDB Operator and its prerequisites.
-
-#### Setting up nodes for ScyllaDB
-
-ScyllaDB, except when in developer mode, requires storage with XFS filesystem. The local NVMes from the cloud provider usually come as individual devices. To use their full capacity together, you'll first need to form a RAID array from those disks.
-`NodeConfig` performs the necessary RAID configuration and XFS filesystem creation, as well as it optimizes the nodes. You can read more about it in [Performance tuning](performance.md) section of ScyllaDB Operator's documentation.
-
-Deploy `NodeConfig` to let it take care of the above operations:
-```
-kubectl apply --server-side -f examples/gke/nodeconfig-alpha.yaml
-```
-
-#### Deploying Local Volume Provisioner
-
-Afterwards, deploy ScyllaDB's [Local Volume Provisioner](https://github.com/scylladb/k8s-local-volume-provisioner), capable of dynamically provisioning PersistentVolumes for your ScyllaDB clusters on mounted XFS filesystems, earlier created over the configured RAID0 arrays.
-```
-kubectl -n local-csi-driver apply --server-side -f examples/common/local-volume-provisioner/local-csi-driver/
-kubectl apply --server-side -f examples/common/local-volume-provisioner/local-csi-driver/00_scylladb-local-xfs.storageclass.yaml
-```
-
-### Deploy Scylla cluster
-In order for the example to work you need to modify the cluster definition in the following way:
-
-```
-sed -i "s//${GCP_REGION}/g;s//${GCP_ZONE}/g" examples/gke/cluster.yaml
-```
-
-This will inject your region and zone into the cluster definition so that it matches the kubernetes cluster you just created.
-
-### Deploying ScyllaDB
-
-Now you can follow the steps described in [Deploying Scylla on a Kubernetes Cluster](generic.md) to launch your ScyllaDB cluster in a highly performant environment.
-
-#### Accessing the database
-
-Instructions on how to access the database can also be found in the [generic guide](generic.md).
-
-### Deleting a GKE cluster
-
-Once you are done with your experiments delete your cluster using the following command:
-
-```
-gcloud container --project "${GCP_PROJECT}" clusters delete --zone "${GCP_ZONE}" "${CLUSTER_NAME}"
-```
diff --git a/docs/source/index.md b/docs/source/index.md
new file mode 100644
index 00000000000..162c5961fd7
--- /dev/null
+++ b/docs/source/index.md
@@ -0,0 +1,109 @@
+---
+sd_hide_title: true
+---
+
+# Scylla Operator Documentation
+
+:::{toctree}
+:hidden:
+:maxdepth: 1
+
+architecture/index
+installation/index
+resources/index
+quickstarts/index
+support/index
+api-reference/index
+:::
+
+## Scylla Operator
+
+::::{grid} 1 1 1 2
+:reverse:
+
+:::{grid-item}
+:columns: 12 12 12 4
+
+```{image} logo.png
+:width: 150pt
+:class: sd-m-auto
+:name: landing-page-logo
+```
+
+:::
+
+:::{grid-item}
+:child-align: justify
+:columns: 12 12 12 8
+:class: sd-d-flex-column
+
+{{productName}} project helps users to run ScyllaDB on Kubernetes.
+It extends the Kubernetes APIs using [CustomResourceDefinitions(CRDs)](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/) and runs controllers that reconcile the desired state declared using these APIs.
+
+{{productName}} works with both ScyllaDB Open Source and ScyllaDB Enterprise. By default, our examples use ScyllaDB Open Source. To make the switch to ScyllaDB Enterprise, you only have to [change the ScyllaCluster image repository](#scyllacluster-enterprise) and [adjust the ScyllaDB utils image using ScyllaOperatorConfig](resources/scyllaoperatorconfigs.md#tuning-with-scylladb-enterprise).
+
+Here is a subset of items to start with.
+You can also navigate through the documentation using the menu.
+
+:::
+
+::::
+
+
+::::{grid} 1 1 2 3
+:gutter: 4
+
+:::{grid-item-card} {material-regular}`architecture;2em` Architecture
+:link: architecture/overview
+
+Learn about the components of Scylla Operator and how they fit together.
++++
+[Learn more »](architecture/overview)
+:::
+
+:::{grid-item-card} {material-regular}`electric_bolt;2em` Installation
+:link: installation/overview
+
+Configure your Kubernetes platform, install prerequisites and all components of {{productName}}.
++++
+[Learn more »](installation/overview)
+:::
+
+:::{grid-item-card} {material-regular}`storage;2em` Working with Resources
+:link: resources/overview
+Learn about the APIs that {{productName}} provides. ScyllaClusters, ScyllaDBMonitorings and more.
++++
+[Learn more »](resources/overview)
+:::
+
+:::{grid-item-card} {material-regular}`explore;2em` Quickstarts
+:link: quickstarts/index
+
+Get it running right now. Simple GKE and EKS setups.
+
++++
+[Learn more »](quickstarts/index)
+:::
+
+:::{grid-item-card} {material-regular}`fitness_center;2em` Performance Tuning
+:link: architecture/tuning
+Tune your infra and ScyllaDB cluster for the best performance and low latency.
++++
+[Learn more »](architecture/tuning)
+:::
+
+:::{grid-item-card} {material-regular}`build;2em` Support
+:link: support/overview
+FAQs, support matrix, must-gather and more.
++++
+[Learn more »](support/overview)
+:::
+
+:::{grid-item-card} {material-regular}`menu_book;2em` API Rererence
+:link: api-reference/index
+Visit the automatically generated API reference for all our APIs.
++++
+[Learn more »](api-reference/index)
+:::
+
+::::
diff --git a/docs/source/index.rst b/docs/source/index.rst
deleted file mode 100644
index 32bf1347c2d..00000000000
--- a/docs/source/index.rst
+++ /dev/null
@@ -1,67 +0,0 @@
-=============================
-Scylla Operator Documentation
-=============================
-
-.. toctree::
- :hidden:
- :maxdepth: 1
-
- generic
- eks
- gke
- helm
- manager
- monitoring
- clients/index
- migration
- nodeoperations/index
- exposing
- multidc/index
- performance
- upgrade
- releases
- support/index
- api-reference/index
- contributing
-
-Scylla Operator is an open source project which helps users of Scylla Open Source and Scylla Enterprise run Scylla on Kubernetes (K8s)
-The Scylla operator manages Scylla clusters deployed to Kubernetes and automates tasks related to operating a Scylla cluster, like installation, out and downscale, rolling upgrades.
-
-.. image:: logo.png
- :width: 200pt
-
-For the latest status of the project, and reports issue, see the Github Project. Also check out the `K8s Operator lesson on Scylla University `_.
-
-scylla-operator is a Kubernetes Operator for managing Scylla clusters.
-
-Currently it supports:
-
-* Deploying multi-zone clusters
-* Scaling up or adding new racks
-* Scaling down
-* Monitoring with Prometheus and Grafana
-* Integration with `Scylla Manager `_
-* Dead node replacement
-* Version Upgrade
-* Backup
-* Repairs
-* Autohealing
-
-**Choose a topic to begin**:
-
-* :doc:`Deploying Scylla on a Kubernetes Cluster `
-* :doc:`Deploying Scylla on EKS `
-* :doc:`Deploying Scylla on GKE `
-* :doc:`Deploying Scylla Manager on a Kubernetes Cluster `
-* :doc:`Deploying Scylla stack using Helm Charts `
-* :doc:`Setting up Monitoring using Prometheus and Grafana `
-* :doc:`Using ScyllaDB APIs `
-* :doc:`Node operations `
-* :doc:`Exposing ScyllaCluster to other networks `
-* :doc:`Deploying multi-datacenter ScyllaDB clusters in Kubernetes `
-* :doc:`Performance tuning [Experimental] `
-* :doc:`Upgrade procedures `
-* :doc:`Releases `
-* :doc:`Support `
-* :doc:`API Reference `
-* :doc:`Contributing to the Scylla Operator Project `
diff --git a/docs/source/installation/deploy.odg b/docs/source/installation/deploy.odg
new file mode 100644
index 00000000000..496af81eec4
Binary files /dev/null and b/docs/source/installation/deploy.odg differ
diff --git a/docs/source/installation/deploy.svg b/docs/source/installation/deploy.svg
new file mode 100644
index 00000000000..d6cce5ae691
--- /dev/null
+++ b/docs/source/installation/deploy.svg
@@ -0,0 +1,577 @@
+
+
+
\ No newline at end of file
diff --git a/docs/source/installation/gitops.md b/docs/source/installation/gitops.md
new file mode 100644
index 00000000000..a486e1d63c3
--- /dev/null
+++ b/docs/source/installation/gitops.md
@@ -0,0 +1,207 @@
+# GitOps (kubectl)
+
+## Disclaimer
+
+The following commands reference manifests that come from the same repository as the source code is being built from.
+This means we can't have a pinned reference to the latest release as that is a [chicken-egg problem](https://en.wikipedia.org/wiki/Chicken_or_the_egg). Therefore, we use a rolling tag for the particular branch in our manifests.
+:::{caution}
+For production deployment, you should always replace the {{productName}} image in all the manifests that contain it with a stable (full version) reference.
+We'd encourage you to use a sha reference, although using full-version tags is also fine.
+:::
+
+
+## Installation
+
+### Prerequisites
+
+{{productName}} has a few dependencies that you need to install to your cluster first.
+
+In case you already have a supported version of each of these dependencies installed in your cluster, you can skip this part.
+
+#### Cert Manager
+
+:::{code-block} shell
+:substitutions:
+
+kubectl apply --server-side -f=https://raw.githubusercontent.com/{{repository}}/{{revision}}/examples/third-party/cert-manager.yaml
+:::
+
+:::{code-block} shell
+# Wait for CRDs to propagate to all apiservers.
+kubectl wait --for condition=established --timeout=60s crd/certificates.cert-manager.io crd/issuers.cert-manager.io
+
+# Wait for components that other steps depend on.
+for deploy in cert-manager{,-cainjector,-webhook}; do
+ kubectl -n=cert-manager rollout status --timeout=10m deployment.apps/"${deploy}"
+done
+
+# Wait for webhook CA secret to be created.
+for i in {1..30}; do
+ { kubectl -n=cert-manager get secret/cert-manager-webhook-ca && break; } || sleep 1
+done
+:::
+
+#### Prometheus Operator
+
+:::{code-block} shell
+:substitutions:
+
+kubectl -n=prometheus-operator apply --server-side -f=https://raw.githubusercontent.com/{{repository}}/{{revision}}/examples/third-party/prometheus-operator.yaml
+:::
+
+:::{code-block} shell
+# Wait for CRDs to propagate to all apiservers.
+kubectl wait --for='condition=established' crd/prometheuses.monitoring.coreos.com crd/prometheusrules.monitoring.coreos.com crd/servicemonitors.monitoring.coreos.com
+
+# Wait for prometheus operator deployment.
+kubectl -n=prometheus-operator rollout status --timeout=10m deployment.apps/prometheus-operator
+
+# Wait for webhook CA secret to be created.
+for i in {1..30}; do
+ { kubectl -n=cert-manager get secret/cert-manager-webhook-ca && break; } || sleep 1
+done
+:::
+
+### {{productName}}
+
+Once you have the dependencies installed and available in your cluster, it is the time to install {{productName}}.
+
+:::{code-block} shell
+:substitutions:
+
+kubectl -n=scylla-operator apply --server-side -f=https://raw.githubusercontent.com/{{repository}}/{{revision}}/deploy/operator.yaml
+:::
+
+::::{caution}
+{{productName}} deployment references its own image that it later runs alongside each ScyllaDB instance. Therefore, you have to also replace the image in the environment variable called `SCYLLA_OPERATOR_IMAGE`:
+:::{code-block} yaml
+:linenos:
+:emphasize-lines: 16,19,20
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: scylla-operator
+ namespace: scylla-operator
+# ...
+spec:
+ # ...
+ template:
+ # ...
+ spec:
+ # ...
+ containers:
+ - name: scylla-operator
+ # ...
+ image: docker.io/scylladb/scylla-operator:1.14.0@sha256:8c75c5780e2283f0a8f9734925352716f37e0e7f41007e50ce9b1d9924046fa1
+ env:
+ # ...
+ - name: SCYLLA_OPERATOR_IMAGE
+ value: docker.io/scylladb/scylla-operator:1.14.0@sha256:8c75c5780e2283f0a8f9734925352716f37e0e7f41007e50ce9b1d9924046fa1
+:::
+The {{productName}} image value and the `SCYLLA_OPERATOR_IMAGE` shall always match.
+Be careful not to use a rolling tag for any of them to avoid an accidental skew!
+::::
+
+:::{code-block} shell
+# Wait for CRDs to propagate to all apiservers.
+kubectl wait --for='condition=established' crd/scyllaclusters.scylla.scylladb.com crd/nodeconfigs.scylla.scylladb.com crd/scyllaoperatorconfigs.scylla.scylladb.com crd/scylladbmonitorings.scylla.scylladb.com
+
+# Wait for the components to deploy.
+kubectl -n=scylla-operator rollout status --timeout=10m deployment.apps/{scylla-operator,webhook-server}
+
+# Wait for webhook CA secret to be created.
+for i in {1..30}; do
+ { kubectl -n=cert-manager get secret/cert-manager-webhook-ca && break; } || sleep 1
+done
+:::
+
+### Setting up local storage on nodes and enabling tuning
+
+:::{caution}
+The following step heavily depends on the platform that you use, the machine type, or the options chosen when creating a node pool.
+
+Please review the [NodeConfig](../resources/nodeconfigs.md) and adjust it for your platform!
+:::
+
+:::::{tab-set}
+
+::::{tab-item} GKE (NVMe)
+:::{code-block} shell
+:substitutions:
+kubectl -n=scylla-operator apply --server-side -f=https://raw.githubusercontent.com/{{repository}}/{{revision}}/examples/gke/nodeconfig-alpha.yaml
+:::
+::::
+
+::::{tab-item} EKS (NVMe)
+:::{code-block} shell
+:substitutions:
+kubectl -n=scylla-operator apply --server-side -f=https://raw.githubusercontent.com/{{repository}}/{{revision}}/examples/eks/nodeconfig-alpha.yaml
+:::
+::::
+
+::::{tab-item} Any platform (Loop devices)
+:::{caution}
+This NodeConfig sets up loop devices instead of NVMe disks and is only intended for development purposes when you don't have the NVMe disks available.
+Do not expect meaningful performance with this setup.
+:::
+:::{code-block} shell
+:substitutions:
+kubectl -n=scylla-operator apply --server-side -f=https://raw.githubusercontent.com/{{repository}}/{{revision}}/examples/generic/nodeconfig-alpha.yaml
+:::
+::::
+
+:::::
+
+:::{note}
+Performance tuning is enabled for all nodes that are selected by [NodeConfig](../resources/nodeconfigs.md) by default, unless opted-out.
+:::
+
+:::{code-block} shell
+# Wait for NodeConfig to apply changes to the Kubernetes nodes.
+kubectl wait --for='condition=Reconciled' --timeout=10m nodeconfigs.scylla.scylladb.com/scylladb-nodepool-1
+:::
+
+### Local CSI driver
+
+:::{code-block} shell
+:substitutions:
+
+kubectl -n=local-csi-driver apply --server-side -f=https://raw.githubusercontent.com/{{repository}}/{{revision}}/examples/common/local-volume-provisioner/local-csi-driver/{00_namespace,00_scylladb-local-xfs.storageclass,10_csidriver,10_driver.serviceaccount,10_provisioner_clusterrole,20_provisioner_clusterrolebinding,50_daemonset}.yaml
+:::
+
+:::{code-block} shell
+# Wait for it to deploy.
+kubectl -n=local-csi-driver rollout status --timeout=10m daemonset.apps/local-csi-driver
+:::
+
+### ScyllaDB Manager
+
+:::{include} ../.internal/manager-license-note.md
+:::
+
+:::::{tab-set}
+
+::::{tab-item} Production (sized)
+:::{code-block} shell
+:substitutions:
+kubectl -n=scylla-manager apply --server-side -f=https://raw.githubusercontent.com/{{repository}}/{{revision}}/deploy/manager-prod.yaml
+:::
+::::
+
+::::{tab-item} Development (sized)
+:::{code-block} shell
+:substitutions:
+kubectl -n=scylla-manager apply --server-side -f=https://raw.githubusercontent.com/{{repository}}/{{revision}}/deploy/manager-dev.yaml
+:::
+::::
+
+:::::
+
+:::{code-block} shell
+# Wait for it to deploy.
+kubectl -n=scylla-manager rollout status --timeout=10m deployment.apps/scylla-manager
+:::
+
+## Next steps
+
+Now that you've successfully installed {{productName}}, it's time to look at [how to run ScyllaDB](../resources/scyllaclusters/basics.md).
diff --git a/docs/source/helm.md b/docs/source/installation/helm.md
similarity index 90%
rename from docs/source/helm.md
rename to docs/source/installation/helm.md
index e157523c417..ff54170ddb0 100644
--- a/docs/source/helm.md
+++ b/docs/source/installation/helm.md
@@ -1,4 +1,7 @@
-# Deploying Scylla stack using Helm Charts
+# Helm
+
+:::{include} ../.internal/helm-crd-warning.md
+:::
In this example we will install Scylla stack on Kubernetes. This includes the following components:
- Scylla Operator
@@ -163,7 +166,7 @@ racks:
Above cluster will use 4.3.0 Scylla, 2.2.1 Scylla Manager Agent sidecar and will have a single rack having 2 nodes.
Each node will have a single CPU and 1 GiB of memory.
-For other customizable fields, please refer to [ScyllaCluster CRD](api-reference/groups/scylla.scylladb.com/scyllaclusters.rst).
+For other customizable fields, please refer to [ScyllaCluster CRD](../api-reference/groups/scylla.scylladb.com/scyllaclusters.rst).
CRD Rack Spec and Helm Chart Rack should have the same fields.
### Installation
@@ -180,7 +183,7 @@ Scylla Operator will provision this cluster on your K8s environment.
Scylla Manager Chart allows to customize and deploy Scylla Manager in K8s environment.
Scylla Manager consist of two applications (Scylla Manager itself and Scylla Manager Controller) and additional Scylla cluster.
-To read more about Scylla Manager see [Manager guide](manager.md).
+To read more about Scylla Manager see [Manager guide](../architecture/manager.md).
### Scylla Manager
@@ -313,7 +316,7 @@ Two running nodes, exactly what we were asking for.
## Monitoring
-To spin up a Prometheus monitoring refer to [monitoring guide](monitoring.md).
+To spin up a Prometheus monitoring refer to [monitoring guide](../resources/scylladbmonitorings.md).
Helm charts can create ServiceMonitors needed to observe Scylla Manager and Scylla.
Both of these Helm Charts allows to specify whether you want to create a ServiceMonitor:
@@ -329,6 +332,26 @@ helm upgrade --install scylla --namespace scylla scylla/scylla -f examples/helm/
Helm should notice the difference, install the ServiceMonitor, and then Prometheous will be able to scrape metrics.
+## Upgrade via Helm
+
+Replace `` with the name of your Helm release for Scylla Operator and replace `` with the version number you want to install:
+1. Make sure Helm chart repository is up-to-date:
+ ```
+ helm repo add scylla-operator https://storage.googleapis.com/scylla-operator-charts/stable
+ helm repo update
+ ```
+2. Update CRD resources. We recommend using `--server-side` flag for `kubectl apply`, if your version supports it.
+ ```
+ tmpdir=$( mktemp -d ) \
+ && helm pull scylla-operator/scylla-operator --version --untar --untardir "${tmpdir}" \
+ && find "${tmpdir}"/scylla-operator/crds/ -name '*.yaml' -printf '-f=%p ' \
+ | xargs kubectl apply
+ ```
+3. Update Scylla Operator
+ ```
+ helm upgrade --version scylla-operator/scylla-operator
+ ```
+
## Cleanup
To remove these applications you can simply uninstall them using Helm CLI:
diff --git a/docs/source/installation/index.md b/docs/source/installation/index.md
new file mode 100644
index 00000000000..50a02ed71e1
--- /dev/null
+++ b/docs/source/installation/index.md
@@ -0,0 +1,10 @@
+# Installation
+
+:::{toctree}
+:maxdepth: 1
+
+overview
+kubernetes/index
+gitops
+helm
+:::
diff --git a/docs/source/installation/kubernetes/eks.md b/docs/source/installation/kubernetes/eks.md
new file mode 100644
index 00000000000..0f94317f4c9
--- /dev/null
+++ b/docs/source/installation/kubernetes/eks.md
@@ -0,0 +1,17 @@
+# EKS
+
+## Kubelet
+
+### Static CPU policy
+
+`eksctl` allows you to set [static CPU policy](./generic.md#static-cpu-policy) for each node pool like:
+```{code} yaml
+:number-lines:
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+# ...
+nodeGroups:
+- name: scylla-pool
+ kubeletExtraConfig:
+ cpuManagerPolicy: static
+```
diff --git a/docs/source/installation/kubernetes/generic.md b/docs/source/installation/kubernetes/generic.md
new file mode 100644
index 00000000000..1b0bfd7dda6
--- /dev/null
+++ b/docs/source/installation/kubernetes/generic.md
@@ -0,0 +1,24 @@
+# Generic
+
+Because {{productName}} aims to leverage the best performance available, there are a few extra steps that need to be configured on your Kubernetes cluster.
+
+## Kubelet
+
+### Static CPU policy
+
+By default, *kubelet* uses the CFS quota to enforce pod CPU limits.
+When the Kubernetes node runs a lot of CPU-bound Pods, the processes can move over different CPU cores, depending on whether the Pod is throttled and which CPU cores are available.
+However, kubelet may be configured to assign CPUs exclusively by setting the CPU manager policy to static.
+
+To get the best performance and latency ScyllaDB Pods should run under [static CPU policy](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy) to pin cores.
+
+:::{note}
+Configuring kubelet options is provider specific.
+We provide a few examples for the major ones later in this section, otherwise please consult the documentation for your Kubernetes platform.
+:::
+
+## Nodes
+
+### Labels
+
+For the purposes of the installation guides, we assume that the nodes meant to run ScyllaDB (ScyllaClusters) have label `scylla.scylladb.com/node-type=scylla`.
diff --git a/docs/source/installation/kubernetes/gke.md b/docs/source/installation/kubernetes/gke.md
new file mode 100644
index 00000000000..b1ba88d1fa4
--- /dev/null
+++ b/docs/source/installation/kubernetes/gke.md
@@ -0,0 +1,12 @@
+# GKE
+
+## Kubelet
+
+### Static CPU policy
+
+GKE allows you to set [static CPU policy](./generic.md#static-cpu-policy) using a [node system configuration](https://cloud.google.com/kubernetes-engine/docs/how-to/node-system-config)
+:::{code} yaml
+:number-lines:
+kubeletConfig:
+ cpuManagerPolicy: static
+:::
diff --git a/docs/source/installation/kubernetes/index.md b/docs/source/installation/kubernetes/index.md
new file mode 100644
index 00000000000..fc560ee48e6
--- /dev/null
+++ b/docs/source/installation/kubernetes/index.md
@@ -0,0 +1,9 @@
+# Kubernetes
+
+:::{toctree}
+:maxdepth: 1
+
+generic
+eks
+gke
+:::
diff --git a/docs/source/installation/overview.md b/docs/source/installation/overview.md
new file mode 100644
index 00000000000..86b2a0d6baa
--- /dev/null
+++ b/docs/source/installation/overview.md
@@ -0,0 +1,108 @@
+# Overview
+
+## Kubernetes
+
+{{productName}} is a set of controllers and Kubernetes API extensions.
+Therefore, we assume you either have an existing, conformant Kubernetes cluster and/or are already familiar with how a Kubernetes cluster is deployed and operated.
+
+{{productName}} controllers and API extensions may have dependencies on some of the newer Kubernetes features and APIs that need to be available.
+More over, {{productName}} implements additional features like performance tuning, some of which are platform/OS specific.
+While we do our best to implement these routines as generically as possible, sometimes there isn't any low level API to base them on and they may work only on a subset of platforms.
+
+:::{caution}
+We *strongly* recommend using a [supported Kubernetes platform](../support/releases.md#supported-kubernetes-platforms).
+Issues on unsupported platforms are unlikely to be addressed.
+:::
+
+:::{note}
+Before reporting an issue, please see our [support page](../support/overview.md) and [troubleshooting installation issues](../support/troubleshooting/installation)
+:::
+
+## {{productName}} components
+
+{{productName}} consists of multiple components that need to be installed in your cluster.
+This is by no means a complete list of all resources, rather it aims to show the major components in one place.
+
+
+```{figure} deploy.svg
+:class: sd-m-auto
+:name: deploy-overview
+```
+
+:::{note}
+Depending on [which storage provisioner you choose](../architecture/storage/overview.md), the `local-csi-driver` may be replaced or complemented by a different component.
+:::
+
+### {{productName}}
+
+{{productName}} contains the Kubernetes API extensions and corresponding controllers and admission hooks that run inside `scylla-operator` namespace.
+
+You can learn more about the APIs in [resources section](../resources/overview.md) and the [generated API reference](../api-reference/index.rst).
+
+### ScyllaDB Manager
+
+ScyllaDB Manager is a global deployment that is responsible for operating all [ScyllaClusters](../api-reference/groups/scylla.scylladb.com/scyllaclusters.rst) and runs inside `scylla-manager` namespace.
+There is a corresponding controller running in {{productName}} that syncs the [ScyllaCluster](../api-reference/groups/scylla.scylladb.com/scyllaclusters.rst) metadata, [backup](#api-scylla.scylladb.com-scyllaclusters-v1-.spec.backups[]) and [repair](#api-scylla.scylladb.com-scyllaclusters-v1-.spec.repairs[]) tasks into the manager (and vice versa) and avoids accessing the shared instance by users. Unfortunately, at this point, other task like restoring from a backup require executing into the shared ScyllaDB Manager deployment which effectively needs administrator privileges.
+
+ScyllaDB Manager uses a small ScyllaCluster instance internally and thus depends on the {{productName}} deployment and the CRD it provides.
+
+### NodeConfig
+
+[NodeConfig](../resources/nodeconfigs.md) is a cluster-scoped custom resource provided by {{productName}} that helps you set local disks on Kubernetes nodes, create and mount a file system, configure performance tuning and more.
+
+### ScyllaOperatorConfig
+
+[ScyllaOperatorConfig](../resources/scyllaoperatorconfigs.md) is a cluster-coped custom resource provided by {{productName}} to help you configure {{productName}}. It helps you configure auxiliary images, see which ones are in use and more.
+
+### Local CSI driver
+
+ScyllaDB provides you with a custom [Local CSI driver](../architecture/storage/local-csi-driver.md) that lets you dynamically provision PersistentVolumes, share the disk space but still track the capacity and use quotas.
+
+## Notes
+
+:::{note}
+Before reporting and issue, please see our [support page](../support/overview.md) and [troubleshooting installation issues](../support/troubleshooting/installation.md#troubleshooting-installation-issues)
+:::
+
+## Installation modes
+
+Depending on your preference, there is more than one way to install {{productName}} and there may be more to come / or provided by other parties or supply chains.
+
+At this point, we provide 2 ways to install the operator - [GitOps/manifests](#gitops) and [Helm charts](#helm). Given we provide only a subset of helm charts for the main resources and because **Helm can't update CRDs** - you still have to resort to using the manifests or GitOps anyway. For a consistent experience we'd recommend using the [GitOps flow](#gitops) which will also give you a better idea about what you actually deploy and maintain.
+
+:::{caution}
+Do not use rolling tags (like `latest`, `1.14`) with our manifests in production.
+The manifests and images for a particular release are tightly coupled and any update requires updating both of them, while the rolling tags may surprisingly update only the images.
+You should always use the full version (e.g. `1.14.0`) and/or using the corresponding *sha* reference.
+:::
+
+:::{note}
+To avoid races, when you create a CRD, you need to wait for it to be propagated to other instances of the kubernetes-apiserver, before you can reliably create the corresponding CRs.
+:::
+
+:::{note}
+When you create [ValidatingWebhookConfiguration](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration) or [MutatingWebhookConfiguration](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration), you have to wait for the corresponding webhook deployments to be available, or the kubernetes-apiserver will fail all requests for resources affected by these webhhok configurations.
+Also note that some platforms have non-conformant networking setups by default that prevents the kube-apiserver from talking to the webhooks - [see our troubleshooting guide for more info](../support/troubleshooting/installation.md#webhooks).
+:::
+
+### GitOps
+
+We provide a set of Kubernetes manifest that contain all necessary objects to apply to your Kubernetes cluster.
+Depending on your preference applying them may range from using `git` with a declarative CD to `git` and `kubectl`.
+To keep the instructions clear for everyone we'll demonstrate applying the manifests using `kubectl`, that everyone is familiar with and is able to translate it to the GitOps platform of his choosing.
+
+For details, please see the [dedicated section describing the deployment using GitOps (kubectl)](./gitops.md).
+
+### Helm
+
+:::{include} ../.internal/helm-crd-warning.md
+:::
+
+For details, please see the [dedicated section describing the deployment using Helm](./helm.md).
+
+## Upgrades
+
+{{productName}} supports N+1 upgrades only.
+That means to you can only update by 1 minor version at the time and wait for it to successfully roll out and then update all ScyllaClusters that also run using the image that's being updated. ({{productName}} injects it as a sidecar to help run and manage ScyllaDB.)
+
+We value the stability of our APIs and all API changes are backwards compatible.
diff --git a/docs/source/manager.md b/docs/source/manager.md
deleted file mode 100644
index 9a8db2fd37a..00000000000
--- a/docs/source/manager.md
+++ /dev/null
@@ -1,258 +0,0 @@
-# Deploying Scylla Manager on a Kubernetes Cluster
-
-Scylla Manager is a product for database operations automation,
-it can schedule tasks such as repairs and backups.
-Scylla Manager can manage multiple Scylla clusters and run cluster-wide tasks
-in a controlled and predictable way.
-
-Scylla Manager is available for Scylla Enterprise customers and Scylla Open Source users.
-With Scylla Open Source, Scylla Manager is limited to 5 nodes.
-See the Scylla Manager [Proprietary Software License Agreement](https://www.scylladb.com/scylla-manager-software-license-agreement/) for details.
-
-## Prerequisites
-
-* Kubernetes cluster
-* Scylla Operator - see [generic guide](generic.md)
-
-## Architecture
-
-Scylla Manager in K8s consist of:
-- Dedicated Scylla Cluster
-
- Scylla Manager persists its state to a Scylla cluster.
-Additional small single node cluster is spawned in the Manager namespace.
-
-- Scylla Manager Controller
-
- Main mission of Controller is to watch changes of Scylla Clusters, and synchronize three states.
- 1. What user wants - task definition in CRD.
- 2. What Controller registered - Task name to Task ID mapping - CRD status.
- 3. Scylla Manager task listing - internal state of Scylla Manager.
-
- When Scylla Cluster CRD is being deployed Controller will register it in Scylla Manager once cluster reaches desired node count.
-Once Cluster is fully up and running it will schedule all tasks defined in Cluster CRD.
-Controller also supports task updates and unscheduling.
-
-- Scylla Manager
-
- Regular Scylla Manager, the same used in cloud and bare metal deployments.
-
-
-
-## Deploy Scylla Manager
-
-Deploy the Scylla Manager using the following commands:
-
-```console
-kubectl apply -f deploy/manager-prod.yaml
-```
-
-This will install the Scylla Manager in the `scylla-manager` namespace.
-You can check if the Scylla Manager is up and running with:
-
-```console
-kubectl -n scylla-manager get pods
-NAME READY STATUS RESTARTS AGE
-scylla-manager-cluster-manager-dc-manager-rack-0 2/2 Running 0 37m
-scylla-manager-controller-0 1/1 Running 0 28m
-scylla-manager-scylla-manager-7bd9f968b9-w25jw 1/1 Running 0 37m
-```
-
-As you can see there are three pods:
-* `scylla-manager-cluster-manager-dc-manager-rack-0` - is a single node Scylla cluster.
-* `scylla-manager-controller-0` - Scylla Manager Controller.
-* `scylla-manager-scylla-manager-7bd9f968b9-w25jw` - Scylla Manager.
-
-To see if Scylla Manager is fully up and running we can check their logs.
-To do this, execute following command:
-
- ```console
-kubectl -n scylla-manager logs scylla-manager-controller-0
-```
-
-The output should be something like:
-```console
-{"L":"INFO","T":"2020-09-23T11:25:27.882Z","M":"Scylla Manager Controller started","version":"","build_date":"","commit":"","built_by":"","go_version":"","options":{"Name":"scylla-manager-controller-0","Namespace":"scylla-manager","LogLevel":"debug","ApiAddress":"http://127.0.0.1:5080/api/v1"},"_trace_id":"LQEJV3kDR5Gx9M3XQ2YnnQ"}
-{"L":"INFO","T":"2020-09-23T11:25:28.435Z","M":"Registering Components.","_trace_id":"LQEJV3kDR5Gx9M3XQ2YnnQ"}
-```
-
-To check logs of Scylla Manager itself, use following command:
-```console
-kubectl -n scylla-manager logs scylla-manager-scylla-manager-7bd9f968b9-w25jw
-```
-
-The output should be something like:
-
-```console
-{"L":"INFO","T":"2020-09-23T11:26:53.238Z","M":"Scylla Manager Server","version":"2.1.2-0.20200816.76cc4dcc","pid":1,"_trace_id":"xQhkJ0OuR8e6iMDEpM62Hg"}
-{"L":"INFO","T":"2020-09-23T11:26:54.519Z","M":"Using config","config":{"HTTP":"127.0.0.1:5080","HTTPS":"","TLSCertFile":"/var/lib/scylla-manager/scylla_manager.crt","TLSKeyFile":"/var/lib/scylla-manager/scylla_manager.key","TLSCAFile":"","Prometheus":":56090","PrometheusScrapeInterval":5000000000,"debug":"127.0.0.1:56112","Logger":{"Mode":"stderr","Level":"info","Development":false},"Database":{"Hosts":["scylla-manager-cluster-manager-dc-manager-rack-0.scylla-manager.svc"],"SSL":false,"User":"","Password":"","LocalDC":"","Keyspace":"scylla_manager","MigrateDir":"/etc/scylla-manager/cql","MigrateTimeout":30000000000,"MigrateMaxWaitSchemaAgreement":300000000000,"ReplicationFactor":1,"Timeout":600000000,"TokenAware":true},"SSL":{"CertFile":"","Validate":true,"UserCertFile":"","UserKeyFile":""},"Healthcheck":{"Timeout":250000000,"SSLTimeout":750000000},"Backup":{"DiskSpaceFreeMinPercent":10,"AgeMax":43200000000000},"Repair":{"SegmentsPerRepair":1,"ShardParallelMax":0,"ShardFailedSegmentsMax":100,"PollInterval":200000000,"ErrorBackoff":300000000000,"AgeMax":0,"ShardingIgnoreMsbBits":12}},"config_files":["/mnt/etc/scylla-manager/scylla-manager.yaml"],"_trace_id":"xQhkJ0OuR8e6iMDEpM62Hg"}
-{"L":"INFO","T":"2020-09-23T11:26:54.519Z","M":"Checking database connectivity...","_trace_id":"xQhkJ0OuR8e6iMDEpM62Hg"}
-```
-
-If there are no errors in the logs, let's spin a Scylla Cluster.
-
-## Cluster registration
-
-
-When the Scylla Manager is fully up and running, lets create a regular instance of Scylla cluster.
-
-See [generic tutorial](generic.md) to spawn your cluster.
-
-Note: If you already have some Scylla Clusters, after installing Manager they should be
-automatically registered in Scylla Manager.
-
-Once cluster reaches desired node count, cluster status will be updated with ID under which it was registered in Manager.
-
- ```console
-kubectl -n scylla describe Cluster
-
-[...]
-Status:
- Manager Id: d1d532cd-49f2-4c97-9263-25126532803b
- Racks:
- us-east-1a:
- Members: 3
- Ready Members: 3
- Version: 4.0.0
-```
-You can use this ID to talk to Scylla Manager using `sctool` CLI installed in Scylla Manager Pod.
-You can also use Cluster name in `namespace/cluster-name` format.
-
-```console
-kubectl -n scylla-manager exec -ti scylla-manager-scylla-manager-7bd9f968b9-w25jw -- sctool task list
-
-Cluster: scylla/simple-cluster (d1d532cd-49f2-4c97-9263-25126532803b)
-╭─────────────────────────────────────────────────────────────┬──────────────────────────────────────┬────────────────────────────────┬────────╮
-│ Task │ Arguments │ Next run │ Status │
-├─────────────────────────────────────────────────────────────┼──────────────────────────────────────┼────────────────────────────────┼────────┤
-│ healthcheck/400b2723-eec5-422a-b7f3-236a0e10575b │ │ 23 Sep 20 14:28:42 CEST (+15s) │ DONE │
-│ healthcheck_rest/28169610-a969-4c20-9d11-ab7568b8a1bd │ │ 23 Sep 20 14:29:57 CEST (+1m) │ NEW │
-╰─────────────────────────────────────────────────────────────┴──────────────────────────────────────┴────────────────────────────────┴────────╯
-
-```
-
-Scylla Manager by default registers recurring healhcheck tasks for Agent and for each of the enabled frontends (CQL, Alternator).
-
-In this task listing we can see CQL and REST healthchecks.
-
-## Task scheduling
-
-You can either define tasks prior Cluster creation, or for existing Cluster.
-Let's edit already running cluster definition to add repair and backup task.
-```console
-kubectl -n scylla edit Cluster simple-cluster
-```
-
-Add following task definition to Cluster spec:
-```
- repairs:
- - name: "users repair"
- keyspace: ["users"]
- interval: "1d"
- backups:
- - name: "weekly backup"
- location: ["s3:cluster-backups"]
- retention: 3
- interval: "7d"
- - name: "daily backup"
- location: ["s3:cluster-backups"]
- retention: 7
- interval: "1d"
-```
-
-For full task definition configuration consult [ScyllaCluster CRD](api-reference/groups/scylla.scylladb.com/scyllaclusters.rst).
-
-**Note**: Scylla Manager Agent must have access to above bucket prior the update in order to schedule backup task.
-Consult Scylla Manager documentation for details on how to set it up.
-
-Scylla Manager Controller will spot this change and will schedule tasks in Scylla Manager.
-
-```console
-kubectl -n scylla-manager exec -ti scylla-manager-scylla-manager-7bd9f968b9-w25jw -- sctool task list
-
-Cluster: scylla/simple-cluster (d1d532cd-49f2-4c97-9263-25126532803b)
-╭─────────────────────────────────────────────────────────────┬──────────────────────────────────────┬────────────────────────────────┬────────╮
-│ Task │ Arguments │ Next run │ Status │
-├─────────────────────────────────────────────────────────────┼──────────────────────────────────────┼────────────────────────────────┼────────┤
-│ healthcheck/400b2723-eec5-422a-b7f3-236a0e10575b │ │ 23 Sep 20 14:28:42 CEST (+15s) │ DONE │
-│ backup/275aae7f-c436-4fc8-bcec-479e65fb8372 │ -L s3:cluster-backups --retention 3 │ 23 Sep 20 14:28:58 CEST (+7d) │ NEW │
-│ healthcheck_rest/28169610-a969-4c20-9d11-ab7568b8a1bd │ │ 23 Sep 20 14:29:57 CEST (+1m) │ NEW │
-│ repair/d4946360-c29d-4bb4-8b9d-619ada495c2a │ │ 23 Sep 20 14:38:42 CEST │ NEW │
-╰─────────────────────────────────────────────────────────────┴──────────────────────────────────────┴────────────────────────────────┴────────╯
-
-```
-
-As you can see, we have two new tasks, weekly recurring backup, and one repair which should start shortly.
-
-To check progress of run you can use following command:
-
-```console
-kubectl -n scylla-manager exec -ti scylla-manager-scylla-manager-7bd9f968b9-w25jw -- sctool task progress --cluster d1d532cd-49f2-4c97-9263-25126532803b repair/d4946360-c29d-4bb4-8b9d-619ada495c2a
-Status: RUNNING
-Start time: 23 Sep 20 14:38:42 UTC
-Duration: 13s
-Progress: 2.69%
-Datacenters:
- - us-east-1
-+--------------------+-------+
-| system_auth | 8.06% |
-| system_distributed | 0.00% |
-| system_traces | 0.00% |
-+--------------------+-------+
-
-```
-Other tasks can be also tracked using the same command, but using different task ID.
-Task IDs are present in Cluster Status as well as in task listing.
-
-## Clean Up
-
-To clean up all resources associated with Scylla Manager, you can run the commands below.
-
-**NOTE:** this will destroy your Scylla Manager database and delete all of its associated data.
-
-```console
-kubectl delete -f deploy/manager-prod.yaml
-```
-
-## Troubleshooting
-
-**Manager is not running**
-
-If the Scylla Manager does not come up, the first step would be to examine the Manager and Controller logs:
-
-```console
-kubectl -n scylla-manager logs -f scylla-manager-controller-0 scylla-manager-controller
-kubectl -n scylla-manager logs -f scylla-manager-controller-0 scylla-manager-scylla-manager-7bd9f968b9-w25jw
-```
-
-
-**My task wasn't scheduled**
-
-If your task wasn't scheduled, Cluster status will be updated with error messages for each failed task.
-You can also consult Scylla Manager logs.
-
-Example:
-
-Following status describes error when backup task cannot be scheduled, due to lack of access to bucket:
-```console
-Status:
- Backups:
- Error: create backup target: location is not accessible: 10.100.16.62: giving up after 2 attempts: after 15s: timeout - make sure the location is correct and credentials are set, to debug SSH to 10.100.16.62 and run "scylla-manager-agent check-location -L s3:manager-test --debug"; 10.107.193.33: giving up after 2 attempts: after 15s: timeout - make sure the location is correct and credentials are set, to debug SSH to 10.107.193.33 and run "scylla-manager-agent check-location -L s3:manager-test --debug"; 10.109.197.60: giving up after 2 attempts: after 15s: timeout - make sure the location is correct and credentials are set, to debug SSH to 10.109.197.60 and run "scylla-manager-agent check-location -L s3:manager-test --debug"
- Id: 00000000-0000-0000-0000-000000000000
- Interval: 0
- Location:
- s3:manager-test
- Name: adhoc backup
- Num Retries: 3
- Retention: 3
- Start Date: now
- Manager Id: 2b9dbe8c-9daa-4703-a66d-c29f63a917c8
- Racks:
- us-east-1a:
- Members: 3
- Ready Members: 3
- Version: 4.0.0
-```
-
-Because Controller is infinitely retrying to schedule each defined task, once permission issues will be resolved,
-task should appear in task listing and Cluster status.
diff --git a/docs/source/migration.md b/docs/source/migration.md
deleted file mode 100644
index 6b450637a22..00000000000
--- a/docs/source/migration.md
+++ /dev/null
@@ -1,146 +0,0 @@
-# Version migrations
-
-
-## `v0.3.0` -> `v1.0.0` migration
-
-`v0.3.0` used a very common name as a CRD kind (`Cluster`). In `v1.0.0` this issue was solved by using less common kind
-which is easier to disambiguate (`ScyllaCluster`).
-***This change is backward incompatible, which means manual migration is needed.***
-
-This procedure involves having two CRDs registered at the same time. We will detach Scylla Pods
-from Scylla Operator for a short period to ensure that nothing is garbage collected when Scylla Operator is upgraded.
-Compared to the [upgrade guide](upgrade.md) where full deletion is requested, this procedure shouldn't cause downtimes.
-Although detaching resources from their controller is considered hacky. This means that you shouldn't run procedure
-out of the box on production. Make sure this procedure works well multiple times on your staging environment first.
-
-***Read the whole procedure and make sure you understand what is going on before executing any of the commands!***
-
-In case of any issues or questions regarding this procedure, you're welcomed on our [Scylla Users Slack](http://slack.scylladb.com/)
-on #kubernetes channel.
-
-## Procedure
-
-1. Execute this whole procedure for each cluster sequentially. To get a list of existing clusters execute the following
- ```
- kubectl -n scylla get cluster.scylla.scylladb.com
-
- NAME AGE
- simple-cluster 30m
- ```
- All below commands will use `scylla` namespace and `simple-cluster` as a cluster name.
-1. Make sure you're using v1.0.0 tag:
- ```
- git checkout v1.0.0
- ```
-1. Upgrade your `cert-manager` to `v1.0.0`. If you installed it from a static file from this repo, simply execute the following:
- ```
- kubectl apply -f examples/common/cert-manager.yaml
- ```
- If your `cert-manager` was installed in another way, follow official instructions on `cert-manager` website.
-1. `deploy/operator.yaml` file contains multiple resources. Extract **only** `CustomResourceDefinition` to separate file.
-1. Install v1.0.0 CRD definition from file created in the previous step:
- ```
- kubectl apply -f examples/common/crd.yaml
- ```
-1. Save your existing `simple-cluster` Cluster definition to a file:
- ```
- kubectl -n scylla get cluster.scylla.scylladb.com simple-cluster -o yaml > existing-cluster.yaml
- ```
-1. Migrate `Kind` and `ApiVersion` to new values using:
- ```
- sed -i 's/scylla.scylladb.com\/v1alpha1/scylla.scylladb.com\/v1/g' existing-cluster.yaml
- sed -i 's/kind: Cluster/kind: ScyllaCluster/g' existing-cluster.yaml
- ```
-1. Install migrated CRD instance
- ```
- kubectl apply -f existing-cluster.yaml
- ```
- At this point, we should have two CRDs describing your Scylla cluster, although the new one is not controlled by the Operator.
-1. Get UUID of newly created ScyllaCluster resource:
- ```
- kubectl -n scylla get ScyllaCluster simple-cluster --template="{{ .metadata.uid }}"
-
- 12a3678d-8511-4c9c-8a48-fa78d3992694
- ```
- Save output UUID somewhere, it will be referred as `` in commands below.
-
- ***Depending on your shell, you might get additional '%' sign at the end of UUID, make sure to remove it!***
-
-1. Upgrade ClusterRole attached to each of the Scylla nodes to grant them permission to lookup Scylla clusters:
- ```
- kubectl patch ClusterRole simple-cluster-member --type "json" -p '[{"op":"add","path":"/rules/-","value":{"apiGroups":["scylla.scylladb.com"],"resources":["scyllaclusters"],"verbs":["get"]}}]'
- ```
- Amend role name according to your cluster name, it should look like `-member`.
-1. Get a list of all Services associated with your cluster. First get list of all services:
- ```
- kubectl -n scylla get svc -l "scylla/cluster=simple-cluster"
-
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- simple-cluster-client ClusterIP None 9180/TCP 109m
- simple-cluster-us-east-1-us-east-1a-0 ClusterIP 10.43.23.96 7000/TCP,7001/TCP,7199/TCP,10001/TCP,9042/TCP,9142/TCP,9160/TCP 109m
- simple-cluster-us-east-1-us-east-1a-1 ClusterIP 10.43.66.22 7000/TCP,7001/TCP,7199/TCP,10001/TCP,9042/TCP,9142/TCP,9160/TCP 108m
- simple-cluster-us-east-1-us-east-1a-2 ClusterIP 10.43.246.25 7000/TCP,7001/TCP,7199/TCP,10001/TCP,9042/TCP,9142/TCP,9160/TCP 106m
-
- ```
-1. For each service, change its `ownerReference` to point to new CRD instance:
- ```
- kubectl -n scylla patch svc --type='json' -p='[{"op": "replace", "path": "/metadata/ownerReferences/0/apiVersion", "value":"scylla.scylladb.com/v1"}, {"op": "replace", "path": "/metadata/ownerReferences/0/kind", "value":"ScyllaCluster"}, {"op": "replace", "path": "/metadata/ownerReferences/0/uid", "value":""}]'
- ```
- Replace `` with Service name, and `` with saved UUID from one of the previous steps.
-1. Get a list of all Services again to see if none was deleted. Check also "Age" column, it shouldn't be lower than previous result.
- ```
- kubectl -n scylla get svc -l "scylla/cluster=simple-cluster"
-
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- simple-cluster-client ClusterIP None 9180/TCP 110m
- simple-cluster-us-east-1-us-east-1a-0 ClusterIP 10.43.23.96 7000/TCP,7001/TCP,7199/TCP,10001/TCP,9042/TCP,9142/TCP,9160/TCP 110m
- simple-cluster-us-east-1-us-east-1a-1 ClusterIP 10.43.66.22 7000/TCP,7001/TCP,7199/TCP,10001/TCP,9042/TCP,9142/TCP,9160/TCP 109m
- simple-cluster-us-east-1-us-east-1a-2 ClusterIP 10.43.246.25 7000/TCP,7001/TCP,7199/TCP,10001/TCP,9042/TCP,9142/TCP,9160/TCP 107m
-
- ```
-1. Get a list of StatefulSets associated with your cluster:
- ```
- kubectl -n scylla get sts -l "scylla/cluster=simple-cluster"
-
- NAME READY AGE
- simple-cluster-us-east-1-us-east-1a 3/3 104m
- ```
-1. For each StatefulSet from previous step, change its `ownerReference` to point to new CRD instance.
-
- ```
- kubectl -n scylla patch sts --type='json' -p='[{"op": "replace", "path": "/metadata/ownerReferences/0/apiVersion", "value":"scylla.scylladb.com/v1"}, {"op": "replace", "path": "/metadata/ownerReferences/0/kind", "value":"ScyllaCluster"}, {"op": "replace", "path": "/metadata/ownerReferences/0/uid", "value":""}]'
- ```
- Replace `` with StatefulSet name, and `` with saved UUID from one of the previous steps.
-
-1. Now when all k8s resources bound to Scylla are attached to new CRD, we can remove 0.3.0 Operator and old CRD definition.
- Checkout `v0.3.0` version, and remove Scylla Operator, and old CRD:
- ```
- git checkout v0.3.0
- kubectl delete -f examples/generic/operator.yaml
- ```
-1. Checkout `v1.0.0`, and install upgraded Scylla Operator:
- ```
- git checkout v1.0.0
- kubectl apply -f deploy/operator.yaml
- ```
-1. Wait until Scylla Operator boots up:
- ```
- kubectl -n scylla-operator-system wait --for=condition=ready pod --all --timeout=600s
- ```
-1. Get a list of StatefulSets associated with your cluster:
- ```
- kubectl -n scylla get sts -l "scylla/cluster=simple-cluster"
-
- NAME READY AGE
- simple-cluster-us-east-1-us-east-1a 3/3 104m
-1. For each StatefulSet from previous step, change its sidecar container image to `v1.0.0`, and wait until change will be propagated. This step will initiate a rolling restart of pods one by one.
- ```
- kubectl -n scylla patch sts --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/initContainers/0/image", "value":"scylladb/scylla-operator:v1.0.0"}]'
- kubectl -n scylla rollout status sts
- ```
- Replace `` with StatefulSet name.
-1. If you're using Scylla Manager, bump Scylla Manager Controller image to `v1.0.0`
- ```
- kubectl -n scylla-manager-system patch sts scylla-manager-controller --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value":"scylladb/scylla-operator:v1.0.0"}]'
- ```
-1. Your Scylla cluster is now migrated to `v1.0.0`.
diff --git a/docs/source/multidc/index.rst b/docs/source/multidc/index.rst
deleted file mode 100644
index a2f1eae7709..00000000000
--- a/docs/source/multidc/index.rst
+++ /dev/null
@@ -1,18 +0,0 @@
-==========================================================
-Deploying multi-datacenter ScyllaDB clusters in Kubernetes
-==========================================================
-
-Prepare a platform for a multi datacenter ScyllaDB cluster deployment:
-
-.. toctree::
- :maxdepth: 1
-
- eks
- gke
-
-Deploy a multi-datacenter ScyllaDB cluster in Kubernetes:
-
-.. toctree::
- :maxdepth: 1
-
- multidc
diff --git a/docs/source/performance.md b/docs/source/performance.md
deleted file mode 100644
index ff48cfb582d..00000000000
--- a/docs/source/performance.md
+++ /dev/null
@@ -1,100 +0,0 @@
-# Performance tuning
-
-Scylla Operator 1.6 introduces a new experimental feature allowing users to optimize Kubernetes nodes.
-
-:::{warning}
-We recommend that you first try out the performance tuning on a pre-production instance.
-Given the nature of the underlying tuning script, undoing the changes requires rebooting the Kubernetes node(s).
-:::
-
-## Node tuning
-
-Starting from Operator 1.6, a new CRD called NodeConfig is available, allowing users to target Nodes which should be tuned.
-When a Node is supposed to be optimized, the Scylla Operator creates a DaemonSet covering these Nodes.
-Nodes matching the provided placement conditions will be subject to tuning.
-
-Below example NodeConfig tunes nodes having `scylla.scylladb.com/node-type=scylla` label:
-```
-apiVersion: scylla.scylladb.com/v1alpha1
-kind: NodeConfig
-metadata:
- name: cluster
-spec:
- placement:
- nodeSelector:
- scylla.scylladb.com/node-type: scylla
-```
-For more details about new CRD use:
-```
-kubectl explain nodeconfigs.scylla.scylladb.com/v1alpha1
-```
-
-For all optimizations we use a Python script available in the Scylla image called perftune.
-Perftune executes the performance optmizations like tuning the kernel, network, disk devices, spreading IRQs across CPUs and more.
-
-Tuning consists of two separate optimizations: common node tuning, and tuning based on Scylla Pods and their resource assignment.
-Node tuning is executed immediately. Pod tuning is executed when Scylla Pod lands on the same Node.
-
-Scylla works most efficently when it's pinned to CPU and not interrupted.
-One of the most common causes of context-switching are network interrupts. Packets coming to a node need to be processed,
-and this requires CPU shares.
-
-On K8s we always have at least a couple of processes running on the node: kubelet, kubernetes provider applications, daemons etc.
-These processes require CPU shares, so we cannot dedicate entire node processing power to Scylla, we need to leave space for others.
-We take advantage of it, and we pin IRQs to CPUs not used by any Scylla Pods exclusively.
-
-Tuning resources are created in a special namespace called `scylla-operator-node-tuning`.
-
-The tuning is applied only to pods with `Guaranteed` QoS class. Please double check your ScyllaCluster resource specification
-to see if it meets all conditions.
-
-## Kubernetes tuning
-
-By default, the kubelet uses the CFS quota to enforce pod CPU limits.
-When the node runs many CPU-bound pods, the workload can move around different CPU cores depending on whether the pod
-is throttled and which CPU cores are available.
-However, kubelet may be configured to assign CPUs exclusively, by setting the CPU manager policy to static.
-
-Setting up kubelet configuration is provider specific. Please check the docs for your distribution or talk to your
-provider.
-
-Only pods within the [Guaranteed QoS class](https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed)) can take advantage of this option.
-When such pod lands on a Node, kubelet will pin them to specific CPUs, and those won't be part of the shared pool.
-
-In our case there are two requirements each ScyllaCluster must fulfill to receive a Guaranteed QoS class:
-* resource request and limits must be equal or only limits have to be provided
-* agentResources must be provided and their requests and limits must be equal, or only limits have to be provided
-
-An example of such a ScyllaCluster that receives a Guaranteed QoS class is below:
-
-```
-apiVersion: scylla.scylladb.com/v1
-kind: ScyllaCluster
-metadata:
- name: guaranteed-cluster
- namespace: scylla
-spec:
- agentVersion: 3.4.0
- version: 6.2.0
- datacenter:
- name: us-east-1
- racks:
- - name: us-east-1a
- members: 3
- storage:
- capacity: 500Gi
- agentResources:
- requests:
- cpu: 1
- memory: 1G
- limits:
- cpu: 1
- memory: 1G
- resources:
- requests:
- cpu: 4
- memory: 16G
- limits:
- cpu: 4
- memory: 16G
-```
diff --git a/docs/source/quickstarts/eks.md b/docs/source/quickstarts/eks.md
new file mode 100644
index 00000000000..03738c994e2
--- /dev/null
+++ b/docs/source/quickstarts/eks.md
@@ -0,0 +1,50 @@
+# Deploying ScyllaDB on EKS
+
+This is a quickstart guide to help you set up a basic EKS cluster quickly with local NVMes and solid performance.
+
+This is by no means a complete guide, and you should always consult your provider's documentation.
+
+## Prerequisites
+
+In this guide we'll be using `eksctl` to set up the cluster, and you'll need `kubectl` to talk to it.
+
+If you don't have those already, or are not available through your package manager, you can try these links to learn more about installing them:
+- [eksctl](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+
+## Creating an EKS cluster
+
+First, let's create a declarative config to used with eksctl
+:::{code-block} bash
+:substitutions:
+
+curl --fail --retry 5 --retry-all-errors -o 'clusterconfig.eksctl.yaml' -L https://raw.githubusercontent.com/{{repository}}/{{revision}}/examples/eks/clusterconfig.eksctl.yaml
+:::
+
+With the config ready, we can easily create an EKS cluster by running
+
+:::{code} bash
+
+eksctl create cluster -f=clusterconfig.eksctl.yaml
+:::
+
+## Deploying {{productName}}
+
+To deploy {{productName}} follow the [installation guide](../installation/overview.md).
+
+## Creating ScyllaDB
+
+To deploy a ScyllaDB cluster please head to [our dedicated section on the topic](../resources/scyllaclusters/basics.md).
+
+## Accessing ScyllaDB
+
+We also hve a whole section dedicated to [how you can access teh ScyllaDB cluster you've just created](../resources/scyllaclusters/clients/index.md).
+
+## Deleting the EKS cluster
+
+Once you are done, you can delete the EKS cluster using the following command:
+
+:::{code}
+
+eksctl delete cluster -f=clusterconfig.eksctl.yaml
+:::
diff --git a/docs/source/quickstarts/gke.md b/docs/source/quickstarts/gke.md
new file mode 100644
index 00000000000..29bc8a14729
--- /dev/null
+++ b/docs/source/quickstarts/gke.md
@@ -0,0 +1,76 @@
+# Deploying ScyllaDB on GKE
+
+This is a quickstart guide to help you set up a basic GKE cluster quickly with local NVMes and solid performance.
+
+This is by no means a complete guide, and you should always consult your provider's documentation.
+
+
+## Creating a GKE cluster
+
+First, we need to create a kubelet config to configure [static CPU policy](../installation/kubernetes/generic.md#static-cpu-policy)
+:::{code} bash
+:number-lines:
+
+cat > systemconfig.yaml <
+ racks:
+ - name:
+ placement:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: failure-domain.beta.kubernetes.io/zone
+ operator: In
+ values:
+ -
+:::
+::::
+
+::::{tab-item} EKS
+:::{code} yaml
+spec:
+ datacenter:
+ name:
+ racks:
+ - name:
+ placement:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/zone
+ operator: In
+ values:
+ -
+:::
+::::
+
+:::::
+
+## Next steps
+
+To follow up with other advanced topics, see [the section index for options](./index.md).
diff --git a/docs/source/clients/alternator.md b/docs/source/resources/scyllaclusters/clients/alternator.md
similarity index 100%
rename from docs/source/clients/alternator.md
rename to docs/source/resources/scyllaclusters/clients/alternator.md
diff --git a/docs/source/clients/cql.md b/docs/source/resources/scyllaclusters/clients/cql.md
similarity index 100%
rename from docs/source/clients/cql.md
rename to docs/source/resources/scyllaclusters/clients/cql.md
diff --git a/docs/source/clients/discovery.md b/docs/source/resources/scyllaclusters/clients/discovery.md
similarity index 100%
rename from docs/source/clients/discovery.md
rename to docs/source/resources/scyllaclusters/clients/discovery.md
diff --git a/docs/source/resources/scyllaclusters/clients/index.md b/docs/source/resources/scyllaclusters/clients/index.md
new file mode 100644
index 00000000000..0ef199da592
--- /dev/null
+++ b/docs/source/resources/scyllaclusters/clients/index.md
@@ -0,0 +1,10 @@
+# ScyllaDB clients
+
+:::{toctree}
+:titlesonly:
+:maxdepth: 1
+
+discovery
+cql
+alternator
+:::
diff --git a/docs/source/static/exposing/clusterip.svg b/docs/source/resources/scyllaclusters/exposing-images/clusterip.svg
similarity index 100%
rename from docs/source/static/exposing/clusterip.svg
rename to docs/source/resources/scyllaclusters/exposing-images/clusterip.svg
diff --git a/docs/source/static/exposing/loadbalancer.svg b/docs/source/resources/scyllaclusters/exposing-images/loadbalancer.svg
similarity index 100%
rename from docs/source/static/exposing/loadbalancer.svg
rename to docs/source/resources/scyllaclusters/exposing-images/loadbalancer.svg
diff --git a/docs/source/static/exposing/multivpc.svg b/docs/source/resources/scyllaclusters/exposing-images/multivpc.svg
similarity index 100%
rename from docs/source/static/exposing/multivpc.svg
rename to docs/source/resources/scyllaclusters/exposing-images/multivpc.svg
diff --git a/docs/source/static/exposing/podips.svg b/docs/source/resources/scyllaclusters/exposing-images/podips.svg
similarity index 100%
rename from docs/source/static/exposing/podips.svg
rename to docs/source/resources/scyllaclusters/exposing-images/podips.svg
diff --git a/docs/source/exposing.md b/docs/source/resources/scyllaclusters/exposing.md
similarity index 98%
rename from docs/source/exposing.md
rename to docs/source/resources/scyllaclusters/exposing.md
index 9ec6e0ba4e5..9a0d9e4bf6a 100644
--- a/docs/source/exposing.md
+++ b/docs/source/resources/scyllaclusters/exposing.md
@@ -219,7 +219,7 @@ Both client and nodes are deployed within the same Kubernetes cluster.
They talk through ClusterIP addresses taken from the Service.
Because ClusterIP Services are only routable within the same Kubernetes cluster, this cluster won't be reachable from outside.
-
+
### In-cluster node-to-node, VPC clients-to-nodes
@@ -242,7 +242,7 @@ In this scenario, we assume that the Pod IP subnet is routable within a VPC.
Clients within the VPC network can communicate directly with ScyllaCluster nodes using PodIPs.
Nodes communicate with each other exclusively within the same Kubernetes cluster.
-
+
### Multi VPC
@@ -271,7 +271,7 @@ Both ScyllaClusters use the same `exposeOptions`, nodes broadcast their Pod IP a
Clients, whether deployed within the same Kubernetes cluster or within a VPC, have the capability to reach nodes using their Pod IPs.
Since there is no requirement for any address other than the Pod IP, the `Headless` service type is sufficient.
-
+
### Internet
@@ -297,7 +297,7 @@ ScyllaDB nodes broadcast this external address to clients, enabling drivers to c
Since all ScyllaDB nodes reside within the same Kubernetes cluster, there is no need to route traffic through the internet.
Consequently, the nodes are configured to communicate via ClusterIP, which is also accessible within LoadBalancer Services.
-
+
---
diff --git a/docs/source/resources/scyllaclusters/index.md b/docs/source/resources/scyllaclusters/index.md
new file mode 100644
index 00000000000..2fde34a98dc
--- /dev/null
+++ b/docs/source/resources/scyllaclusters/index.md
@@ -0,0 +1,11 @@
+# ScyllaClusters
+
+:::{toctree}
+:maxdepth: 1
+
+basics
+clients/index
+nodeoperations/index
+multidc/index
+exposing
+:::
diff --git a/docs/source/multidc/eks.md b/docs/source/resources/scyllaclusters/multidc/eks.md
similarity index 91%
rename from docs/source/multidc/eks.md
rename to docs/source/resources/scyllaclusters/multidc/eks.md
index 266dd7d3a4d..e87db8951b9 100644
--- a/docs/source/multidc/eks.md
+++ b/docs/source/resources/scyllaclusters/multidc/eks.md
@@ -41,7 +41,7 @@ nodeGroups:
```
Specify the first cluster's configuration file and save it as `cluster-us-east-1.yaml`.
-Refer to [Creating an EKS cluster](../eks.md#creating-an-eks-cluster) section of ScyllaDB Operator documentation for the reference of the configuration of node groups.
+Refer to [Creating an EKS cluster](../../../quickstarts/eks.md#creating-an-eks-cluster) section of ScyllaDB Operator documentation for the reference of the configuration of node groups.
To deploy the first cluster, use the below command:
```shell
@@ -60,13 +60,9 @@ kubectl config current-context
For any `kubectl` commands that you will want to run against this cluster, use the `--context` flag with the value returned by the above command.
-#### Deploy ScyllaDB Operator
+#### Deploy {{productName}}
-Once the cluster is ready, refer to [Deploying Scylla on a Kubernetes Cluster](../generic.md) to deploy the ScyllaDB Operator and its prerequisites.
-
-#### Prepare nodes for running ScyllaDB
-
-Then, prepare the nodes for running ScyllaDB workloads and deploy a volume provisioner following the steps described in [Deploying Scylla on EKS](../eks.md#prerequisites) in ScyllaDB Operator documentation.
+To deploy {{productName}} follow the [installation guide](../../../installation/overview.md).
### Create the second EKS cluster
diff --git a/docs/source/multidc/gke.md b/docs/source/resources/scyllaclusters/multidc/gke.md
similarity index 89%
rename from docs/source/multidc/gke.md
rename to docs/source/resources/scyllaclusters/multidc/gke.md
index b119d9e9b3b..bd2aaf6a686 100644
--- a/docs/source/multidc/gke.md
+++ b/docs/source/resources/scyllaclusters/multidc/gke.md
@@ -79,7 +79,7 @@ gcloud container clusters create scylladb-us-east1 \
--services-secondary-range-name=services
```
-Refer to [Creating a GKE cluster](../gke.md#creating-a-gke-cluster) section of ScyllaDB Operator documentation for more information regarding the configuration and deployment of additional node pools, including the one dedicated for ScyllaDB nodes.
+Refer to [Creating a GKE cluster](../../../quickstarts/gke.md#creating-a-gke-cluster) section of {{productName}} documentation for more information regarding the configuration and deployment of additional node pools, including the one dedicated for ScyllaDB nodes.
You will need to get the cluster's context for future operations. To do so, use the below command:
```shell
@@ -88,13 +88,9 @@ kubectl config current-context
For any `kubectl` commands that you will want to run against this cluster, use the `--context` flag with the value returned by the above command.
-#### Deploy ScyllaDB Operator
+#### Deploy {{productName}}
-Once the cluster is ready, refer to [Deploying Scylla on a Kubernetes Cluster](../generic.md) to deploy the ScyllaDB Operator and its prerequisites.
-
-#### Prepare nodes for running ScyllaDB
-
-Then, prepare the nodes for running ScyllaDB workloads and deploy a volume provisioner following the steps described in [Deploying Scylla on GKE](../gke.md) page of the documentation.
+To deploy {{productName}} follow the [installation guide](../../../installation/overview.md).
### Create the second GKE cluster
@@ -153,4 +149,4 @@ Refer to [Automatically created firewall rules](https://cloud.google.com/kuberne
---
Having followed the above steps, you should now have a platform prepared for deploying a multi-datacenter ScyllaDB cluster.
-Refer to [Deploy a multi-datacenter ScyllaDB cluster in multiple interconnected Kubernetes clusters](multidc.md) in ScyllaDB Operator documentation for guidance.
+Refer to [Deploy a multi-datacenter ScyllaDB cluster in multiple interconnected Kubernetes clusters](multidc.md) in {{productName}} documentation for guidance.
diff --git a/docs/source/resources/scyllaclusters/multidc/index.md b/docs/source/resources/scyllaclusters/multidc/index.md
new file mode 100644
index 00000000000..9eb9a4eb965
--- /dev/null
+++ b/docs/source/resources/scyllaclusters/multidc/index.md
@@ -0,0 +1,18 @@
+# Deploying multi-datacenter ScyllaDB clusters in Kubernetes
+
+Prepare a platform for a multi datacenter ScyllaDB cluster deployment:
+
+:::{toctree}
+:maxdepth: 1
+
+eks
+gke
+:::
+
+Deploy a multi-datacenter ScyllaDB cluster in Kubernetes:
+
+:::{toctree}
+:maxdepth: 1
+
+multidc
+:::
diff --git a/docs/source/multidc/multidc.md b/docs/source/resources/scyllaclusters/multidc/multidc.md
similarity index 96%
rename from docs/source/multidc/multidc.md
rename to docs/source/resources/scyllaclusters/multidc/multidc.md
index b2062d26f34..a71ec4ea891 100644
--- a/docs/source/multidc/multidc.md
+++ b/docs/source/resources/scyllaclusters/multidc/multidc.md
@@ -6,7 +6,7 @@ This guide will walk you through the example procedure of deploying two datacent
:::{note}
This guide is dedicated to deploying multi-datacenter ScyllaDB clusters and does not discuss unrelated configuration options.
-For details of ScyllaDB cluster deployments and their configuration, refer to [Deploying Scylla on a Kubernetes Cluster](../generic.md) in ScyllaDB Operator documentation.
+For details of ScyllaDB cluster deployments and their configuration, see the [ScyllaCluster resource documentation](../../scyllaclusters/basics.md).
:::
## Prerequisites
@@ -14,7 +14,7 @@ For details of ScyllaDB cluster deployments and their configuration, refer to [D
As this document describes the procedure of deploying a Multi Datacenter ScyllaDB cluster, you are expected to have the required infrastructure prepared.
Let's assume two interconnected Kubernetes clusters, capable of communicating with each other over PodIPs, with each cluster meeting the following requirements:
- a node pool dedicated to ScyllaDB nodes composed of at least 3 nodes running in different zones (with unique `topology.kubernetes.io/zone` label), configured to run ScyllaDB, each labeled with `scylla.scylladb.com/node-type: scylla`
-- running ScyllaDB Operator and its prerequisites
+- running {{productName}} and its prerequisites
- running a storage provisioner capable of provisioning XFS volumes of StorageClass `scylladb-local-xfs` in each of the nodes dedicated to ScyllaDB instances
You can refer to one of our guides describing the process of preparing such infrastructure:
@@ -28,11 +28,11 @@ See [Install Tools](https://kubernetes.io/docs/tasks/tools/) in Kubernetes docum
## Multi Datacenter ScyllaDB Cluster
-In v1.11, ScyllaDB Operator introduced support for manual multi-datacenter ScyllaDB cluster deployments.
+In v1.11, {{productName}} introduced support for manual multi-datacenter ScyllaDB cluster deployments.
:::{warning}
-ScyllaDB Operator only supports *manual configuration* of multi-datacenter ScyllaDB clusters.
-In other words, although ScyllaCluster API exposes the machinery necessary for setting up multi-datacenter ScylaDB clusters, the ScyllaDB Operator only automates operations for a single datacenter.
+{{productName}} only supports *manual configuration* of multi-datacenter ScyllaDB clusters.
+In other words, although ScyllaCluster API exposes the machinery necessary for setting up multi-datacenter ScylaDB clusters, the {{productName}} only automates operations for a single datacenter.
Operations related to multiple datacenters may require manual intervention of a human operator.
Most notably, destroying one of the Kubernetes clusters or ScyllaDB datacenters is going to leave DN nodes behind in other datacenters, and their removal has to be carried out manually.
@@ -54,7 +54,7 @@ For more details regarding the function and implementation of external seeds, re
Since this guide assumes interconnectivity over PodIPs of the Kubernetes clusters, you are going to configure the ScyllaDB cluster's nodes to communicate over PodIPs.
This is enabled by a subset of `exposeOptions` specified in ScyllaCluster API, introduced in v1.11.
-For this particular setup, define the ScyllaClusers as follows:
+For this particular setup, define the ScyllaClusters as follows:
```yaml
apiVersion: scylla.scylladb.com/v1
kind: ScyllaCluster
@@ -69,7 +69,7 @@ spec:
type: PodIP
```
-However, other configuration options allow for the manual deployment of multi-datacenter ScyllaDB clusters in different network setups. For details, refer to [Exposing ScyllaClusters](../exposing.md) in ScyllaDB Operator documentation.
+However, other configuration options allow for the manual deployment of multi-datacenter ScyllaDB clusters in different network setups. For details, refer to [Exposing ScyllaClusters](../exposing.md) in {{productName}} documentation.
#### Deploy a multi-datacenter ScyllaDB Cluster
@@ -567,8 +567,8 @@ UN 172.16.87.27 503 KB 256 ? c19c89cb-e24c-4062-9df4-2aa90
To integrate a multi-datacenter ScyllaDB cluster with Scylla Manager, you must deploy the Scylla Manager in only one datacenter.
In this example, let's choose the Kubernetes cluster deployed in the first datacenter to host it.
-To deploy Scylla Manager, follow the steps described in [Deploying Scylla Manager on a Kubernetes Cluster](../manager.md)
-in ScyllaDB Operator documentation.
+To deploy Scylla Manager, follow the steps described in [Deploying Scylla Manager on a Kubernetes Cluster](../../../architecture/manager.md)
+in {{productName}} documentation.
In order to define the Scylla Manager tasks, add them to the ScyllaCluster object deployed in the same Kubernetes cluster
in which your Scylla Manager is running.
@@ -598,4 +598,4 @@ kubectl --context="${CONTEXT_DC2}" -n=scylla patch scyllacluster/scylla-cluster
## ScyllaDBMonitoring
To monitor your cluster, deploy ScyllaDBMonitoring in every datacenter independently.
-To deploy ScyllaDB Monitoring, follow the steps described in [Deploy managed monitoring](../monitoring.md#deploy-managed-monitoring) in ScyllaDB Operator documentation.
+To deploy ScyllaDB Monitoring, follow the steps described in [Deploy managed monitoring](../../../resources/scylladbmonitorings.md#deploy-managed-monitoring) in {{productName}} documentation.
diff --git a/docs/source/nodeoperations/automatic-cleanup.md b/docs/source/resources/scyllaclusters/nodeoperations/automatic-cleanup.md
similarity index 100%
rename from docs/source/nodeoperations/automatic-cleanup.md
rename to docs/source/resources/scyllaclusters/nodeoperations/automatic-cleanup.md
diff --git a/docs/source/nodeoperations/index.rst b/docs/source/resources/scyllaclusters/nodeoperations/index.rst
similarity index 100%
rename from docs/source/nodeoperations/index.rst
rename to docs/source/resources/scyllaclusters/nodeoperations/index.rst
diff --git a/docs/source/nodeoperations/maintenance-mode.md b/docs/source/resources/scyllaclusters/nodeoperations/maintenance-mode.md
similarity index 100%
rename from docs/source/nodeoperations/maintenance-mode.md
rename to docs/source/resources/scyllaclusters/nodeoperations/maintenance-mode.md
diff --git a/docs/source/nodeoperations/replace-node.md b/docs/source/resources/scyllaclusters/nodeoperations/replace-node.md
similarity index 98%
rename from docs/source/nodeoperations/replace-node.md
rename to docs/source/resources/scyllaclusters/nodeoperations/replace-node.md
index 3e6a8c7f024..2baca66f626 100644
--- a/docs/source/nodeoperations/replace-node.md
+++ b/docs/source/resources/scyllaclusters/nodeoperations/replace-node.md
@@ -71,4 +71,4 @@ _This procedure is for replacing one dead node. To replace more than one dead no
UN 10.43.191.172 74.77 KB 256 ? 1ffa7a82-c41c-4706-8f5f-4d45a39c7003 us-east-1a
```
1. Run the repair on the cluster to make sure that the data is synced with the other nodes in the cluster.
- You can use [Scylla Manager](../manager.md) to run the repair.
+ You can use [Scylla Manager](../../../architecture/manager.md) to run the repair.
diff --git a/docs/source/nodeoperations/restore.md b/docs/source/resources/scyllaclusters/nodeoperations/restore.md
similarity index 96%
rename from docs/source/nodeoperations/restore.md
rename to docs/source/resources/scyllaclusters/nodeoperations/restore.md
index b3a88ad29ab..151810667fc 100644
--- a/docs/source/nodeoperations/restore.md
+++ b/docs/source/resources/scyllaclusters/nodeoperations/restore.md
@@ -1,12 +1,12 @@
# Restore from backup
-This procedure will describe how to restore from backup taken using [Scylla Manager](../manager.md) to a fresh **empty** cluster of any size.
+This procedure will describe how to restore from backup taken using [Scylla Manager](../../../architecture/manager.md) to a fresh **empty** cluster of any size.
:::{warning}
Restoring schema with **ScyllaDB OS 5.4.X** or **ScyllaDB Enterprise 2024.1.X** and `consistent_cluster_management` isn’t supported.
When creating the `target` ScyllaDB cluster, configure it with `consistent_cluster_management: false`.
-Refer to [API Reference](../api-reference/index.rst) to learn how to customize ScyllaDB configuration files.
+Refer to [API Reference](../../../api-reference/index.rst) to learn how to customize ScyllaDB configuration files.
When following the steps for schema restore, ensure you follow the additional steps dedicated to affected ScyllaDB versions.
:::
@@ -162,7 +162,7 @@ scyllacluster.scylla.scylladb.com/target condition met
### Restoring schema with **ScyllaDB OS 5.4.X** or **ScyllaDB Enterprise 2024.1.X** and `consistent_cluster_management`
After you've followed the above steps with a ScyllaDB target cluster with `consistent_cluster_management` disabled, you'll need to enable Raft by configuring the target cluster with `consistent_cluster_management: true`.
-Refer to [API Reference](../api-reference/index.rst) to learn how to customize ScyllaDB configuration files.
+Refer to [API Reference](../../../api-reference/index.rst) to learn how to customize ScyllaDB configuration files.
You will then need to execute a rolling restart of the ScyllaCluster for the change to take effect.
```console
diff --git a/docs/source/nodeoperations/scylla-upgrade.md b/docs/source/resources/scyllaclusters/nodeoperations/scylla-upgrade.md
similarity index 100%
rename from docs/source/nodeoperations/scylla-upgrade.md
rename to docs/source/resources/scyllaclusters/nodeoperations/scylla-upgrade.md
diff --git a/docs/source/monitoring.md b/docs/source/resources/scylladbmonitorings.md
similarity index 84%
rename from docs/source/monitoring.md
rename to docs/source/resources/scylladbmonitorings.md
index 22bda7f2501..c35c4456fd9 100644
--- a/docs/source/monitoring.md
+++ b/docs/source/resources/scylladbmonitorings.md
@@ -1,43 +1,17 @@
-# Monitoring
+# ScyllaDBMonitorings
-Scylla Operator 1.8 introduced a new API resource `ScyllaDBMonitoring`, allowing users to deploy a managed monitoring
+Scylla Operator 1.8 introduced a new API resource called [ScyllaDBMonitoring](../api-reference/groups/scylla.scylladb.com/scylladbmonitorings), allowing users to deploy a managed monitoring
setup for their Scylla Clusters.
-```yaml
-apiVersion: scylla.scylladb.com/v1alpha1
-kind: ScyllaDBMonitoring
-metadata:
- name: example
-spec:
- type: Platform
- endpointsSelector:
- matchLabels:
- app.kubernetes.io/name: scylla
- scylla-operator.scylladb.com/scylla-service-type: member
- scylla/cluster: replace-with-your-scyllacluster-name
- components:
- prometheus:
- storage:
- volumeClaimTemplate:
- spec:
- storageClassName: scylladb-local-xfs
- resources:
- requests:
- storage: 1Gi
- grafana:
- exposeOptions:
- webInterface:
- ingress:
- ingressClassName: haproxy
- dnsDomains:
- - test-grafana.test.svc.cluster.local
- annotations:
- haproxy-ingress.github.io/ssl-passthrough: "true"
+
+```{literalinclude} ../../../examples/monitoring/v1alpha1/scylladbmonitoring.yaml
+:language: yaml
+:linenos:
```
For details, refer to the below command:
```console
-$ kubectl explain scylladbmonitorings.scylla.scylladb.com/v1alpha1
+kubectl explain scylladbmonitorings.scylla.scylladb.com/v1alpha1
```
## Deploy managed monitoring
@@ -47,9 +21,7 @@ $ kubectl explain scylladbmonitorings.scylla.scylladb.com/v1alpha1
### Requirements
Before you can set up your ScyllaDB monitoring, you need Scylla Operator already installed in your Kubernetes cluster.
-For more information on how to deploy Scylla Operator, see:
-* [Deploying Scylla on a Kubernetes Cluster](generic.md)
-* [Deploying Scylla stack using Helm Charts](helm.md)
+For more information on how to deploy Scylla Operator, see [the installation guide](../installation/overview.md).
The above example of the monitoring setup also makes use of HAProxy Ingress and Prometheus Operator.
You can deploy them in your Kubernetes cluster using the provided third party examples. If you already have them deployed
diff --git a/docs/source/resources/scyllaoperatorconfigs.md b/docs/source/resources/scyllaoperatorconfigs.md
new file mode 100644
index 00000000000..447630a61a0
--- /dev/null
+++ b/docs/source/resources/scyllaoperatorconfigs.md
@@ -0,0 +1,34 @@
+# ScyllaOperatorConfigs
+
+[ScyllaOperatorConfig](../api-reference/groups/scylla.scylladb.com/scyllaoperatorconfigs.rst) holds the global configuration for {{productName}}.
+It is automatically created by {{productName}}, if it's missing, and also reports some of the configuration (like auxiliary images) that are in use.
+
+This is a singleton resource where only a single instance named `cluster` is valid.
+
+:::{code-block} yaml
+:linenos:
+
+apiVersion: scylla.scylladb.com/v1alpha1
+kind: ScyllaOperatorConfig
+metadata:
+ name: cluster
+ # ...
+spec:
+ scyllaUtilsImage: ""
+status:
+ bashToolsImage: registry.access.redhat.com/ubi9/ubi:9.3-1361.1699548029@sha256:6b95efc134c2af3d45472c0a2f88e6085433df058cc210abb2bb061ac4d74359
+ grafanaImage: docker.io/grafana/grafana:9.5.12@sha256:7d2f2a8b7aebe30bf3f9ae0f190e508e571b43f65753ba3b1b1adf0800bc9256
+ observedGeneration: 1
+ prometheusVersion: v2.44.0
+ scyllaDBUtilsImage: docker.io/scylladb/scylla:5.4.0@sha256:b9070afdb2be0d5c59b1c196e1bb66660351403cb30d5c6ba446ef8c3b0754f1
+:::
+
+## Tuning with ScyllaDB Enterprise
+
+To enable tuning using the scripts from ScyllaDB Enterprise you have to adjust the `scyllaUtilsImage`
+:::{code-block} yaml
+:substitutions:
+
+ spec:
+ scyllaUtilsImage: "{{enterpriseImageRepository}}:{{enterpriseImageTag}}"
+:::
diff --git a/docs/source/support/index.md b/docs/source/support/index.md
new file mode 100644
index 00000000000..d4ae9aa918a
--- /dev/null
+++ b/docs/source/support/index.md
@@ -0,0 +1,12 @@
+# Support
+
+:::{toctree}
+:titlesonly:
+:maxdepth: 1
+
+overview
+known-issues
+troubleshooting/index
+must-gather
+releases
+:::
diff --git a/docs/source/support/index.rst b/docs/source/support/index.rst
deleted file mode 100644
index 9c623218acb..00000000000
--- a/docs/source/support/index.rst
+++ /dev/null
@@ -1,12 +0,0 @@
-==========================================================
-Support
-==========================================================
-
-.. toctree::
- :titlesonly:
- :maxdepth: 1
-
- overview
- known-issues
- troubleshooting/index
- must-gather
diff --git a/docs/source/releases.md b/docs/source/support/releases.md
similarity index 96%
rename from docs/source/releases.md
rename to docs/source/support/releases.md
index 745383fd912..3b82cd77b9a 100644
--- a/docs/source/releases.md
+++ b/docs/source/support/releases.md
@@ -70,6 +70,10 @@ Support matrix table shows the version requirements for a particular **scylla-op
| Scylla Monitoring | `(CRD)` | `(CRD)` | `(CRD)` |
:::
+### Architectures
+
+{{productName}} image is published as a manifest list to `docker.io/scylladb/scylla-operator:X.Y.Z` containing image build for `amd64` and `aarch64`.
+
### Supported Kubernetes platforms
We officially test and recommend to use the following platforms:
diff --git a/docs/source/upgrade.md b/docs/source/upgrade.md
deleted file mode 100644
index bc458be7c3d..00000000000
--- a/docs/source/upgrade.md
+++ /dev/null
@@ -1,184 +0,0 @@
-# Upgrade of Scylla Operator
-
-This page describes Scylla Operator upgrade procedures.
-There are two generic update procedures - via Helm and via kubectl. Before upgrading, please check this page to find out
-if your target version requires additional upgrade steps.
-
-## Upgrade via Helm
-
-Helm doesn't support managing CustomResourceDefinition resources ([#5871](https://github.com/helm/helm/issues/5871), [#7735](https://github.com/helm/helm/issues/7735))
-These are only created on first install and never updated. In order to update them, users have to do it manually.
-
-Replace `` with the name of your Helm release for Scylla Operator and replace `` with the version number you want to install:
-1. Make sure Helm chart repository is up-to-date:
- ```
- helm repo add scylla-operator https://storage.googleapis.com/scylla-operator-charts/stable
- helm repo update
- ```
-2. Update CRD resources. We recommend using `--server-side` flag for `kubectl apply`, if your version supports it.
- ```
- tmpdir=$( mktemp -d ) \
- && helm pull scylla-operator/scylla-operator --version --untar --untardir "${tmpdir}" \
- && find "${tmpdir}"/scylla-operator/crds/ -name '*.yaml' -printf '-f=%p ' \
- | xargs kubectl apply
- ```
-3. Update Scylla Operator
- ```
- helm upgrade --version scylla-operator/scylla-operator
- ```
-
-## Upgrade via kubectl
-
-Replace `` with the version number you want to install:
-
-1. Checkout source code of version you want to use:
- ```
- git checkout
- ```
-2. Manifests use rolling minor version tag, you may want to pin it to specific version:
- ```
- find deploy/operator -name "*.yaml" | xargs sed --follow-symlinks -i -E "s^docker.io/scylladb/scylla-operator:[0-9]+\.[0-9]+^docker.io/scylladb/scylla-operator:^g"
- ```
-3. Update Scylla Operator. We recommend using `--server-side` flag for `kubectl apply`, if your version supports it.
- ```
- kubectl apply -f deploy/operator
- ```
-
----
-
-## `v1.2.0` -> `v1.3.0`
-
-Sidecar image is going to be upgraded automatically, so a rolling restart of your Scylla clusters is expected during the upgrade procedure.
-
-1. Checkout source code of v1.3.0:
- ```
- git checkout v1.3.0
- ```
-1. Update Scylla Operator from deploy directory:
- ```
- kubectl -n scylla-operator apply -f deploy/operator
- ```
-1. Wait until Scylla Operator is up and running:
- ```
- kubectl wait --for condition=established crd/scyllaclusters.scylla.scylladb.com
- kubectl -n scylla-operator rollout status deployment.apps/scylla-operator
- ```
-
-## `v1.1.0` -> `v1.2.0`
-
-1.2.0 release brought a lot of changes to the Scylla Operator deployment process.
-To properly update Scylla Operator one must delete old objects and install updated ones.
-
-Sidecar image is going to be upgraded automatically, so a rolling restart of your Scylla clusters is expected during the upgrade procedure.
-
-1. Checkout source code of v1.2.0:
- ```
- git checkout v1.2.0
- ```
-1. Remove old scylla operator namespace - in our case it's called `scylla-operator-system`:
- ```
- kubectl delete namespace scylla-operator-system --wait=true
- ```
-1. Remove old webhooks:
- ```
- kubectl delete MutatingWebhookConfiguration scylla-operator-mutating-webhook-configuration
- kubectl delete ValidatingWebhookConfiguration scylla-operator-validating-webhook-configuration
- ```
-1. Install Scylla Operator from deploy directory:
- ```
- kubectl -n scylla-operator apply -f deploy/operator
- ```
-1. Wait until Scylla Operator is up and running:
- ```
- kubectl wait --for condition=established crd/scyllaclusters.scylla.scylladb.com
- kubectl -n scylla-operator rollout status deployment.apps/scylla-operator
- ```
-
-## `v1.0.0` -> `v1.1.0`
-
-During this update we will change probes and image for Scylla Operator.
-A new version brings an automation for upgrade of sidecar image, so a rolling restart of managed Scylla clusters is expected.
-
-1. Get name of StatefulSet managing Scylla Operator
- ```shell
- kubectl --namespace scylla-operator-system get sts --selector="control-plane=controller-manager"
-
- NAME READY AGE
- scylla-operator-controller-manager 1/1 95m
- ```
-
-1. Change probes and used container image by applying following patch:
- ```yaml
- spec:
- template:
- spec:
- containers:
- - name: manager
- image: docker.io/scylladb/scylla-operator:1.1.0
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8080
- scheme: HTTP
- readinessProbe:
- $retainKeys:
- - httpGet
- httpGet:
- path: /readyz
- port: 8080
- scheme: HTTP
- ```
- To apply above patch save it to file (`operator-patch.yaml` for example) and apply to Operator StatefulSet:
- ```shell
- kubectl -n scylla-operator-system patch sts scylla-operator-controller-manager --patch "$(cat operator-patch.yaml)"
- ```
-
-
-## `v0.3.0` -> `v1.0.0`
-
-***Note:*** There's an experimental migration procedure available [here](migration.md).
-
-`v0.3.0` used a very common name as a CRD kind (`Cluster`). In `v1.0.0` this issue was solved by using less common
-kind which is easier to disambiguate. (`ScyllaCluster`).
-This change is backward incompatible, so Scylla cluster must be turned off and recreated from scratch.
-In case you need to preserve your data, refer to backup and restore guide.
-
-1. Get list of existing Scylla clusters
- ```
- kubectl -n scylla get cluster.scylla.scylladb.com
-
- NAME AGE
- simple-cluster 30m
- ```
-1. Delete each one of them
-
- ```
- kubectl -n scylla delete cluster.scylla.scylladb.com simple-cluster
- ```
-1. Make sure you're on `v0.3.0` branch
- ```
- git checkout v0.3.0
- ```
-1. Delete existing CRD and Operator
- ```
- kubectl delete -f examples/generic/operator.yaml
- ```
-1. Checkout `v1.0.0` version
- ```
- git checkout v1.0.0
- ```
-1. Install new CRD and Scylla Operator
- ```
- kubectl apply -f deploy/operator.yaml
- ```
-1. Migrate your existing Scylla Cluster definition. Change `apiVersion` and `kind` from:
- ```
- apiVersion: scylla.scylladb.com/v1alpha1
- kind: Cluster
- ```
- to:
- ```
- apiVersion: scylla.scylladb.com/v1
- kind: ScyllaCluster
- ```
-1. Once your cluster definition is ready, use `kubectl apply` to install fresh Scylla cluster.
diff --git a/examples/common/cert-manager.yaml b/examples/common/cert-manager.yaml
deleted file mode 100644
index 5d715948e07..00000000000
--- a/examples/common/cert-manager.yaml
+++ /dev/null
@@ -1,5840 +0,0 @@
-# Copyright 2022 The cert-manager Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Namespace
-metadata:
- name: cert-manager
----
-# Source: cert-manager/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: certificaterequests.cert-manager.io
- labels:
- app: 'cert-manager'
- app.kubernetes.io/name: 'cert-manager'
- app.kubernetes.io/instance: 'cert-manager'
- # Generated labels
- app.kubernetes.io/version: "v1.14.0"
-spec:
- group: cert-manager.io
- names:
- kind: CertificateRequest
- listKind: CertificateRequestList
- plural: certificaterequests
- shortNames:
- - cr
- - crs
- singular: certificaterequest
- categories:
- - cert-manager
- scope: Namespaced
- versions:
- - name: v1
- subresources:
- status: {}
- additionalPrinterColumns:
- - jsonPath: .status.conditions[?(@.type=="Approved")].status
- name: Approved
- type: string
- - jsonPath: .status.conditions[?(@.type=="Denied")].status
- name: Denied
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- - jsonPath: .spec.issuerRef.name
- name: Issuer
- type: string
- - jsonPath: .spec.username
- name: Requestor
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].message
- name: Status
- priority: 1
- type: string
- - jsonPath: .metadata.creationTimestamp
- description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
- name: Age
- type: date
- schema:
- openAPIV3Schema:
- description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
- type: object
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Specification of the desired state of the CertificateRequest resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
- type: object
- required:
- - issuerRef
- - request
- properties:
- duration:
- description: Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute.
- type: string
- extra:
- description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
- type: object
- additionalProperties:
- type: array
- items:
- type: string
- groups:
- description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- isCA:
- description: "Requested basic constraints isCA value. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n NOTE: If the CSR in the `Request` field has a BasicConstraints extension, it must have the same isCA value as specified here. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`."
- type: boolean
- issuerRef:
- description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified."
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
- request:
- description: "The PEM-encoded X.509 certificate signing request to be submitted to the issuer for signing. \n If the CSR has a BasicConstraints extension, its isCA attribute must match the `isCA` value of this CertificateRequest. If the CSR has a KeyUsage extension, its key usages must match the key usages in the `usages` field of this CertificateRequest. If the CSR has a ExtKeyUsage extension, its extended key usages must match the extended key usages in the `usages` field of this CertificateRequest."
- type: string
- format: byte
- uid:
- description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
- type: string
- usages:
- description: "Requested key usages and extended key usages. \n NOTE: If the CSR in the `Request` field has uses the KeyUsage or ExtKeyUsage extension, these extensions must have the same values as specified here without any additional values. \n If unset, defaults to `digital signature` and `key encipherment`."
- type: array
- items:
- description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
- type: string
- enum:
- - signing
- - digital signature
- - content commitment
- - key encipherment
- - key agreement
- - data encipherment
- - cert sign
- - crl sign
- - encipher only
- - decipher only
- - any
- - server auth
- - client auth
- - code signing
- - email protection
- - s/mime
- - ipsec end system
- - ipsec tunnel
- - ipsec user
- - timestamping
- - ocsp signing
- - microsoft sgc
- - netscape sgc
- username:
- description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
- type: string
- status:
- description: 'Status of the CertificateRequest. This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
- type: object
- properties:
- ca:
- description: The PEM encoded X.509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
- type: string
- format: byte
- certificate:
- description: The PEM encoded X.509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
- type: string
- format: byte
- conditions:
- description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
- type: array
- items:
- description: CertificateRequestCondition contains condition information for a CertificateRequest.
- type: object
- required:
- - status
- - type
- properties:
- lastTransitionTime:
- description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
- type: string
- format: date-time
- message:
- description: Message is a human readable description of the details of the last transition, complementing reason.
- type: string
- reason:
- description: Reason is a brief machine readable explanation for the condition's last transition.
- type: string
- status:
- description: Status of the condition, one of (`True`, `False`, `Unknown`).
- type: string
- enum:
- - "True"
- - "False"
- - Unknown
- type:
- description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
- type: string
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- failureTime:
- description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
- type: string
- format: date-time
- served: true
- storage: true
----
-# Source: cert-manager/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: certificates.cert-manager.io
- labels:
- app: 'cert-manager'
- app.kubernetes.io/name: 'cert-manager'
- app.kubernetes.io/instance: 'cert-manager'
- # Generated labels
- app.kubernetes.io/version: "v1.14.0"
-spec:
- group: cert-manager.io
- names:
- kind: Certificate
- listKind: CertificateList
- plural: certificates
- shortNames:
- - cert
- - certs
- singular: certificate
- categories:
- - cert-manager
- scope: Namespaced
- versions:
- - name: v1
- subresources:
- status: {}
- additionalPrinterColumns:
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- - jsonPath: .spec.secretName
- name: Secret
- type: string
- - jsonPath: .spec.issuerRef.name
- name: Issuer
- priority: 1
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].message
- name: Status
- priority: 1
- type: string
- - jsonPath: .metadata.creationTimestamp
- description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
- name: Age
- type: date
- schema:
- openAPIV3Schema:
- description: "A Certificate resource should be created to ensure an up to date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
- type: object
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Specification of the desired state of the Certificate resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
- type: object
- required:
- - issuerRef
- - secretName
- properties:
- additionalOutputFormats:
- description: "Defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. \n This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option set on both the controller and webhook components."
- type: array
- items:
- description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
- type: object
- required:
- - type
- properties:
- type:
- description: Type is the name of the format type that should be written to the Certificate's target Secret.
- type: string
- enum:
- - DER
- - CombinedPEM
- commonName:
- description: "Requested common name X509 certificate subject attribute. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 NOTE: TLS clients will ignore this value when any subject alternative name is set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). \n Should have a length of 64 characters or fewer to avoid generating invalid CSRs. Cannot be set if the `literalSubject` field is set."
- type: string
- dnsNames:
- description: Requested DNS subject alternative names.
- type: array
- items:
- type: string
- duration:
- description: "Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. \n If unset, this defaults to 90 days. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration."
- type: string
- emailAddresses:
- description: Requested email subject alternative names.
- type: array
- items:
- type: string
- encodeUsagesInRequest:
- description: "Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. \n This option defaults to true, and should only be disabled if the target issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions."
- type: boolean
- ipAddresses:
- description: Requested IP address subject alternative names.
- type: array
- items:
- type: string
- isCA:
- description: "Requested basic constraints isCA value. The isCA value is used to set the `isCA` field on the created CertificateRequest resources. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`."
- type: boolean
- issuerRef:
- description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified."
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
- keystores:
- description: Additional keystore output formats to be stored in the Certificate's Secret.
- type: object
- properties:
- jks:
- description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
- type: object
- required:
- - create
- - passwordSecretRef
- properties:
- create:
- description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
- type: boolean
- passwordSecretRef:
- description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- pkcs12:
- description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
- type: object
- required:
- - create
- - passwordSecretRef
- properties:
- create:
- description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
- type: boolean
- passwordSecretRef:
- description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- profile:
- description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret."
- type: string
- enum:
- - LegacyRC2
- - LegacyDES
- - Modern2023
- literalSubject:
- description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components."
- type: string
- nameConstraints:
- description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true` option set on both the controller and webhook components."
- type: object
- properties:
- critical:
- description: if true then the name constraints are marked critical.
- type: boolean
- excluded:
- description: Excluded contains the constraints which must be disallowed. Any name matching a restriction in the excluded field is invalid regardless of information appearing in the permitted
- type: object
- properties:
- dnsDomains:
- description: DNSDomains is a list of DNS domains that are permitted or excluded.
- type: array
- items:
- type: string
- emailAddresses:
- description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
- type: array
- items:
- type: string
- ipRanges:
- description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation.
- type: array
- items:
- type: string
- uriDomains:
- description: URIDomains is a list of URI domains that are permitted or excluded.
- type: array
- items:
- type: string
- permitted:
- description: Permitted contains the constraints in which the names must be located.
- type: object
- properties:
- dnsDomains:
- description: DNSDomains is a list of DNS domains that are permitted or excluded.
- type: array
- items:
- type: string
- emailAddresses:
- description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
- type: array
- items:
- type: string
- ipRanges:
- description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation.
- type: array
- items:
- type: string
- uriDomains:
- description: URIDomains is a list of URI domains that are permitted or excluded.
- type: array
- items:
- type: string
- otherNames:
- description: '`otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.'
- type: array
- items:
- type: object
- properties:
- oid:
- description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113556.1.4.221".
- type: string
- utf8Value:
- description: utf8Value is the string value of the otherName SAN. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
- type: string
- privateKey:
- description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy.
- type: object
- properties:
- algorithm:
- description: "Algorithm is the private key algorithm of the corresponding private key for this certificate. \n If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. If `algorithm` is specified and `size` is not provided, key size of 2048 will be used for `RSA` key algorithm and key size of 256 will be used for `ECDSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm."
- type: string
- enum:
- - RSA
- - ECDSA
- - Ed25519
- encoding:
- description: "The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. \n If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified."
- type: string
- enum:
- - PKCS1
- - PKCS8
- rotationPolicy:
- description: "RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. \n If set to `Never`, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to `Always`, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is `Never` for backward compatibility."
- type: string
- enum:
- - Never
- - Always
- size:
- description: "Size is the key bit size of the corresponding private key for this certificate. \n If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed."
- type: integer
- renewBefore:
- description: "How long before the currently issued certificate's expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. when there are 10 minutes remaining until the certificate is no longer valid). \n NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate. \n If unset, this defaults to 1/3 of the issued certificate's lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration."
- type: string
- revisionHistoryLimit:
- description: "The maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. \n If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`."
- type: integer
- format: int32
- secretName:
- description: Name of the Secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. The Secret resource lives in the same namespace as the Certificate resource.
- type: string
- secretTemplate:
- description: Defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
- type: object
- properties:
- annotations:
- description: Annotations is a key value map to be copied to the target Kubernetes Secret.
- type: object
- additionalProperties:
- type: string
- labels:
- description: Labels is a key value map to be copied to the target Kubernetes Secret.
- type: object
- additionalProperties:
- type: string
- subject:
- description: "Requested set of X509 certificate subject attributes. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 \n The common name attribute is specified separately in the `commonName` field. Cannot be set if the `literalSubject` field is set."
- type: object
- properties:
- countries:
- description: Countries to be used on the Certificate.
- type: array
- items:
- type: string
- localities:
- description: Cities to be used on the Certificate.
- type: array
- items:
- type: string
- organizationalUnits:
- description: Organizational Units to be used on the Certificate.
- type: array
- items:
- type: string
- organizations:
- description: Organizations to be used on the Certificate.
- type: array
- items:
- type: string
- postalCodes:
- description: Postal codes to be used on the Certificate.
- type: array
- items:
- type: string
- provinces:
- description: State/Provinces to be used on the Certificate.
- type: array
- items:
- type: string
- serialNumber:
- description: Serial number to be used on the Certificate.
- type: string
- streetAddresses:
- description: Street addresses to be used on the Certificate.
- type: array
- items:
- type: string
- uris:
- description: Requested URI subject alternative names.
- type: array
- items:
- type: string
- usages:
- description: "Requested key usages and extended key usages. These usages are used to set the `usages` field on the created CertificateRequest resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages will additionally be encoded in the `request` field which contains the CSR blob. \n If unset, defaults to `digital signature` and `key encipherment`."
- type: array
- items:
- description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
- type: string
- enum:
- - signing
- - digital signature
- - content commitment
- - key encipherment
- - key agreement
- - data encipherment
- - cert sign
- - crl sign
- - encipher only
- - decipher only
- - any
- - server auth
- - client auth
- - code signing
- - email protection
- - s/mime
- - ipsec end system
- - ipsec tunnel
- - ipsec user
- - timestamping
- - ocsp signing
- - microsoft sgc
- - netscape sgc
- status:
- description: 'Status of the Certificate. This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
- type: object
- properties:
- conditions:
- description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
- type: array
- items:
- description: CertificateCondition contains condition information for an Certificate.
- type: object
- required:
- - status
- - type
- properties:
- lastTransitionTime:
- description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
- type: string
- format: date-time
- message:
- description: Message is a human readable description of the details of the last transition, complementing reason.
- type: string
- observedGeneration:
- description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
- type: integer
- format: int64
- reason:
- description: Reason is a brief machine readable explanation for the condition's last transition.
- type: string
- status:
- description: Status of the condition, one of (`True`, `False`, `Unknown`).
- type: string
- enum:
- - "True"
- - "False"
- - Unknown
- type:
- description: Type of the condition, known values are (`Ready`, `Issuing`).
- type: string
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- failedIssuanceAttempts:
- description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
- type: integer
- lastFailureTime:
- description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset.
- type: string
- format: date-time
- nextPrivateKeySecretName:
- description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
- type: string
- notAfter:
- description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
- type: string
- format: date-time
- notBefore:
- description: The time after which the certificate stored in the secret named by this resource in `spec.secretName` is valid.
- type: string
- format: date-time
- renewalTime:
- description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
- type: string
- format: date-time
- revision:
- description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
- type: integer
- served: true
- storage: true
----
-# Source: cert-manager/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: challenges.acme.cert-manager.io
- labels:
- app: 'cert-manager'
- app.kubernetes.io/name: 'cert-manager'
- app.kubernetes.io/instance: 'cert-manager'
- # Generated labels
- app.kubernetes.io/version: "v1.14.0"
-spec:
- group: acme.cert-manager.io
- names:
- kind: Challenge
- listKind: ChallengeList
- plural: challenges
- singular: challenge
- categories:
- - cert-manager
- - cert-manager-acme
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .status.state
- name: State
- type: string
- - jsonPath: .spec.dnsName
- name: Domain
- type: string
- - jsonPath: .status.reason
- name: Reason
- priority: 1
- type: string
- - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1
- schema:
- openAPIV3Schema:
- description: Challenge is a type to represent a Challenge request with an ACME server
- type: object
- required:
- - metadata
- - spec
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- type: object
- required:
- - authorizationURL
- - dnsName
- - issuerRef
- - key
- - solver
- - token
- - type
- - url
- properties:
- authorizationURL:
- description: The URL to the ACME Authorization resource that this challenge is a part of.
- type: string
- dnsName:
- description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
- type: string
- issuerRef:
- description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
- key:
- description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.'
- type: string
- solver:
- description: Contains the domain solving configuration that should be used to solve this challenge resource.
- type: object
- properties:
- dns01:
- description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
- type: object
- properties:
- acmeDNS:
- description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
- type: object
- required:
- - accountSecretRef
- - host
- properties:
- accountSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- host:
- type: string
- akamai:
- description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
- type: object
- required:
- - accessTokenSecretRef
- - clientSecretSecretRef
- - clientTokenSecretRef
- - serviceConsumerDomain
- properties:
- accessTokenSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientSecretSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientTokenSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- serviceConsumerDomain:
- type: string
- azureDNS:
- description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
- type: object
- required:
- - resourceGroupName
- - subscriptionID
- properties:
- clientID:
- description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
- type: string
- clientSecretSecretRef:
- description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- environment:
- description: name of the Azure environment (default AzurePublicCloud)
- type: string
- enum:
- - AzurePublicCloud
- - AzureChinaCloud
- - AzureGermanCloud
- - AzureUSGovernmentCloud
- hostedZoneName:
- description: name of the DNS zone that should be used
- type: string
- managedIdentity:
- description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
- type: object
- properties:
- clientID:
- description: client ID of the managed identity, can not be used at the same time as resourceID
- type: string
- resourceID:
- description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
- type: string
- resourceGroupName:
- description: resource group the DNS zone is located in
- type: string
- subscriptionID:
- description: ID of the Azure subscription
- type: string
- tenantID:
- description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
- type: string
- cloudDNS:
- description: Use the Google Cloud DNS API to manage DNS01 challenge records.
- type: object
- required:
- - project
- properties:
- hostedZoneName:
- description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
- type: string
- project:
- type: string
- serviceAccountSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- cloudflare:
- description: Use the Cloudflare API to manage DNS01 challenge records.
- type: object
- properties:
- apiKeySecretRef:
- description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- apiTokenSecretRef:
- description: API token used to authenticate with Cloudflare.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- email:
- description: Email of the account, only required when using API key based authentication.
- type: string
- cnameStrategy:
- description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
- type: string
- enum:
- - None
- - Follow
- digitalocean:
- description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
- type: object
- required:
- - tokenSecretRef
- properties:
- tokenSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- rfc2136:
- description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
- type: object
- required:
- - nameserver
- properties:
- nameserver:
- description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
- type: string
- tsigAlgorithm:
- description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
- type: string
- tsigKeyName:
- description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
- type: string
- tsigSecretSecretRef:
- description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- route53:
- description: Use the AWS Route53 API to manage DNS01 challenge records.
- type: object
- required:
- - region
- properties:
- accessKeyID:
- description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- type: string
- accessKeyIDSecretRef:
- description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- hostedZoneID:
- description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
- type: string
- region:
- description: Always set the region when using AccessKeyID and SecretAccessKey
- type: string
- role:
- description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
- type: string
- secretAccessKeySecretRef:
- description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- webhook:
- description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
- type: object
- required:
- - groupName
- - solverName
- properties:
- config:
- description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
- x-kubernetes-preserve-unknown-fields: true
- groupName:
- description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
- type: string
- solverName:
- description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
- type: string
- http01:
- description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
- type: object
- properties:
- gatewayHTTPRoute:
- description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
- type: object
- properties:
- labels:
- description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
- type: object
- additionalProperties:
- type: string
- parentRefs:
- description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
- type: array
- items:
- description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
- type: object
- required:
- - name
- properties:
- group:
- description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
- type: string
- default: gateway.networking.k8s.io
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- kind:
- description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific."
- type: string
- default: Gateway
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- name:
- description: "Name is the name of the referent. \n Support: Core"
- type: string
- maxLength: 253
- minLength: 1
- namespace:
- description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
- type: string
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- port:
- description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
- type: integer
- format: int32
- maximum: 65535
- minimum: 1
- sectionName:
- description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
- type: string
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- serviceType:
- description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
- type: string
- ingress:
- description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
- type: object
- properties:
- class:
- description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
- type: string
- ingressClassName:
- description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
- type: string
- ingressTemplate:
- description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
- type: object
- properties:
- metadata:
- description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
- type: object
- properties:
- annotations:
- description: Annotations that should be added to the created ACME HTTP01 solver ingress.
- type: object
- additionalProperties:
- type: string
- labels:
- description: Labels that should be added to the created ACME HTTP01 solver ingress.
- type: object
- additionalProperties:
- type: string
- name:
- description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
- type: string
- podTemplate:
- description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
- type: object
- properties:
- metadata:
- description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
- type: object
- properties:
- annotations:
- description: Annotations that should be added to the create ACME HTTP01 solver pods.
- type: object
- additionalProperties:
- type: string
- labels:
- description: Labels that should be added to the created ACME HTTP01 solver pods.
- type: object
- additionalProperties:
- type: string
- spec:
- description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
- type: object
- properties:
- affinity:
- description: If specified, the pod's scheduling constraints
- type: object
- properties:
- nodeAffinity:
- description: Describes node affinity scheduling rules for the pod.
- type: object
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
- type: array
- items:
- description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
- type: object
- required:
- - preference
- - weight
- properties:
- preference:
- description: A node selector term, associated with the corresponding weight.
- type: object
- properties:
- matchExpressions:
- description: A list of node selector requirements by node's labels.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchFields:
- description: A list of node selector requirements by node's fields.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- x-kubernetes-map-type: atomic
- weight:
- description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
- type: integer
- format: int32
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
- type: object
- required:
- - nodeSelectorTerms
- properties:
- nodeSelectorTerms:
- description: Required. A list of node selector terms. The terms are ORed.
- type: array
- items:
- description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
- type: object
- properties:
- matchExpressions:
- description: A list of node selector requirements by node's labels.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchFields:
- description: A list of node selector requirements by node's fields.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- x-kubernetes-map-type: atomic
- x-kubernetes-map-type: atomic
- podAffinity:
- description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
- type: object
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
- type: array
- items:
- description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
- type: object
- required:
- - podAffinityTerm
- - weight
- properties:
- podAffinityTerm:
- description: Required. A pod affinity term, associated with the corresponding weight.
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- weight:
- description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
- type: integer
- format: int32
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
- type: array
- items:
- description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- podAntiAffinity:
- description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
- type: object
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
- type: array
- items:
- description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
- type: object
- required:
- - podAffinityTerm
- - weight
- properties:
- podAffinityTerm:
- description: Required. A pod affinity term, associated with the corresponding weight.
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- weight:
- description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
- type: integer
- format: int32
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
- type: array
- items:
- description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- imagePullSecrets:
- description: If specified, the pod's imagePullSecrets
- type: array
- items:
- description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
- type: object
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
- type: string
- x-kubernetes-map-type: atomic
- nodeSelector:
- description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- type: object
- additionalProperties:
- type: string
- priorityClassName:
- description: If specified, the pod's priorityClassName.
- type: string
- serviceAccountName:
- description: If specified, the pod's service account
- type: string
- tolerations:
- description: If specified, the pod's tolerations.
- type: array
- items:
- description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .
- type: object
- properties:
- effect:
- description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
- type: string
- key:
- description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
- type: string
- operator:
- description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
- type: string
- tolerationSeconds:
- description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
- type: integer
- format: int64
- value:
- description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
- type: string
- serviceType:
- description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
- type: string
- selector:
- description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
- type: object
- properties:
- dnsNames:
- description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
- type: array
- items:
- type: string
- dnsZones:
- description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
- type: array
- items:
- type: string
- matchLabels:
- description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
- type: object
- additionalProperties:
- type: string
- token:
- description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
- type: string
- type:
- description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
- type: string
- enum:
- - HTTP-01
- - DNS-01
- url:
- description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
- type: string
- wildcard:
- description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
- type: boolean
- status:
- type: object
- properties:
- presented:
- description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
- type: boolean
- processing:
- description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
- type: boolean
- reason:
- description: Contains human readable information on why the Challenge is in the current state.
- type: string
- state:
- description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- served: true
- storage: true
- subresources:
- status: {}
----
-# Source: cert-manager/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: clusterissuers.cert-manager.io
- labels:
- app: 'cert-manager'
- app.kubernetes.io/name: 'cert-manager'
- app.kubernetes.io/instance: "cert-manager"
- # Generated labels
- app.kubernetes.io/version: "v1.14.0"
-spec:
- group: cert-manager.io
- names:
- kind: ClusterIssuer
- listKind: ClusterIssuerList
- plural: clusterissuers
- singular: clusterissuer
- categories:
- - cert-manager
- scope: Cluster
- versions:
- - name: v1
- subresources:
- status: {}
- additionalPrinterColumns:
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].message
- name: Status
- priority: 1
- type: string
- - jsonPath: .metadata.creationTimestamp
- description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
- name: Age
- type: date
- schema:
- openAPIV3Schema:
- description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
- type: object
- required:
- - spec
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Desired state of the ClusterIssuer resource.
- type: object
- properties:
- acme:
- description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
- type: object
- required:
- - privateKeySecretRef
- - server
- properties:
- caBundle:
- description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
- type: string
- format: byte
- disableAccountKeyGeneration:
- description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
- type: boolean
- email:
- description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
- type: string
- enableDurationFeature:
- description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
- type: boolean
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
- type: object
- required:
- - keyID
- - keySecretRef
- properties:
- keyAlgorithm:
- description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
- type: string
- enum:
- - HS256
- - HS384
- - HS512
- keyID:
- description: keyID is the ID of the CA key that the External Account is bound to.
- type: string
- keySecretRef:
- description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- preferredChain:
- description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
- type: string
- maxLength: 64
- privateKeySecretRef:
- description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- server:
- description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
- type: string
- skipTLSVerify:
- description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
- type: boolean
- solvers:
- description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
- type: array
- items:
- description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
- type: object
- properties:
- dns01:
- description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
- type: object
- properties:
- acmeDNS:
- description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
- type: object
- required:
- - accountSecretRef
- - host
- properties:
- accountSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- host:
- type: string
- akamai:
- description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
- type: object
- required:
- - accessTokenSecretRef
- - clientSecretSecretRef
- - clientTokenSecretRef
- - serviceConsumerDomain
- properties:
- accessTokenSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientSecretSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientTokenSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- serviceConsumerDomain:
- type: string
- azureDNS:
- description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
- type: object
- required:
- - resourceGroupName
- - subscriptionID
- properties:
- clientID:
- description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
- type: string
- clientSecretSecretRef:
- description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- environment:
- description: name of the Azure environment (default AzurePublicCloud)
- type: string
- enum:
- - AzurePublicCloud
- - AzureChinaCloud
- - AzureGermanCloud
- - AzureUSGovernmentCloud
- hostedZoneName:
- description: name of the DNS zone that should be used
- type: string
- managedIdentity:
- description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
- type: object
- properties:
- clientID:
- description: client ID of the managed identity, can not be used at the same time as resourceID
- type: string
- resourceID:
- description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
- type: string
- resourceGroupName:
- description: resource group the DNS zone is located in
- type: string
- subscriptionID:
- description: ID of the Azure subscription
- type: string
- tenantID:
- description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
- type: string
- cloudDNS:
- description: Use the Google Cloud DNS API to manage DNS01 challenge records.
- type: object
- required:
- - project
- properties:
- hostedZoneName:
- description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
- type: string
- project:
- type: string
- serviceAccountSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- cloudflare:
- description: Use the Cloudflare API to manage DNS01 challenge records.
- type: object
- properties:
- apiKeySecretRef:
- description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- apiTokenSecretRef:
- description: API token used to authenticate with Cloudflare.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- email:
- description: Email of the account, only required when using API key based authentication.
- type: string
- cnameStrategy:
- description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
- type: string
- enum:
- - None
- - Follow
- digitalocean:
- description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
- type: object
- required:
- - tokenSecretRef
- properties:
- tokenSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- rfc2136:
- description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
- type: object
- required:
- - nameserver
- properties:
- nameserver:
- description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
- type: string
- tsigAlgorithm:
- description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
- type: string
- tsigKeyName:
- description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
- type: string
- tsigSecretSecretRef:
- description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- route53:
- description: Use the AWS Route53 API to manage DNS01 challenge records.
- type: object
- required:
- - region
- properties:
- accessKeyID:
- description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- type: string
- accessKeyIDSecretRef:
- description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- hostedZoneID:
- description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
- type: string
- region:
- description: Always set the region when using AccessKeyID and SecretAccessKey
- type: string
- role:
- description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
- type: string
- secretAccessKeySecretRef:
- description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- webhook:
- description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
- type: object
- required:
- - groupName
- - solverName
- properties:
- config:
- description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
- x-kubernetes-preserve-unknown-fields: true
- groupName:
- description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
- type: string
- solverName:
- description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
- type: string
- http01:
- description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
- type: object
- properties:
- gatewayHTTPRoute:
- description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
- type: object
- properties:
- labels:
- description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
- type: object
- additionalProperties:
- type: string
- parentRefs:
- description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
- type: array
- items:
- description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
- type: object
- required:
- - name
- properties:
- group:
- description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
- type: string
- default: gateway.networking.k8s.io
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- kind:
- description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific."
- type: string
- default: Gateway
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- name:
- description: "Name is the name of the referent. \n Support: Core"
- type: string
- maxLength: 253
- minLength: 1
- namespace:
- description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
- type: string
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- port:
- description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
- type: integer
- format: int32
- maximum: 65535
- minimum: 1
- sectionName:
- description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
- type: string
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- serviceType:
- description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
- type: string
- ingress:
- description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
- type: object
- properties:
- class:
- description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
- type: string
- ingressClassName:
- description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
- type: string
- ingressTemplate:
- description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
- type: object
- properties:
- metadata:
- description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
- type: object
- properties:
- annotations:
- description: Annotations that should be added to the created ACME HTTP01 solver ingress.
- type: object
- additionalProperties:
- type: string
- labels:
- description: Labels that should be added to the created ACME HTTP01 solver ingress.
- type: object
- additionalProperties:
- type: string
- name:
- description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
- type: string
- podTemplate:
- description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
- type: object
- properties:
- metadata:
- description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
- type: object
- properties:
- annotations:
- description: Annotations that should be added to the create ACME HTTP01 solver pods.
- type: object
- additionalProperties:
- type: string
- labels:
- description: Labels that should be added to the created ACME HTTP01 solver pods.
- type: object
- additionalProperties:
- type: string
- spec:
- description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
- type: object
- properties:
- affinity:
- description: If specified, the pod's scheduling constraints
- type: object
- properties:
- nodeAffinity:
- description: Describes node affinity scheduling rules for the pod.
- type: object
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
- type: array
- items:
- description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
- type: object
- required:
- - preference
- - weight
- properties:
- preference:
- description: A node selector term, associated with the corresponding weight.
- type: object
- properties:
- matchExpressions:
- description: A list of node selector requirements by node's labels.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchFields:
- description: A list of node selector requirements by node's fields.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- x-kubernetes-map-type: atomic
- weight:
- description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
- type: integer
- format: int32
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
- type: object
- required:
- - nodeSelectorTerms
- properties:
- nodeSelectorTerms:
- description: Required. A list of node selector terms. The terms are ORed.
- type: array
- items:
- description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
- type: object
- properties:
- matchExpressions:
- description: A list of node selector requirements by node's labels.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchFields:
- description: A list of node selector requirements by node's fields.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- x-kubernetes-map-type: atomic
- x-kubernetes-map-type: atomic
- podAffinity:
- description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
- type: object
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
- type: array
- items:
- description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
- type: object
- required:
- - podAffinityTerm
- - weight
- properties:
- podAffinityTerm:
- description: Required. A pod affinity term, associated with the corresponding weight.
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- weight:
- description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
- type: integer
- format: int32
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
- type: array
- items:
- description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- podAntiAffinity:
- description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
- type: object
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
- type: array
- items:
- description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
- type: object
- required:
- - podAffinityTerm
- - weight
- properties:
- podAffinityTerm:
- description: Required. A pod affinity term, associated with the corresponding weight.
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- weight:
- description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
- type: integer
- format: int32
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
- type: array
- items:
- description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- imagePullSecrets:
- description: If specified, the pod's imagePullSecrets
- type: array
- items:
- description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
- type: object
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
- type: string
- x-kubernetes-map-type: atomic
- nodeSelector:
- description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- type: object
- additionalProperties:
- type: string
- priorityClassName:
- description: If specified, the pod's priorityClassName.
- type: string
- serviceAccountName:
- description: If specified, the pod's service account
- type: string
- tolerations:
- description: If specified, the pod's tolerations.
- type: array
- items:
- description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .
- type: object
- properties:
- effect:
- description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
- type: string
- key:
- description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
- type: string
- operator:
- description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
- type: string
- tolerationSeconds:
- description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
- type: integer
- format: int64
- value:
- description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
- type: string
- serviceType:
- description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
- type: string
- selector:
- description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
- type: object
- properties:
- dnsNames:
- description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
- type: array
- items:
- type: string
- dnsZones:
- description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
- type: array
- items:
- type: string
- matchLabels:
- description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
- type: object
- additionalProperties:
- type: string
- ca:
- description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
- type: object
- required:
- - secretName
- properties:
- crlDistributionPoints:
- description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
- type: array
- items:
- type: string
- issuingCertificateURLs:
- description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
- type: array
- items:
- type: string
- ocspServers:
- description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
- type: array
- items:
- type: string
- secretName:
- description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
- type: string
- selfSigned:
- description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
- type: object
- properties:
- crlDistributionPoints:
- description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
- type: array
- items:
- type: string
- vault:
- description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
- type: object
- required:
- - auth
- - path
- - server
- properties:
- auth:
- description: Auth configures how cert-manager authenticates with the Vault server.
- type: object
- properties:
- appRole:
- description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
- type: object
- required:
- - path
- - roleId
- - secretRef
- properties:
- path:
- description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
- type: string
- roleId:
- description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
- type: string
- secretRef:
- description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- kubernetes:
- description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
- type: object
- required:
- - role
- properties:
- mountPath:
- description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
- type: string
- role:
- description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- serviceAccountRef:
- description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.
- type: object
- required:
- - name
- properties:
- name:
- description: Name of the ServiceAccount used to request a token.
- type: string
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by presenting a token.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- caBundle:
- description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
- type: string
- format: byte
- caBundleSecretRef:
- description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- namespace:
- description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
- type: string
- path:
- description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
- type: string
- server:
- description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- venafi:
- description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
- type: object
- required:
- - zone
- properties:
- cloud:
- description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
- type: object
- required:
- - apiTokenSecretRef
- properties:
- apiTokenSecretRef:
- description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- url:
- description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
- type: string
- tpp:
- description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
- type: object
- required:
- - credentialsRef
- - url
- properties:
- caBundle:
- description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
- type: string
- format: byte
- credentialsRef:
- description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
- type: object
- required:
- - name
- properties:
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- url:
- description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
- type: string
- zone:
- description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
- type: string
- status:
- description: Status of the ClusterIssuer. This is set and managed automatically.
- type: object
- properties:
- acme:
- description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
- type: object
- properties:
- lastPrivateKeyHash:
- description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
- type: string
- lastRegisteredEmail:
- description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
- type: string
- uri:
- description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
- type: string
- conditions:
- description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
- type: array
- items:
- description: IssuerCondition contains condition information for an Issuer.
- type: object
- required:
- - status
- - type
- properties:
- lastTransitionTime:
- description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
- type: string
- format: date-time
- message:
- description: Message is a human readable description of the details of the last transition, complementing reason.
- type: string
- observedGeneration:
- description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
- type: integer
- format: int64
- reason:
- description: Reason is a brief machine readable explanation for the condition's last transition.
- type: string
- status:
- description: Status of the condition, one of (`True`, `False`, `Unknown`).
- type: string
- enum:
- - "True"
- - "False"
- - Unknown
- type:
- description: Type of the condition, known values are (`Ready`).
- type: string
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- served: true
- storage: true
----
-# Source: cert-manager/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: issuers.cert-manager.io
- labels:
- app: 'cert-manager'
- app.kubernetes.io/name: 'cert-manager'
- app.kubernetes.io/instance: "cert-manager"
- # Generated labels
- app.kubernetes.io/version: "v1.14.0"
-spec:
- group: cert-manager.io
- names:
- kind: Issuer
- listKind: IssuerList
- plural: issuers
- singular: issuer
- categories:
- - cert-manager
- scope: Namespaced
- versions:
- - name: v1
- subresources:
- status: {}
- additionalPrinterColumns:
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].message
- name: Status
- priority: 1
- type: string
- - jsonPath: .metadata.creationTimestamp
- description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
- name: Age
- type: date
- schema:
- openAPIV3Schema:
- description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
- type: object
- required:
- - spec
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Desired state of the Issuer resource.
- type: object
- properties:
- acme:
- description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
- type: object
- required:
- - privateKeySecretRef
- - server
- properties:
- caBundle:
- description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
- type: string
- format: byte
- disableAccountKeyGeneration:
- description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
- type: boolean
- email:
- description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
- type: string
- enableDurationFeature:
- description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
- type: boolean
- externalAccountBinding:
- description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
- type: object
- required:
- - keyID
- - keySecretRef
- properties:
- keyAlgorithm:
- description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
- type: string
- enum:
- - HS256
- - HS384
- - HS512
- keyID:
- description: keyID is the ID of the CA key that the External Account is bound to.
- type: string
- keySecretRef:
- description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- preferredChain:
- description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
- type: string
- maxLength: 64
- privateKeySecretRef:
- description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- server:
- description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
- type: string
- skipTLSVerify:
- description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
- type: boolean
- solvers:
- description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
- type: array
- items:
- description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
- type: object
- properties:
- dns01:
- description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
- type: object
- properties:
- acmeDNS:
- description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
- type: object
- required:
- - accountSecretRef
- - host
- properties:
- accountSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- host:
- type: string
- akamai:
- description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
- type: object
- required:
- - accessTokenSecretRef
- - clientSecretSecretRef
- - clientTokenSecretRef
- - serviceConsumerDomain
- properties:
- accessTokenSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientSecretSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- clientTokenSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- serviceConsumerDomain:
- type: string
- azureDNS:
- description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
- type: object
- required:
- - resourceGroupName
- - subscriptionID
- properties:
- clientID:
- description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
- type: string
- clientSecretSecretRef:
- description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- environment:
- description: name of the Azure environment (default AzurePublicCloud)
- type: string
- enum:
- - AzurePublicCloud
- - AzureChinaCloud
- - AzureGermanCloud
- - AzureUSGovernmentCloud
- hostedZoneName:
- description: name of the DNS zone that should be used
- type: string
- managedIdentity:
- description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
- type: object
- properties:
- clientID:
- description: client ID of the managed identity, can not be used at the same time as resourceID
- type: string
- resourceID:
- description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
- type: string
- resourceGroupName:
- description: resource group the DNS zone is located in
- type: string
- subscriptionID:
- description: ID of the Azure subscription
- type: string
- tenantID:
- description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
- type: string
- cloudDNS:
- description: Use the Google Cloud DNS API to manage DNS01 challenge records.
- type: object
- required:
- - project
- properties:
- hostedZoneName:
- description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
- type: string
- project:
- type: string
- serviceAccountSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- cloudflare:
- description: Use the Cloudflare API to manage DNS01 challenge records.
- type: object
- properties:
- apiKeySecretRef:
- description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- apiTokenSecretRef:
- description: API token used to authenticate with Cloudflare.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- email:
- description: Email of the account, only required when using API key based authentication.
- type: string
- cnameStrategy:
- description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
- type: string
- enum:
- - None
- - Follow
- digitalocean:
- description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
- type: object
- required:
- - tokenSecretRef
- properties:
- tokenSecretRef:
- description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- rfc2136:
- description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
- type: object
- required:
- - nameserver
- properties:
- nameserver:
- description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
- type: string
- tsigAlgorithm:
- description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
- type: string
- tsigKeyName:
- description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
- type: string
- tsigSecretSecretRef:
- description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- route53:
- description: Use the AWS Route53 API to manage DNS01 challenge records.
- type: object
- required:
- - region
- properties:
- accessKeyID:
- description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- type: string
- accessKeyIDSecretRef:
- description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- hostedZoneID:
- description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
- type: string
- region:
- description: Always set the region when using AccessKeyID and SecretAccessKey
- type: string
- role:
- description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
- type: string
- secretAccessKeySecretRef:
- description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- webhook:
- description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
- type: object
- required:
- - groupName
- - solverName
- properties:
- config:
- description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
- x-kubernetes-preserve-unknown-fields: true
- groupName:
- description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
- type: string
- solverName:
- description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
- type: string
- http01:
- description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
- type: object
- properties:
- gatewayHTTPRoute:
- description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
- type: object
- properties:
- labels:
- description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
- type: object
- additionalProperties:
- type: string
- parentRefs:
- description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
- type: array
- items:
- description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
- type: object
- required:
- - name
- properties:
- group:
- description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
- type: string
- default: gateway.networking.k8s.io
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- kind:
- description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific."
- type: string
- default: Gateway
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- name:
- description: "Name is the name of the referent. \n Support: Core"
- type: string
- maxLength: 253
- minLength: 1
- namespace:
- description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
- type: string
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- port:
- description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
- type: integer
- format: int32
- maximum: 65535
- minimum: 1
- sectionName:
- description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
- type: string
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- serviceType:
- description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
- type: string
- ingress:
- description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
- type: object
- properties:
- class:
- description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
- type: string
- ingressClassName:
- description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
- type: string
- ingressTemplate:
- description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
- type: object
- properties:
- metadata:
- description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
- type: object
- properties:
- annotations:
- description: Annotations that should be added to the created ACME HTTP01 solver ingress.
- type: object
- additionalProperties:
- type: string
- labels:
- description: Labels that should be added to the created ACME HTTP01 solver ingress.
- type: object
- additionalProperties:
- type: string
- name:
- description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
- type: string
- podTemplate:
- description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
- type: object
- properties:
- metadata:
- description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
- type: object
- properties:
- annotations:
- description: Annotations that should be added to the create ACME HTTP01 solver pods.
- type: object
- additionalProperties:
- type: string
- labels:
- description: Labels that should be added to the created ACME HTTP01 solver pods.
- type: object
- additionalProperties:
- type: string
- spec:
- description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
- type: object
- properties:
- affinity:
- description: If specified, the pod's scheduling constraints
- type: object
- properties:
- nodeAffinity:
- description: Describes node affinity scheduling rules for the pod.
- type: object
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
- type: array
- items:
- description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
- type: object
- required:
- - preference
- - weight
- properties:
- preference:
- description: A node selector term, associated with the corresponding weight.
- type: object
- properties:
- matchExpressions:
- description: A list of node selector requirements by node's labels.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchFields:
- description: A list of node selector requirements by node's fields.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- x-kubernetes-map-type: atomic
- weight:
- description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
- type: integer
- format: int32
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
- type: object
- required:
- - nodeSelectorTerms
- properties:
- nodeSelectorTerms:
- description: Required. A list of node selector terms. The terms are ORed.
- type: array
- items:
- description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
- type: object
- properties:
- matchExpressions:
- description: A list of node selector requirements by node's labels.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchFields:
- description: A list of node selector requirements by node's fields.
- type: array
- items:
- description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: The label key that the selector applies to.
- type: string
- operator:
- description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
- type: string
- values:
- description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- x-kubernetes-map-type: atomic
- x-kubernetes-map-type: atomic
- podAffinity:
- description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
- type: object
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
- type: array
- items:
- description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
- type: object
- required:
- - podAffinityTerm
- - weight
- properties:
- podAffinityTerm:
- description: Required. A pod affinity term, associated with the corresponding weight.
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- weight:
- description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
- type: integer
- format: int32
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
- type: array
- items:
- description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- podAntiAffinity:
- description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
- type: object
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
- type: array
- items:
- description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
- type: object
- required:
- - podAffinityTerm
- - weight
- properties:
- podAffinityTerm:
- description: Required. A pod affinity term, associated with the corresponding weight.
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- weight:
- description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
- type: integer
- format: int32
- requiredDuringSchedulingIgnoredDuringExecution:
- description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
- type: array
- items:
- description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
- type: object
- required:
- - topologyKey
- properties:
- labelSelector:
- description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
- type: array
- items:
- type: string
- x-kubernetes-list-type: atomic
- namespaceSelector:
- description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
- type: object
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- type: array
- items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
- type: object
- required:
- - key
- - operator
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
- type: array
- items:
- type: string
- matchLabels:
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- additionalProperties:
- type: string
- x-kubernetes-map-type: atomic
- namespaces:
- description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
- type: array
- items:
- type: string
- topologyKey:
- description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
- type: string
- imagePullSecrets:
- description: If specified, the pod's imagePullSecrets
- type: array
- items:
- description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
- type: object
- properties:
- name:
- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
- type: string
- x-kubernetes-map-type: atomic
- nodeSelector:
- description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
- type: object
- additionalProperties:
- type: string
- priorityClassName:
- description: If specified, the pod's priorityClassName.
- type: string
- serviceAccountName:
- description: If specified, the pod's service account
- type: string
- tolerations:
- description: If specified, the pod's tolerations.
- type: array
- items:
- description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .
- type: object
- properties:
- effect:
- description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
- type: string
- key:
- description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
- type: string
- operator:
- description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
- type: string
- tolerationSeconds:
- description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
- type: integer
- format: int64
- value:
- description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
- type: string
- serviceType:
- description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
- type: string
- selector:
- description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
- type: object
- properties:
- dnsNames:
- description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
- type: array
- items:
- type: string
- dnsZones:
- description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
- type: array
- items:
- type: string
- matchLabels:
- description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
- type: object
- additionalProperties:
- type: string
- ca:
- description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
- type: object
- required:
- - secretName
- properties:
- crlDistributionPoints:
- description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
- type: array
- items:
- type: string
- issuingCertificateURLs:
- description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
- type: array
- items:
- type: string
- ocspServers:
- description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
- type: array
- items:
- type: string
- secretName:
- description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
- type: string
- selfSigned:
- description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
- type: object
- properties:
- crlDistributionPoints:
- description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
- type: array
- items:
- type: string
- vault:
- description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
- type: object
- required:
- - auth
- - path
- - server
- properties:
- auth:
- description: Auth configures how cert-manager authenticates with the Vault server.
- type: object
- properties:
- appRole:
- description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
- type: object
- required:
- - path
- - roleId
- - secretRef
- properties:
- path:
- description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
- type: string
- roleId:
- description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
- type: string
- secretRef:
- description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- kubernetes:
- description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
- type: object
- required:
- - role
- properties:
- mountPath:
- description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
- type: string
- role:
- description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- serviceAccountRef:
- description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.
- type: object
- required:
- - name
- properties:
- name:
- description: Name of the ServiceAccount used to request a token.
- type: string
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by presenting a token.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- caBundle:
- description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
- type: string
- format: byte
- caBundleSecretRef:
- description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- namespace:
- description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
- type: string
- path:
- description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
- type: string
- server:
- description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- venafi:
- description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
- type: object
- required:
- - zone
- properties:
- cloud:
- description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
- type: object
- required:
- - apiTokenSecretRef
- properties:
- apiTokenSecretRef:
- description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
- type: object
- required:
- - name
- properties:
- key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
- type: string
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- url:
- description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
- type: string
- tpp:
- description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
- type: object
- required:
- - credentialsRef
- - url
- properties:
- caBundle:
- description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
- type: string
- format: byte
- credentialsRef:
- description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
- type: object
- required:
- - name
- properties:
- name:
- description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
- type: string
- url:
- description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
- type: string
- zone:
- description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
- type: string
- status:
- description: Status of the Issuer. This is set and managed automatically.
- type: object
- properties:
- acme:
- description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
- type: object
- properties:
- lastPrivateKeyHash:
- description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
- type: string
- lastRegisteredEmail:
- description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
- type: string
- uri:
- description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
- type: string
- conditions:
- description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
- type: array
- items:
- description: IssuerCondition contains condition information for an Issuer.
- type: object
- required:
- - status
- - type
- properties:
- lastTransitionTime:
- description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
- type: string
- format: date-time
- message:
- description: Message is a human readable description of the details of the last transition, complementing reason.
- type: string
- observedGeneration:
- description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
- type: integer
- format: int64
- reason:
- description: Reason is a brief machine readable explanation for the condition's last transition.
- type: string
- status:
- description: Status of the condition, one of (`True`, `False`, `Unknown`).
- type: string
- enum:
- - "True"
- - "False"
- - Unknown
- type:
- description: Type of the condition, known values are (`Ready`).
- type: string
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- served: true
- storage: true
----
-# Source: cert-manager/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: orders.acme.cert-manager.io
- labels:
- app: 'cert-manager'
- app.kubernetes.io/name: 'cert-manager'
- app.kubernetes.io/instance: 'cert-manager'
- # Generated labels
- app.kubernetes.io/version: "v1.14.0"
-spec:
- group: acme.cert-manager.io
- names:
- kind: Order
- listKind: OrderList
- plural: orders
- singular: order
- categories:
- - cert-manager
- - cert-manager-acme
- scope: Namespaced
- versions:
- - name: v1
- subresources:
- status: {}
- additionalPrinterColumns:
- - jsonPath: .status.state
- name: State
- type: string
- - jsonPath: .spec.issuerRef.name
- name: Issuer
- priority: 1
- type: string
- - jsonPath: .status.reason
- name: Reason
- priority: 1
- type: string
- - jsonPath: .metadata.creationTimestamp
- description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
- name: Age
- type: date
- schema:
- openAPIV3Schema:
- description: Order is a type to represent an Order with an ACME server
- type: object
- required:
- - metadata
- - spec
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- type: object
- required:
- - issuerRef
- - request
- properties:
- commonName:
- description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
- type: string
- dnsNames:
- description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
- type: array
- items:
- type: string
- duration:
- description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
- type: string
- ipAddresses:
- description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
- type: array
- items:
- type: string
- issuerRef:
- description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
- type: object
- required:
- - name
- properties:
- group:
- description: Group of the resource being referred to.
- type: string
- kind:
- description: Kind of the resource being referred to.
- type: string
- name:
- description: Name of the resource being referred to.
- type: string
- request:
- description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
- type: string
- format: byte
- status:
- type: object
- properties:
- authorizations:
- description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
- type: array
- items:
- description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
- type: object
- required:
- - url
- properties:
- challenges:
- description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
- type: array
- items:
- description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
- type: object
- required:
- - token
- - type
- - url
- properties:
- token:
- description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
- type: string
- type:
- description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
- type: string
- url:
- description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
- type: string
- identifier:
- description: Identifier is the DNS name to be validated as part of this authorization
- type: string
- initialState:
- description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- url:
- description: URL is the URL of the Authorization that must be completed
- type: string
- wildcard:
- description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
- type: boolean
- certificate:
- description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
- type: string
- format: byte
- failureTime:
- description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
- type: string
- format: date-time
- finalizeURL:
- description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
- type: string
- reason:
- description: Reason optionally provides more information about a why the order is in the current state.
- type: string
- state:
- description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
- type: string
- enum:
- - valid
- - ready
- - pending
- - processing
- - invalid
- - expired
- - errored
- url:
- description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
- type: string
- served: true
- storage: true
----
-# Source: cert-manager/templates/cainjector-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
- name: cert-manager-cainjector
- namespace: cert-manager
- labels:
- app: cainjector
- app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.14.0"
----
-# Source: cert-manager/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
- name: cert-manager
- namespace: cert-manager
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
----
-# Source: cert-manager/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
- name: cert-manager-webhook
- namespace: cert-manager
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-cainjector
- labels:
- app: cainjector
- app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["get", "create", "update", "patch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["apiregistration.k8s.io"]
- resources: ["apiservices"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch", "update", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Issuer controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-controller-issuers
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- - apiGroups: ["cert-manager.io"]
- resources: ["issuers", "issuers/status"]
- verbs: ["update", "patch"]
- - apiGroups: ["cert-manager.io"]
- resources: ["issuers"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# ClusterIssuer controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-controller-clusterissuers
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- - apiGroups: ["cert-manager.io"]
- resources: ["clusterissuers", "clusterissuers/status"]
- verbs: ["update", "patch"]
- - apiGroups: ["cert-manager.io"]
- resources: ["clusterissuers"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Certificates controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-controller-certificates
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
- verbs: ["update", "patch"]
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
- verbs: ["get", "list", "watch"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- # admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates/finalizers", "certificaterequests/finalizers"]
- verbs: ["update"]
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["orders"]
- verbs: ["create", "delete", "get", "list", "watch"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Orders controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-controller-orders
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["orders", "orders/status"]
- verbs: ["update", "patch"]
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["orders", "challenges"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["cert-manager.io"]
- resources: ["clusterissuers", "issuers"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["challenges"]
- verbs: ["create", "delete"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- # admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["orders/finalizers"]
- verbs: ["update"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Challenges controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-controller-challenges
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- # Use to update challenge resource status
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["challenges", "challenges/status"]
- verbs: ["update", "patch"]
- # Used to watch challenge resources
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["challenges"]
- verbs: ["get", "list", "watch"]
- # Used to watch challenges, issuer and clusterissuer resources
- - apiGroups: ["cert-manager.io"]
- resources: ["issuers", "clusterissuers"]
- verbs: ["get", "list", "watch"]
- # Need to be able to retrieve ACME account private key to complete challenges
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list", "watch"]
- # Used to create events
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
- # HTTP01 rules
- - apiGroups: [""]
- resources: ["pods", "services"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- - apiGroups: [ "gateway.networking.k8s.io" ]
- resources: [ "httproutes" ]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- # We require the ability to specify a custom hostname when we are creating
- # new ingress resources.
- # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
- - apiGroups: ["route.openshift.io"]
- resources: ["routes/custom-host"]
- verbs: ["create"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- # admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["challenges/finalizers"]
- verbs: ["update"]
- # DNS01 rules (duplicated above)
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# ingress-shim controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-controller-ingress-shim
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests"]
- verbs: ["create", "update", "delete"]
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses"]
- verbs: ["get", "list", "watch"]
- # We require these rules to support users with the OwnerReferencesPermissionEnforcement
- # admission controller enabled:
- # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- - apiGroups: ["networking.k8s.io"]
- resources: ["ingresses/finalizers"]
- verbs: ["update"]
- - apiGroups: ["gateway.networking.k8s.io"]
- resources: ["gateways", "httproutes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["gateway.networking.k8s.io"]
- resources: ["gateways/finalizers", "httproutes/finalizers"]
- verbs: ["update"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-cluster-view
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
- rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
-rules:
- - apiGroups: ["cert-manager.io"]
- resources: ["clusterissuers"]
- verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-view
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
-rules:
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests", "issuers"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["challenges", "orders"]
- verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-edit
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificaterequests", "issuers"]
- verbs: ["create", "delete", "deletecollection", "patch", "update"]
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates/status"]
- verbs: ["update"]
- - apiGroups: ["acme.cert-manager.io"]
- resources: ["challenges", "orders"]
- verbs: ["create", "delete", "deletecollection", "patch", "update"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-controller-approve:cert-manager-io
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cert-manager"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- - apiGroups: ["cert-manager.io"]
- resources: ["signers"]
- verbs: ["approve"]
- resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Permission to:
-# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
-# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-controller-certificatesigningrequests
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cert-manager"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- - apiGroups: ["certificates.k8s.io"]
- resources: ["certificatesigningrequests"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["certificates.k8s.io"]
- resources: ["certificatesigningrequests/status"]
- verbs: ["update", "patch"]
- - apiGroups: ["certificates.k8s.io"]
- resources: ["signers"]
- resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
- verbs: ["sign"]
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cert-manager-webhook:subjectaccessreviews
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
-rules:
-- apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-cainjector
- labels:
- app: cainjector
- app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-cainjector
-subjects:
- - name: cert-manager-cainjector
- namespace: cert-manager
- kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-controller-issuers
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-controller-issuers
-subjects:
- - name: cert-manager
- namespace: cert-manager
- kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-controller-clusterissuers
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-controller-clusterissuers
-subjects:
- - name: cert-manager
- namespace: cert-manager
- kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-controller-certificates
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-controller-certificates
-subjects:
- - name: cert-manager
- namespace: cert-manager
- kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-controller-orders
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-controller-orders
-subjects:
- - name: cert-manager
- namespace: cert-manager
- kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-controller-challenges
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-controller-challenges
-subjects:
- - name: cert-manager
- namespace: cert-manager
- kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-controller-ingress-shim
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-controller-ingress-shim
-subjects:
- - name: cert-manager
- namespace: cert-manager
- kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-controller-approve:cert-manager-io
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cert-manager"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-controller-approve:cert-manager-io
-subjects:
- - name: cert-manager
- namespace: cert-manager
- kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-controller-certificatesigningrequests
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cert-manager"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-controller-certificatesigningrequests
-subjects:
- - name: cert-manager
- namespace: cert-manager
- kind: ServiceAccount
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cert-manager-webhook:subjectaccessreviews
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-webhook:subjectaccessreviews
-subjects:
-- apiGroup: ""
- kind: ServiceAccount
- name: cert-manager-webhook
- namespace: cert-manager
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-# leader election rules
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: cert-manager-cainjector:leaderelection
- namespace: kube-system
- labels:
- app: cainjector
- app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- # Used for leader election by the controller
- # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
- # see cmd/cainjector/start.go#L113
- # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
- # see cmd/cainjector/start.go#L137
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
- verbs: ["get", "update", "patch"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["create"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: cert-manager:leaderelection
- namespace: kube-system
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-rules:
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- resourceNames: ["cert-manager-controller"]
- verbs: ["get", "update", "patch"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["create"]
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: cert-manager-webhook:dynamic-serving
- namespace: cert-manager
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- resourceNames:
- - 'cert-manager-webhook-ca'
- verbs: ["get", "list", "watch", "update"]
-# It's not possible to grant CREATE permission on a single resourceName.
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["create"]
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-# grant cert-manager permission to manage the leaderelection configmap in the
-# leader election namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: cert-manager-cainjector:leaderelection
- namespace: kube-system
- labels:
- app: cainjector
- app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: cert-manager-cainjector:leaderelection
-subjects:
- - kind: ServiceAccount
- name: cert-manager-cainjector
- namespace: cert-manager
----
-# Source: cert-manager/templates/rbac.yaml
-# grant cert-manager permission to manage the leaderelection configmap in the
-# leader election namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: cert-manager:leaderelection
- namespace: kube-system
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: cert-manager:leaderelection
-subjects:
- - apiGroup: ""
- kind: ServiceAccount
- name: cert-manager
- namespace: cert-manager
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: cert-manager-webhook:dynamic-serving
- namespace: cert-manager
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: cert-manager-webhook:dynamic-serving
-subjects:
-- apiGroup: ""
- kind: ServiceAccount
- name: cert-manager-webhook
- namespace: cert-manager
----
-# Source: cert-manager/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: cert-manager
- namespace: cert-manager
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-spec:
- type: ClusterIP
- ports:
- - protocol: TCP
- port: 9402
- name: tcp-prometheus-servicemonitor
- targetPort: 9402
- selector:
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
----
-# Source: cert-manager/templates/webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: cert-manager-webhook
- namespace: cert-manager
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
-spec:
- type: ClusterIP
- ports:
- - name: https
- port: 443
- protocol: TCP
- targetPort: "https"
- selector:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
----
-# Source: cert-manager/templates/cainjector-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cert-manager-cainjector
- namespace: cert-manager
- labels:
- app: cainjector
- app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.14.0"
-spec:
- replicas: 1
- revisionHistoryLimit:
- selector:
- matchLabels:
- app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cainjector"
- template:
- metadata:
- labels:
- app: cainjector
- app.kubernetes.io/name: cainjector
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "cainjector"
- app.kubernetes.io/version: "v1.14.0"
- spec:
- serviceAccountName: cert-manager-cainjector
- enableServiceLinks: false
- securityContext:
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- containers:
- - name: cert-manager-cainjector
- image: "quay.io/jetstack/cert-manager-cainjector:v1.14.0"
- imagePullPolicy: IfNotPresent
- args:
- - --v=2
- - --leader-election-namespace=kube-system
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- nodeSelector:
- kubernetes.io/os: linux
----
-# Source: cert-manager/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cert-manager
- namespace: cert-manager
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
-spec:
- replicas: 1
- revisionHistoryLimit:
- selector:
- matchLabels:
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- template:
- metadata:
- labels:
- app: cert-manager
- app.kubernetes.io/name: cert-manager
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "controller"
- app.kubernetes.io/version: "v1.14.0"
- annotations:
- prometheus.io/path: "/metrics"
- prometheus.io/scrape: 'true'
- prometheus.io/port: '9402'
- spec:
- serviceAccountName: cert-manager
- enableServiceLinks: false
- securityContext:
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- containers:
- - name: cert-manager-controller
- image: "quay.io/jetstack/cert-manager-controller:v1.14.0"
- imagePullPolicy: IfNotPresent
- args:
- - --v=2
- - --cluster-resource-namespace=$(POD_NAMESPACE)
- - --leader-election-namespace=kube-system
- - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.0
- - --max-concurrent-challenges=60
- ports:
- - containerPort: 9402
- name: http-metrics
- protocol: TCP
- - containerPort: 9403
- name: http-healthz
- protocol: TCP
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- # LivenessProbe settings are based on those used for the Kubernetes
- # controller-manager. See:
- # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
- livenessProbe:
- httpGet:
- port: http-healthz
- path: /livez
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 15
- successThreshold: 1
- failureThreshold: 8
- nodeSelector:
- kubernetes.io/os: linux
----
-# Source: cert-manager/templates/webhook-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cert-manager-webhook
- namespace: cert-manager
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
-spec:
- replicas: 1
- revisionHistoryLimit:
- selector:
- matchLabels:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- template:
- metadata:
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
- spec:
- serviceAccountName: cert-manager-webhook
- enableServiceLinks: false
- securityContext:
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- containers:
- - name: cert-manager-webhook
- image: "quay.io/jetstack/cert-manager-webhook:v1.14.0"
- imagePullPolicy: IfNotPresent
- args:
- - --v=2
- - --secure-port=10250
- - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- - --dynamic-serving-dns-names=cert-manager-webhook
- - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
- - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
-
- ports:
- - name: https
- protocol: TCP
- containerPort: 10250
- - name: healthcheck
- protocol: TCP
- containerPort: 6080
- livenessProbe:
- httpGet:
- path: /livez
- port: 6080
- scheme: HTTP
- initialDelaySeconds: 60
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- readinessProbe:
- httpGet:
- path: /healthz
- port: 6080
- scheme: HTTP
- initialDelaySeconds: 5
- periodSeconds: 5
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- nodeSelector:
- kubernetes.io/os: linux
----
-# Source: cert-manager/templates/webhook-mutating-webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: cert-manager-webhook
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
- annotations:
- cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
-webhooks:
- - name: webhook.cert-manager.io
- rules:
- - apiGroups:
- - "cert-manager.io"
- apiVersions:
- - "v1"
- operations:
- - CREATE
- resources:
- - "certificaterequests"
- admissionReviewVersions: ["v1"]
- # This webhook only accepts v1 cert-manager resources.
- # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
- # this webhook (after the resources have been converted to v1).
- matchPolicy: Equivalent
- timeoutSeconds: 30
- failurePolicy: Fail
- # Only include 'sideEffects' field in Kubernetes 1.12+
- sideEffects: None
- clientConfig:
- service:
- name: cert-manager-webhook
- namespace: cert-manager
- path: /mutate
----
-# Source: cert-manager/templates/webhook-validating-webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: cert-manager-webhook
- labels:
- app: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: "webhook"
- app.kubernetes.io/version: "v1.14.0"
- annotations:
- cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
-webhooks:
- - name: webhook.cert-manager.io
- namespaceSelector:
- matchExpressions:
- - key: cert-manager.io/disable-validation
- operator: NotIn
- values:
- - "true"
- rules:
- - apiGroups:
- - "cert-manager.io"
- - "acme.cert-manager.io"
- apiVersions:
- - "v1"
- operations:
- - CREATE
- - UPDATE
- resources:
- - "*/*"
- admissionReviewVersions: ["v1"]
- # This webhook only accepts v1 cert-manager resources.
- # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
- # this webhook (after the resources have been converted to v1).
- matchPolicy: Equivalent
- timeoutSeconds: 30
- failurePolicy: Fail
- sideEffects: None
- clientConfig:
- service:
- name: cert-manager-webhook
- namespace: cert-manager
- path: /validate
diff --git a/examples/common/cert-manager.yaml b/examples/common/cert-manager.yaml
new file mode 120000
index 00000000000..0422723adaf
--- /dev/null
+++ b/examples/common/cert-manager.yaml
@@ -0,0 +1 @@
+../third-party/cert-manager.yaml
\ No newline at end of file
diff --git a/examples/eks/clusterconfig.eksctl.yaml b/examples/eks/clusterconfig.eksctl.yaml
new file mode 100644
index 00000000000..684a3794f81
--- /dev/null
+++ b/examples/eks/clusterconfig.eksctl.yaml
@@ -0,0 +1,30 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+metadata:
+ name: my-cluster
+ region: eu-central-1
+availabilityZones:
+- eu-central-1a
+- eu-central-1b
+- eu-central-1c
+nodeGroups:
+- name: scylla-pool
+ instanceType: i4i.2xlarge
+ desiredCapacity: 3
+ labels:
+ scylla.scylladb.com/node-type: scylla
+ taints:
+ scylla-operator.scylladb.com/dedicated: "scyllaclusters:NoSchedule"
+ kubeletExtraConfig:
+ cpuManagerPolicy: static
+ availabilityZones:
+ - eu-central-1a
+ - eu-central-1b
+ - eu-central-1c
+- name: infra-pool
+ instanceType: i3.large
+ desiredCapacity: 1
+ labels:
+ scylla.scylladb.com/node-type: infra
+ ssh:
+ allow: true
diff --git a/examples/eks/eks-cluster.yaml b/examples/eks/eks-cluster.yaml
deleted file mode 100644
index 8d82053317c..00000000000
--- a/examples/eks/eks-cluster.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: eksctl.io/v1alpha5
-kind: ClusterConfig
-
-metadata:
- name:
- region:
-
-availabilityZones:
--
-
-nodeGroups:
-- name: scylla-pool
- instanceType: i4i.2xlarge
- desiredCapacity: 3
- labels:
- scylla.scylladb.com/node-type: scylla
- taints:
- role: "scylla-clusters:NoSchedule"
- ssh:
- allow: true
- kubeletExtraConfig:
- cpuManagerPolicy: static
- availabilityZones:
- -
-
-- name: cassandra-stress-pool
- instanceType: c4.2xlarge
- desiredCapacity: 4
- labels:
- pool: "cassandra-stress-pool"
- taints:
- role: "cassandra-stress:NoSchedule"
- ssh:
- allow: true
-
-- name: monitoring-pool
- instanceType: i3.large
- desiredCapacity: 1
- labels:
- pool: "monitoring-pool"
- ssh:
- allow: true
diff --git a/examples/eks/nodeconfig-alpha.yaml b/examples/eks/nodeconfig-alpha.yaml
index 8f5cfa95fe1..bc4e6a65ff9 100644
--- a/examples/eks/nodeconfig-alpha.yaml
+++ b/examples/eks/nodeconfig-alpha.yaml
@@ -1,9 +1,16 @@
apiVersion: scylla.scylladb.com/v1alpha1
kind: NodeConfig
metadata:
- name: cluster
+ name: scylladb-nodepool-1
spec:
localDiskSetup:
+ raids:
+ - name: nvmes
+ type: RAID0
+ RAID0:
+ devices:
+ modelRegex: Amazon EC2 NVMe Instance Storage
+ nameRegex: ^/dev/nvme\d+n\d+$
filesystems:
- device: /dev/md/nvmes
type: xfs
@@ -12,18 +19,11 @@ spec:
mountPoint: /mnt/persistent-volumes
unsupportedOptions:
- prjquota
- raids:
- - name: nvmes
- type: RAID0
- RAID0:
- devices:
- modelRegex: Amazon EC2 NVMe Instance Storage
- nameRegex: ^/dev/nvme\d+n\d+$
placement:
nodeSelector:
scylla.scylladb.com/node-type: scylla
tolerations:
- effect: NoSchedule
- key: role
+ key: scylla-operator.scylladb.com/dedicated
operator: Equal
- value: scylla-clusters
+ value: scyllaclusters
diff --git a/examples/eks/cluster.yaml b/examples/eks/scyllacluster.yaml
similarity index 94%
rename from examples/eks/cluster.yaml
rename to examples/eks/scyllacluster.yaml
index a8d4929f80c..2e848bd6831 100644
--- a/examples/eks/cluster.yaml
+++ b/examples/eks/scyllacluster.yaml
@@ -1,15 +1,7 @@
-# Namespace where the Scylla Cluster will be created
-apiVersion: v1
-kind: Namespace
-metadata:
- name: scylla
----
-# Scylla Cluster
apiVersion: scylla.scylladb.com/v1
kind: ScyllaCluster
metadata:
- name: scylla-cluster
- namespace: scylla
+ name: basic
spec:
agentVersion: 3.4.0@sha256:441403aed8880cad1feef68aa7a8ee9ffd99a458dc1dcff3dc54ce5bf3cb07b7
version: 6.2.0
diff --git a/examples/generic/cluster.yaml b/examples/generic/scyllacluster.yaml
similarity index 79%
rename from examples/generic/cluster.yaml
rename to examples/generic/scyllacluster.yaml
index c425cb82fc3..3c1d7a7f70a 100644
--- a/examples/generic/cluster.yaml
+++ b/examples/generic/scyllacluster.yaml
@@ -1,17 +1,7 @@
-# Namespace where the Scylla Cluster will be created
-apiVersion: v1
-kind: Namespace
-metadata:
- name: scylla
----
-# Simple Scylla Cluster
apiVersion: scylla.scylladb.com/v1
kind: ScyllaCluster
metadata:
- labels:
- controller-tools.k8s.io: "1.0"
name: simple-cluster
- namespace: scylla
spec:
agentVersion: 3.4.0@sha256:441403aed8880cad1feef68aa7a8ee9ffd99a458dc1dcff3dc54ce5bf3cb07b7
version: 6.2.0
diff --git a/examples/gke/nodeconfig-alpha.yaml b/examples/gke/nodeconfig-alpha.yaml
index c14d2d3ac19..952d91568b8 100644
--- a/examples/gke/nodeconfig-alpha.yaml
+++ b/examples/gke/nodeconfig-alpha.yaml
@@ -1,9 +1,15 @@
apiVersion: scylla.scylladb.com/v1alpha1
kind: NodeConfig
metadata:
- name: cluster
+ name: scylladb-nodepool-1
spec:
localDiskSetup:
+ raids:
+ - name: nvmes
+ type: RAID0
+ RAID0:
+ devices:
+ nameRegex: ^/dev/nvme\d+n\d+$
filesystems:
- device: /dev/md/nvmes
type: xfs
@@ -12,17 +18,11 @@ spec:
mountPoint: /mnt/persistent-volumes
unsupportedOptions:
- prjquota
- raids:
- - name: nvmes
- type: RAID0
- RAID0:
- devices:
- nameRegex: ^/dev/nvme\d+n\d+$
placement:
nodeSelector:
scylla.scylladb.com/node-type: scylla
tolerations:
- effect: NoSchedule
- key: role
+ key: scylla-operator.scylladb.com/dedicated
operator: Equal
- value: scylla-clusters
+ value: scyllaclusters
diff --git a/examples/gke/cluster.yaml b/examples/gke/scyllacluster.yaml
similarity index 82%
rename from examples/gke/cluster.yaml
rename to examples/gke/scyllacluster.yaml
index 14925b1f835..4bf5930e81a 100644
--- a/examples/gke/cluster.yaml
+++ b/examples/gke/scyllacluster.yaml
@@ -1,15 +1,7 @@
-# Namespace where the Scylla Cluster will be created
-apiVersion: v1
-kind: Namespace
-metadata:
- name: scylla
----
-# Scylla Cluster
apiVersion: scylla.scylladb.com/v1
kind: ScyllaCluster
metadata:
- name: scylla-cluster
- namespace: scylla
+ name: basic
spec:
agentVersion: 3.4.0@sha256:441403aed8880cad1feef68aa7a8ee9ffd99a458dc1dcff3dc54ce5bf3cb07b7
version: 6.2.0
@@ -43,7 +35,7 @@ spec:
values:
-
tolerations:
- - key: role
+ - key: scylla-operator.scylladb.com/dedicated
operator: Equal
- value: scylla-clusters
+ value: scyllaclusters
effect: NoSchedule
diff --git a/examples/third-party/cert-manager.yaml b/examples/third-party/cert-manager.yaml
new file mode 100644
index 00000000000..5d715948e07
--- /dev/null
+++ b/examples/third-party/cert-manager.yaml
@@ -0,0 +1,5840 @@
+# Copyright 2022 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+---
+# Source: cert-manager/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: certificaterequests.cert-manager.io
+ labels:
+ app: 'cert-manager'
+ app.kubernetes.io/name: 'cert-manager'
+ app.kubernetes.io/instance: 'cert-manager'
+ # Generated labels
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ group: cert-manager.io
+ names:
+ kind: CertificateRequest
+ listKind: CertificateRequestList
+ plural: certificaterequests
+ shortNames:
+ - cr
+ - crs
+ singular: certificaterequest
+ categories:
+ - cert-manager
+ scope: Namespaced
+ versions:
+ - name: v1
+ subresources:
+ status: {}
+ additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Approved")].status
+ name: Approved
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Denied")].status
+ name: Denied
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - jsonPath: .spec.issuerRef.name
+ name: Issuer
+ type: string
+ - jsonPath: .spec.username
+ name: Requestor
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ priority: 1
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used."
+ type: object
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired state of the CertificateRequest resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+ type: object
+ required:
+ - issuerRef
+ - request
+ properties:
+ duration:
+ description: Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute.
+ type: string
+ extra:
+ description: Extra contains extra attributes of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
+ type: object
+ additionalProperties:
+ type: array
+ items:
+ type: string
+ groups:
+ description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ isCA:
+ description: "Requested basic constraints isCA value. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n NOTE: If the CSR in the `Request` field has a BasicConstraints extension, it must have the same isCA value as specified here. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`."
+ type: boolean
+ issuerRef:
+ description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified."
+ type: object
+ required:
+ - name
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ request:
+ description: "The PEM-encoded X.509 certificate signing request to be submitted to the issuer for signing. \n If the CSR has a BasicConstraints extension, its isCA attribute must match the `isCA` value of this CertificateRequest. If the CSR has a KeyUsage extension, its key usages must match the key usages in the `usages` field of this CertificateRequest. If the CSR has a ExtKeyUsage extension, its extended key usages must match the extended key usages in the `usages` field of this CertificateRequest."
+ type: string
+ format: byte
+ uid:
+ description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
+ type: string
+ usages:
+ description: "Requested key usages and extended key usages. \n NOTE: If the CSR in the `Request` field has uses the KeyUsage or ExtKeyUsage extension, these extensions must have the same values as specified here without any additional values. \n If unset, defaults to `digital signature` and `key encipherment`."
+ type: array
+ items:
+ description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
+ type: string
+ enum:
+ - signing
+ - digital signature
+ - content commitment
+ - key encipherment
+ - key agreement
+ - data encipherment
+ - cert sign
+ - crl sign
+ - encipher only
+ - decipher only
+ - any
+ - server auth
+ - client auth
+ - code signing
+ - email protection
+ - s/mime
+ - ipsec end system
+ - ipsec tunnel
+ - ipsec user
+ - timestamping
+ - ocsp signing
+ - microsoft sgc
+ - netscape sgc
+ username:
+ description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable.
+ type: string
+ status:
+ description: 'Status of the CertificateRequest. This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+ type: object
+ properties:
+ ca:
+ description: The PEM encoded X.509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available.
+ type: string
+ format: byte
+ certificate:
+ description: The PEM encoded X.509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field.
+ type: string
+ format: byte
+ conditions:
+ description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
+ type: array
+ items:
+ description: CertificateRequestCondition contains condition information for a CertificateRequest.
+ type: object
+ required:
+ - status
+ - type
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+ type: string
+ format: date-time
+ message:
+ description: Message is a human readable description of the details of the last transition, complementing reason.
+ type: string
+ reason:
+ description: Reason is a brief machine readable explanation for the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of (`True`, `False`, `Unknown`).
+ type: string
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type:
+ description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`).
+ type: string
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ failureTime:
+ description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off.
+ type: string
+ format: date-time
+ served: true
+ storage: true
+---
+# Source: cert-manager/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: certificates.cert-manager.io
+ labels:
+ app: 'cert-manager'
+ app.kubernetes.io/name: 'cert-manager'
+ app.kubernetes.io/instance: 'cert-manager'
+ # Generated labels
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ group: cert-manager.io
+ names:
+ kind: Certificate
+ listKind: CertificateList
+ plural: certificates
+ shortNames:
+ - cert
+ - certs
+ singular: certificate
+ categories:
+ - cert-manager
+ scope: Namespaced
+ versions:
+ - name: v1
+ subresources:
+ status: {}
+ additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - jsonPath: .spec.secretName
+ name: Secret
+ type: string
+ - jsonPath: .spec.issuerRef.name
+ name: Issuer
+ priority: 1
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ priority: 1
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ description: "A Certificate resource should be created to ensure an up to date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)."
+ type: object
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Specification of the desired state of the Certificate resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+ type: object
+ required:
+ - issuerRef
+ - secretName
+ properties:
+ additionalOutputFormats:
+ description: "Defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. \n This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option set on both the controller and webhook components."
+ type: array
+ items:
+ description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
+ type: object
+ required:
+ - type
+ properties:
+ type:
+ description: Type is the name of the format type that should be written to the Certificate's target Secret.
+ type: string
+ enum:
+ - DER
+ - CombinedPEM
+ commonName:
+ description: "Requested common name X509 certificate subject attribute. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 NOTE: TLS clients will ignore this value when any subject alternative name is set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). \n Should have a length of 64 characters or fewer to avoid generating invalid CSRs. Cannot be set if the `literalSubject` field is set."
+ type: string
+ dnsNames:
+ description: Requested DNS subject alternative names.
+ type: array
+ items:
+ type: string
+ duration:
+ description: "Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. \n If unset, this defaults to 90 days. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration."
+ type: string
+ emailAddresses:
+ description: Requested email subject alternative names.
+ type: array
+ items:
+ type: string
+ encodeUsagesInRequest:
+ description: "Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. \n This option defaults to true, and should only be disabled if the target issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions."
+ type: boolean
+ ipAddresses:
+ description: Requested IP address subject alternative names.
+ type: array
+ items:
+ type: string
+ isCA:
+ description: "Requested basic constraints isCA value. The isCA value is used to set the `isCA` field on the created CertificateRequest resources. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`."
+ type: boolean
+ issuerRef:
+ description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified."
+ type: object
+ required:
+ - name
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ keystores:
+ description: Additional keystore output formats to be stored in the Certificate's Secret.
+ type: object
+ properties:
+ jks:
+ description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
+ type: object
+ required:
+ - create
+ - passwordSecretRef
+ properties:
+ create:
+ description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
+ type: boolean
+ passwordSecretRef:
+ description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ pkcs12:
+ description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
+ type: object
+ required:
+ - create
+ - passwordSecretRef
+ properties:
+ create:
+ description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
+ type: boolean
+ passwordSecretRef:
+ description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ profile:
+ description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret."
+ type: string
+ enum:
+ - LegacyRC2
+ - LegacyDES
+ - Modern2023
+ literalSubject:
+ description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components."
+ type: string
+ nameConstraints:
+ description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true` option set on both the controller and webhook components."
+ type: object
+ properties:
+ critical:
+ description: if true then the name constraints are marked critical.
+ type: boolean
+ excluded:
+ description: Excluded contains the constraints which must be disallowed. Any name matching a restriction in the excluded field is invalid regardless of information appearing in the permitted
+ type: object
+ properties:
+ dnsDomains:
+ description: DNSDomains is a list of DNS domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ emailAddresses:
+ description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ ipRanges:
+ description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation.
+ type: array
+ items:
+ type: string
+ uriDomains:
+ description: URIDomains is a list of URI domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ permitted:
+ description: Permitted contains the constraints in which the names must be located.
+ type: object
+ properties:
+ dnsDomains:
+ description: DNSDomains is a list of DNS domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ emailAddresses:
+ description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ ipRanges:
+ description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation.
+ type: array
+ items:
+ type: string
+ uriDomains:
+ description: URIDomains is a list of URI domains that are permitted or excluded.
+ type: array
+ items:
+ type: string
+ otherNames:
+ description: '`otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.'
+ type: array
+ items:
+ type: object
+ properties:
+ oid:
+ description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113556.1.4.221".
+ type: string
+ utf8Value:
+ description: utf8Value is the string value of the otherName SAN. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+ type: string
+ privateKey:
+ description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy.
+ type: object
+ properties:
+ algorithm:
+ description: "Algorithm is the private key algorithm of the corresponding private key for this certificate. \n If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. If `algorithm` is specified and `size` is not provided, key size of 2048 will be used for `RSA` key algorithm and key size of 256 will be used for `ECDSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm."
+ type: string
+ enum:
+ - RSA
+ - ECDSA
+ - Ed25519
+ encoding:
+ description: "The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. \n If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified."
+ type: string
+ enum:
+ - PKCS1
+ - PKCS8
+ rotationPolicy:
+ description: "RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. \n If set to `Never`, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to `Always`, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is `Never` for backward compatibility."
+ type: string
+ enum:
+ - Never
+ - Always
+ size:
+ description: "Size is the key bit size of the corresponding private key for this certificate. \n If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed."
+ type: integer
+ renewBefore:
+ description: "How long before the currently issued certificate's expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. when there are 10 minutes remaining until the certificate is no longer valid). \n NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate. \n If unset, this defaults to 1/3 of the issued certificate's lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration."
+ type: string
+ revisionHistoryLimit:
+ description: "The maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. \n If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`."
+ type: integer
+ format: int32
+ secretName:
+ description: Name of the Secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. The Secret resource lives in the same namespace as the Certificate resource.
+ type: string
+ secretTemplate:
+ description: Defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret.
+ type: object
+ properties:
+ annotations:
+ description: Annotations is a key value map to be copied to the target Kubernetes Secret.
+ type: object
+ additionalProperties:
+ type: string
+ labels:
+ description: Labels is a key value map to be copied to the target Kubernetes Secret.
+ type: object
+ additionalProperties:
+ type: string
+ subject:
+ description: "Requested set of X509 certificate subject attributes. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 \n The common name attribute is specified separately in the `commonName` field. Cannot be set if the `literalSubject` field is set."
+ type: object
+ properties:
+ countries:
+ description: Countries to be used on the Certificate.
+ type: array
+ items:
+ type: string
+ localities:
+ description: Cities to be used on the Certificate.
+ type: array
+ items:
+ type: string
+ organizationalUnits:
+ description: Organizational Units to be used on the Certificate.
+ type: array
+ items:
+ type: string
+ organizations:
+ description: Organizations to be used on the Certificate.
+ type: array
+ items:
+ type: string
+ postalCodes:
+ description: Postal codes to be used on the Certificate.
+ type: array
+ items:
+ type: string
+ provinces:
+ description: State/Provinces to be used on the Certificate.
+ type: array
+ items:
+ type: string
+ serialNumber:
+ description: Serial number to be used on the Certificate.
+ type: string
+ streetAddresses:
+ description: Street addresses to be used on the Certificate.
+ type: array
+ items:
+ type: string
+ uris:
+ description: Requested URI subject alternative names.
+ type: array
+ items:
+ type: string
+ usages:
+ description: "Requested key usages and extended key usages. These usages are used to set the `usages` field on the created CertificateRequest resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages will additionally be encoded in the `request` field which contains the CSR blob. \n If unset, defaults to `digital signature` and `key encipherment`."
+ type: array
+ items:
+ description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\""
+ type: string
+ enum:
+ - signing
+ - digital signature
+ - content commitment
+ - key encipherment
+ - key agreement
+ - data encipherment
+ - cert sign
+ - crl sign
+ - encipher only
+ - decipher only
+ - any
+ - server auth
+ - client auth
+ - code signing
+ - email protection
+ - s/mime
+ - ipsec end system
+ - ipsec tunnel
+ - ipsec user
+ - timestamping
+ - ocsp signing
+ - microsoft sgc
+ - netscape sgc
+ status:
+ description: 'Status of the Certificate. This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+ type: object
+ properties:
+ conditions:
+ description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`.
+ type: array
+ items:
+ description: CertificateCondition contains condition information for an Certificate.
+ type: object
+ required:
+ - status
+ - type
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+ type: string
+ format: date-time
+ message:
+ description: Message is a human readable description of the details of the last transition, complementing reason.
+ type: string
+ observedGeneration:
+ description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate.
+ type: integer
+ format: int64
+ reason:
+ description: Reason is a brief machine readable explanation for the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of (`True`, `False`, `Unknown`).
+ type: string
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type:
+ description: Type of the condition, known values are (`Ready`, `Issuing`).
+ type: string
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ failedIssuanceAttempts:
+ description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1).
+ type: integer
+ lastFailureTime:
+ description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset.
+ type: string
+ format: date-time
+ nextPrivateKeySecretName:
+ description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False.
+ type: string
+ notAfter:
+ description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`.
+ type: string
+ format: date-time
+ notBefore:
+ description: The time after which the certificate stored in the secret named by this resource in `spec.secretName` is valid.
+ type: string
+ format: date-time
+ renewalTime:
+ description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled.
+ type: string
+ format: date-time
+ revision:
+ description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field."
+ type: integer
+ served: true
+ storage: true
+---
+# Source: cert-manager/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: challenges.acme.cert-manager.io
+ labels:
+ app: 'cert-manager'
+ app.kubernetes.io/name: 'cert-manager'
+ app.kubernetes.io/instance: 'cert-manager'
+ # Generated labels
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ group: acme.cert-manager.io
+ names:
+ kind: Challenge
+ listKind: ChallengeList
+ plural: challenges
+ singular: challenge
+ categories:
+ - cert-manager
+ - cert-manager-acme
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.state
+ name: State
+ type: string
+ - jsonPath: .spec.dnsName
+ name: Domain
+ type: string
+ - jsonPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: Challenge is a type to represent a Challenge request with an ACME server
+ type: object
+ required:
+ - metadata
+ - spec
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ type: object
+ required:
+ - authorizationURL
+ - dnsName
+ - issuerRef
+ - key
+ - solver
+ - token
+ - type
+ - url
+ properties:
+ authorizationURL:
+ description: The URL to the ACME Authorization resource that this challenge is a part of.
+ type: string
+ dnsName:
+ description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
+ type: string
+ issuerRef:
+ description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
+ type: object
+ required:
+ - name
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ key:
+ description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.'
+ type: string
+ solver:
+ description: Contains the domain solving configuration that should be used to solve this challenge resource.
+ type: object
+ properties:
+ dns01:
+ description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
+ type: object
+ properties:
+ acmeDNS:
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
+ type: object
+ required:
+ - accountSecretRef
+ - host
+ properties:
+ accountSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ host:
+ type: string
+ akamai:
+ description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
+ type: object
+ required:
+ - accessTokenSecretRef
+ - clientSecretSecretRef
+ - clientTokenSecretRef
+ - serviceConsumerDomain
+ properties:
+ accessTokenSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ clientSecretSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ clientTokenSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ serviceConsumerDomain:
+ type: string
+ azureDNS:
+ description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+ type: object
+ required:
+ - resourceGroupName
+ - subscriptionID
+ properties:
+ clientID:
+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
+ type: string
+ clientSecretSecretRef:
+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ environment:
+ description: name of the Azure environment (default AzurePublicCloud)
+ type: string
+ enum:
+ - AzurePublicCloud
+ - AzureChinaCloud
+ - AzureGermanCloud
+ - AzureUSGovernmentCloud
+ hostedZoneName:
+ description: name of the DNS zone that should be used
+ type: string
+ managedIdentity:
+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
+ type: object
+ properties:
+ clientID:
+ description: client ID of the managed identity, can not be used at the same time as resourceID
+ type: string
+ resourceID:
+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
+ type: string
+ resourceGroupName:
+ description: resource group the DNS zone is located in
+ type: string
+ subscriptionID:
+ description: ID of the Azure subscription
+ type: string
+ tenantID:
+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
+ type: string
+ cloudDNS:
+ description: Use the Google Cloud DNS API to manage DNS01 challenge records.
+ type: object
+ required:
+ - project
+ properties:
+ hostedZoneName:
+ description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
+ type: string
+ project:
+ type: string
+ serviceAccountSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ cloudflare:
+ description: Use the Cloudflare API to manage DNS01 challenge records.
+ type: object
+ properties:
+ apiKeySecretRef:
+ description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ apiTokenSecretRef:
+ description: API token used to authenticate with Cloudflare.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ email:
+ description: Email of the account, only required when using API key based authentication.
+ type: string
+ cnameStrategy:
+ description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
+ type: string
+ enum:
+ - None
+ - Follow
+ digitalocean:
+ description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
+ type: object
+ required:
+ - tokenSecretRef
+ properties:
+ tokenSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ rfc2136:
+ description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
+ type: object
+ required:
+ - nameserver
+ properties:
+ nameserver:
+ description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
+ type: string
+ tsigAlgorithm:
+ description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+ type: string
+ tsigKeyName:
+ description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
+ type: string
+ tsigSecretSecretRef:
+ description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ route53:
+ description: Use the AWS Route53 API to manage DNS01 challenge records.
+ type: object
+ required:
+ - region
+ properties:
+ accessKeyID:
+ description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ type: string
+ accessKeyIDSecretRef:
+ description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ hostedZoneID:
+ description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
+ type: string
+ region:
+ description: Always set the region when using AccessKeyID and SecretAccessKey
+ type: string
+ role:
+ description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+ type: string
+ secretAccessKeySecretRef:
+ description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ webhook:
+ description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
+ type: object
+ required:
+ - groupName
+ - solverName
+ properties:
+ config:
+ description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
+ x-kubernetes-preserve-unknown-fields: true
+ groupName:
+ description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
+ type: string
+ solverName:
+ description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
+ type: string
+ http01:
+ description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
+ type: object
+ properties:
+ gatewayHTTPRoute:
+ description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
+ type: object
+ properties:
+ labels:
+ description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
+ type: object
+ additionalProperties:
+ type: string
+ parentRefs:
+ description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
+ type: array
+ items:
+ description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
+ type: object
+ required:
+ - name
+ properties:
+ group:
+ description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
+ type: string
+ default: gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ kind:
+ description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific."
+ type: string
+ default: Gateway
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ name:
+ description: "Name is the name of the referent. \n Support: Core"
+ type: string
+ maxLength: 253
+ minLength: 1
+ namespace:
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
+ type: string
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ port:
+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
+ type: integer
+ format: int32
+ maximum: 65535
+ minimum: 1
+ sectionName:
+ description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
+ type: string
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ serviceType:
+ description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
+ type: string
+ ingress:
+ description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
+ type: object
+ properties:
+ class:
+ description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
+ type: string
+ ingressClassName:
+ description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
+ type: string
+ ingressTemplate:
+ description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
+ type: object
+ properties:
+ metadata:
+ description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
+ type: object
+ properties:
+ annotations:
+ description: Annotations that should be added to the created ACME HTTP01 solver ingress.
+ type: object
+ additionalProperties:
+ type: string
+ labels:
+ description: Labels that should be added to the created ACME HTTP01 solver ingress.
+ type: object
+ additionalProperties:
+ type: string
+ name:
+ description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
+ type: string
+ podTemplate:
+ description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
+ type: object
+ properties:
+ metadata:
+ description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
+ type: object
+ properties:
+ annotations:
+ description: Annotations that should be added to the create ACME HTTP01 solver pods.
+ type: object
+ additionalProperties:
+ type: string
+ labels:
+ description: Labels that should be added to the created ACME HTTP01 solver pods.
+ type: object
+ additionalProperties:
+ type: string
+ spec:
+ description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
+ type: object
+ properties:
+ affinity:
+ description: If specified, the pod's scheduling constraints
+ type: object
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling rules for the pod.
+ type: object
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
+ type: array
+ items:
+ description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ type: object
+ required:
+ - preference
+ - weight
+ properties:
+ preference:
+ description: A node selector term, associated with the corresponding weight.
+ type: object
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements by node's labels.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchFields:
+ description: A list of node selector requirements by node's fields.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+ type: integer
+ format: int32
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
+ type: object
+ required:
+ - nodeSelectorTerms
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node selector terms. The terms are ORed.
+ type: array
+ items:
+ description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ type: object
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements by node's labels.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchFields:
+ description: A list of node selector requirements by node's fields.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ x-kubernetes-map-type: atomic
+ x-kubernetes-map-type: atomic
+ podAffinity:
+ description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+ type: object
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
+ type: array
+ items:
+ description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+ type: object
+ required:
+ - podAffinityTerm
+ - weight
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term, associated with the corresponding weight.
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ weight:
+ description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
+ type: integer
+ format: int32
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ type: array
+ items:
+ description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+ type: object
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
+ type: array
+ items:
+ description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+ type: object
+ required:
+ - podAffinityTerm
+ - weight
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term, associated with the corresponding weight.
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ weight:
+ description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
+ type: integer
+ format: int32
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ type: array
+ items:
+ description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ imagePullSecrets:
+ description: If specified, the pod's imagePullSecrets
+ type: array
+ items:
+ description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
+ type: object
+ properties:
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ x-kubernetes-map-type: atomic
+ nodeSelector:
+ description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+ type: object
+ additionalProperties:
+ type: string
+ priorityClassName:
+ description: If specified, the pod's priorityClassName.
+ type: string
+ serviceAccountName:
+ description: If specified, the pod's service account
+ type: string
+ tolerations:
+ description: If specified, the pod's tolerations.
+ type: array
+ items:
+ description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .
+ type: object
+ properties:
+ effect:
+ description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+ type: integer
+ format: int64
+ value:
+ description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ serviceType:
+ description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
+ type: string
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
+ type: object
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
+ type: array
+ items:
+ type: string
+ dnsZones:
+ description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
+ type: object
+ additionalProperties:
+ type: string
+ token:
+ description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server.
+ type: string
+ type:
+ description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".
+ type: string
+ enum:
+ - HTTP-01
+ - DNS-01
+ url:
+ description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.
+ type: string
+ wildcard:
+ description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.
+ type: boolean
+ status:
+ type: object
+ properties:
+ presented:
+ description: presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).
+ type: boolean
+ processing:
+ description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.
+ type: boolean
+ reason:
+ description: Contains human readable information on why the Challenge is in the current state.
+ type: string
+ state:
+ description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.
+ type: string
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+# Source: cert-manager/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterissuers.cert-manager.io
+ labels:
+ app: 'cert-manager'
+ app.kubernetes.io/name: 'cert-manager'
+ app.kubernetes.io/instance: "cert-manager"
+ # Generated labels
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ group: cert-manager.io
+ names:
+ kind: ClusterIssuer
+ listKind: ClusterIssuerList
+ plural: clusterissuers
+ singular: clusterissuer
+ categories:
+ - cert-manager
+ scope: Cluster
+ versions:
+ - name: v1
+ subresources:
+ status: {}
+ additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ priority: 1
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
+ type: object
+ required:
+ - spec
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the ClusterIssuer resource.
+ type: object
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
+ type: object
+ required:
+ - privateKeySecretRef
+ - server
+ properties:
+ caBundle:
+ description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
+ type: string
+ format: byte
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
+ type: string
+ enableDurationFeature:
+ description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
+ type: boolean
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
+ type: object
+ required:
+ - keyID
+ - keySecretRef
+ properties:
+ keyAlgorithm:
+ description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
+ type: string
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ keyID:
+ description: keyID is the ID of the CA key that the External Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
+ type: string
+ maxLength: 64
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ server:
+ description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+ type: string
+ skipTLSVerify:
+ description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
+ type: boolean
+ solvers:
+ description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+ type: array
+ items:
+ description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
+ type: object
+ properties:
+ dns01:
+ description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
+ type: object
+ properties:
+ acmeDNS:
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
+ type: object
+ required:
+ - accountSecretRef
+ - host
+ properties:
+ accountSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ host:
+ type: string
+ akamai:
+ description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
+ type: object
+ required:
+ - accessTokenSecretRef
+ - clientSecretSecretRef
+ - clientTokenSecretRef
+ - serviceConsumerDomain
+ properties:
+ accessTokenSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ clientSecretSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ clientTokenSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ serviceConsumerDomain:
+ type: string
+ azureDNS:
+ description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+ type: object
+ required:
+ - resourceGroupName
+ - subscriptionID
+ properties:
+ clientID:
+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
+ type: string
+ clientSecretSecretRef:
+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ environment:
+ description: name of the Azure environment (default AzurePublicCloud)
+ type: string
+ enum:
+ - AzurePublicCloud
+ - AzureChinaCloud
+ - AzureGermanCloud
+ - AzureUSGovernmentCloud
+ hostedZoneName:
+ description: name of the DNS zone that should be used
+ type: string
+ managedIdentity:
+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
+ type: object
+ properties:
+ clientID:
+ description: client ID of the managed identity, can not be used at the same time as resourceID
+ type: string
+ resourceID:
+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
+ type: string
+ resourceGroupName:
+ description: resource group the DNS zone is located in
+ type: string
+ subscriptionID:
+ description: ID of the Azure subscription
+ type: string
+ tenantID:
+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
+ type: string
+ cloudDNS:
+ description: Use the Google Cloud DNS API to manage DNS01 challenge records.
+ type: object
+ required:
+ - project
+ properties:
+ hostedZoneName:
+ description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
+ type: string
+ project:
+ type: string
+ serviceAccountSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ cloudflare:
+ description: Use the Cloudflare API to manage DNS01 challenge records.
+ type: object
+ properties:
+ apiKeySecretRef:
+ description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ apiTokenSecretRef:
+ description: API token used to authenticate with Cloudflare.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ email:
+ description: Email of the account, only required when using API key based authentication.
+ type: string
+ cnameStrategy:
+ description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
+ type: string
+ enum:
+ - None
+ - Follow
+ digitalocean:
+ description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
+ type: object
+ required:
+ - tokenSecretRef
+ properties:
+ tokenSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ rfc2136:
+ description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
+ type: object
+ required:
+ - nameserver
+ properties:
+ nameserver:
+ description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
+ type: string
+ tsigAlgorithm:
+ description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+ type: string
+ tsigKeyName:
+ description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
+ type: string
+ tsigSecretSecretRef:
+ description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ route53:
+ description: Use the AWS Route53 API to manage DNS01 challenge records.
+ type: object
+ required:
+ - region
+ properties:
+ accessKeyID:
+ description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ type: string
+ accessKeyIDSecretRef:
+ description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ hostedZoneID:
+ description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
+ type: string
+ region:
+ description: Always set the region when using AccessKeyID and SecretAccessKey
+ type: string
+ role:
+ description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+ type: string
+ secretAccessKeySecretRef:
+ description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ webhook:
+ description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
+ type: object
+ required:
+ - groupName
+ - solverName
+ properties:
+ config:
+ description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
+ x-kubernetes-preserve-unknown-fields: true
+ groupName:
+ description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
+ type: string
+ solverName:
+ description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
+ type: string
+ http01:
+ description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
+ type: object
+ properties:
+ gatewayHTTPRoute:
+ description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
+ type: object
+ properties:
+ labels:
+ description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
+ type: object
+ additionalProperties:
+ type: string
+ parentRefs:
+ description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
+ type: array
+ items:
+ description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
+ type: object
+ required:
+ - name
+ properties:
+ group:
+ description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
+ type: string
+ default: gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ kind:
+ description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific."
+ type: string
+ default: Gateway
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ name:
+ description: "Name is the name of the referent. \n Support: Core"
+ type: string
+ maxLength: 253
+ minLength: 1
+ namespace:
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
+ type: string
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ port:
+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
+ type: integer
+ format: int32
+ maximum: 65535
+ minimum: 1
+ sectionName:
+ description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
+ type: string
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ serviceType:
+ description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
+ type: string
+ ingress:
+ description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
+ type: object
+ properties:
+ class:
+ description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
+ type: string
+ ingressClassName:
+ description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
+ type: string
+ ingressTemplate:
+ description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
+ type: object
+ properties:
+ metadata:
+ description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
+ type: object
+ properties:
+ annotations:
+ description: Annotations that should be added to the created ACME HTTP01 solver ingress.
+ type: object
+ additionalProperties:
+ type: string
+ labels:
+ description: Labels that should be added to the created ACME HTTP01 solver ingress.
+ type: object
+ additionalProperties:
+ type: string
+ name:
+ description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
+ type: string
+ podTemplate:
+ description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
+ type: object
+ properties:
+ metadata:
+ description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
+ type: object
+ properties:
+ annotations:
+ description: Annotations that should be added to the create ACME HTTP01 solver pods.
+ type: object
+ additionalProperties:
+ type: string
+ labels:
+ description: Labels that should be added to the created ACME HTTP01 solver pods.
+ type: object
+ additionalProperties:
+ type: string
+ spec:
+ description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
+ type: object
+ properties:
+ affinity:
+ description: If specified, the pod's scheduling constraints
+ type: object
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling rules for the pod.
+ type: object
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
+ type: array
+ items:
+ description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ type: object
+ required:
+ - preference
+ - weight
+ properties:
+ preference:
+ description: A node selector term, associated with the corresponding weight.
+ type: object
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements by node's labels.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchFields:
+ description: A list of node selector requirements by node's fields.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+ type: integer
+ format: int32
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
+ type: object
+ required:
+ - nodeSelectorTerms
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node selector terms. The terms are ORed.
+ type: array
+ items:
+ description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ type: object
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements by node's labels.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchFields:
+ description: A list of node selector requirements by node's fields.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ x-kubernetes-map-type: atomic
+ x-kubernetes-map-type: atomic
+ podAffinity:
+ description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+ type: object
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
+ type: array
+ items:
+ description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+ type: object
+ required:
+ - podAffinityTerm
+ - weight
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term, associated with the corresponding weight.
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ weight:
+ description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
+ type: integer
+ format: int32
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ type: array
+ items:
+ description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+ type: object
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
+ type: array
+ items:
+ description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+ type: object
+ required:
+ - podAffinityTerm
+ - weight
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term, associated with the corresponding weight.
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ weight:
+ description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
+ type: integer
+ format: int32
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ type: array
+ items:
+ description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ imagePullSecrets:
+ description: If specified, the pod's imagePullSecrets
+ type: array
+ items:
+ description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
+ type: object
+ properties:
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ x-kubernetes-map-type: atomic
+ nodeSelector:
+ description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+ type: object
+ additionalProperties:
+ type: string
+ priorityClassName:
+ description: If specified, the pod's priorityClassName.
+ type: string
+ serviceAccountName:
+ description: If specified, the pod's service account
+ type: string
+ tolerations:
+ description: If specified, the pod's tolerations.
+ type: array
+ items:
+ description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .
+ type: object
+ properties:
+ effect:
+ description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+ type: integer
+ format: int64
+ value:
+ description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ serviceType:
+ description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
+ type: string
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
+ type: object
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
+ type: array
+ items:
+ type: string
+ dnsZones:
+ description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
+ type: object
+ additionalProperties:
+ type: string
+ ca:
+ description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
+ type: object
+ required:
+ - secretName
+ properties:
+ crlDistributionPoints:
+ description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
+ type: array
+ items:
+ type: string
+ issuingCertificateURLs:
+ description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
+ type: array
+ items:
+ type: string
+ ocspServers:
+ description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+ type: array
+ items:
+ type: string
+ secretName:
+ description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
+ type: string
+ selfSigned:
+ description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
+ type: object
+ properties:
+ crlDistributionPoints:
+ description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
+ type: array
+ items:
+ type: string
+ vault:
+ description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
+ type: object
+ required:
+ - auth
+ - path
+ - server
+ properties:
+ auth:
+ description: Auth configures how cert-manager authenticates with the Vault server.
+ type: object
+ properties:
+ appRole:
+ description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+ type: object
+ required:
+ - path
+ - roleId
+ - secretRef
+ properties:
+ path:
+ description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+ type: string
+ roleId:
+ description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+ type: string
+ secretRef:
+ description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ kubernetes:
+ description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+ type: object
+ required:
+ - role
+ properties:
+ mountPath:
+ description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
+ type: string
+ role:
+ description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ serviceAccountRef:
+ description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ description: Name of the ServiceAccount used to request a token.
+ type: string
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ caBundle:
+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
+ type: string
+ format: byte
+ caBundleSecretRef:
+ description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ namespace:
+ description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+ type: string
+ path:
+ description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+ type: string
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ venafi:
+ description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
+ type: object
+ required:
+ - zone
+ properties:
+ cloud:
+ description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
+ type: object
+ required:
+ - apiTokenSecretRef
+ properties:
+ apiTokenSecretRef:
+ description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ url:
+ description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
+ type: string
+ tpp:
+ description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
+ type: object
+ required:
+ - credentialsRef
+ - url
+ properties:
+ caBundle:
+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
+ type: string
+ format: byte
+ credentialsRef:
+ description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ url:
+ description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+ type: string
+ zone:
+ description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
+ type: string
+ status:
+ description: Status of the ClusterIssuer. This is set and managed automatically.
+ type: object
+ properties:
+ acme:
+ description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
+ type: object
+ properties:
+ lastPrivateKeyHash:
+ description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
+ type: string
+ lastRegisteredEmail:
+ description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
+ type: string
+ uri:
+ description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
+ type: string
+ conditions:
+ description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
+ type: array
+ items:
+ description: IssuerCondition contains condition information for an Issuer.
+ type: object
+ required:
+ - status
+ - type
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+ type: string
+ format: date-time
+ message:
+ description: Message is a human readable description of the details of the last transition, complementing reason.
+ type: string
+ observedGeneration:
+ description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
+ type: integer
+ format: int64
+ reason:
+ description: Reason is a brief machine readable explanation for the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of (`True`, `False`, `Unknown`).
+ type: string
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type:
+ description: Type of the condition, known values are (`Ready`).
+ type: string
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ served: true
+ storage: true
+---
+# Source: cert-manager/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: issuers.cert-manager.io
+ labels:
+ app: 'cert-manager'
+ app.kubernetes.io/name: 'cert-manager'
+ app.kubernetes.io/instance: "cert-manager"
+ # Generated labels
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ group: cert-manager.io
+ names:
+ kind: Issuer
+ listKind: IssuerList
+ plural: issuers
+ singular: issuer
+ categories:
+ - cert-manager
+ scope: Namespaced
+ versions:
+ - name: v1
+ subresources:
+ status: {}
+ additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].message
+ name: Status
+ priority: 1
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
+ type: object
+ required:
+ - spec
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Desired state of the Issuer resource.
+ type: object
+ properties:
+ acme:
+ description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
+ type: object
+ required:
+ - privateKeySecretRef
+ - server
+ properties:
+ caBundle:
+ description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection.
+ type: string
+ format: byte
+ disableAccountKeyGeneration:
+ description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.
+ type: boolean
+ email:
+ description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.
+ type: string
+ enableDurationFeature:
+ description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.
+ type: boolean
+ externalAccountBinding:
+ description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
+ type: object
+ required:
+ - keyID
+ - keySecretRef
+ properties:
+ keyAlgorithm:
+ description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.'
+ type: string
+ enum:
+ - HS256
+ - HS384
+ - HS512
+ keyID:
+ description: keyID is the ID of the CA key that the External Account is bound to.
+ type: string
+ keySecretRef:
+ description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ preferredChain:
+ description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN'
+ type: string
+ maxLength: 64
+ privateKeySecretRef:
+ description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ server:
+ description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.'
+ type: string
+ skipTLSVerify:
+ description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.'
+ type: boolean
+ solvers:
+ description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/'
+ type: array
+ items:
+ description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
+ type: object
+ properties:
+ dns01:
+ description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
+ type: object
+ properties:
+ acmeDNS:
+ description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
+ type: object
+ required:
+ - accountSecretRef
+ - host
+ properties:
+ accountSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ host:
+ type: string
+ akamai:
+ description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
+ type: object
+ required:
+ - accessTokenSecretRef
+ - clientSecretSecretRef
+ - clientTokenSecretRef
+ - serviceConsumerDomain
+ properties:
+ accessTokenSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ clientSecretSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ clientTokenSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ serviceConsumerDomain:
+ type: string
+ azureDNS:
+ description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+ type: object
+ required:
+ - resourceGroupName
+ - subscriptionID
+ properties:
+ clientID:
+ description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.'
+ type: string
+ clientSecretSecretRef:
+ description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ environment:
+ description: name of the Azure environment (default AzurePublicCloud)
+ type: string
+ enum:
+ - AzurePublicCloud
+ - AzureChinaCloud
+ - AzureGermanCloud
+ - AzureUSGovernmentCloud
+ hostedZoneName:
+ description: name of the DNS zone that should be used
+ type: string
+ managedIdentity:
+ description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.'
+ type: object
+ properties:
+ clientID:
+ description: client ID of the managed identity, can not be used at the same time as resourceID
+ type: string
+ resourceID:
+ description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity
+ type: string
+ resourceGroupName:
+ description: resource group the DNS zone is located in
+ type: string
+ subscriptionID:
+ description: ID of the Azure subscription
+ type: string
+ tenantID:
+ description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.'
+ type: string
+ cloudDNS:
+ description: Use the Google Cloud DNS API to manage DNS01 challenge records.
+ type: object
+ required:
+ - project
+ properties:
+ hostedZoneName:
+ description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.
+ type: string
+ project:
+ type: string
+ serviceAccountSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ cloudflare:
+ description: Use the Cloudflare API to manage DNS01 challenge records.
+ type: object
+ properties:
+ apiKeySecretRef:
+ description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ apiTokenSecretRef:
+ description: API token used to authenticate with Cloudflare.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ email:
+ description: Email of the account, only required when using API key based authentication.
+ type: string
+ cnameStrategy:
+ description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.
+ type: string
+ enum:
+ - None
+ - Follow
+ digitalocean:
+ description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
+ type: object
+ required:
+ - tokenSecretRef
+ properties:
+ tokenSecretRef:
+ description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ rfc2136:
+ description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
+ type: object
+ required:
+ - nameserver
+ properties:
+ nameserver:
+ description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.
+ type: string
+ tsigAlgorithm:
+ description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.'
+ type: string
+ tsigKeyName:
+ description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.
+ type: string
+ tsigSecretSecretRef:
+ description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ route53:
+ description: Use the AWS Route53 API to manage DNS01 challenge records.
+ type: object
+ required:
+ - region
+ properties:
+ accessKeyID:
+ description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ type: string
+ accessKeyIDSecretRef:
+ description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ hostedZoneID:
+ description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
+ type: string
+ region:
+ description: Always set the region when using AccessKeyID and SecretAccessKey
+ type: string
+ role:
+ description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+ type: string
+ secretAccessKeySecretRef:
+ description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ webhook:
+ description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
+ type: object
+ required:
+ - groupName
+ - solverName
+ properties:
+ config:
+ description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.
+ x-kubernetes-preserve-unknown-fields: true
+ groupName:
+ description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.
+ type: string
+ solverName:
+ description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.
+ type: string
+ http01:
+ description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
+ type: object
+ properties:
+ gatewayHTTPRoute:
+ description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
+ type: object
+ properties:
+ labels:
+ description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.
+ type: object
+ additionalProperties:
+ type: string
+ parentRefs:
+ description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways'
+ type: array
+ items:
+ description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid."
+ type: object
+ required:
+ - name
+ properties:
+ group:
+ description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core"
+ type: string
+ default: gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ kind:
+ description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific."
+ type: string
+ default: Gateway
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ name:
+ description: "Name is the name of the referent. \n Support: Core"
+ type: string
+ maxLength: 253
+ minLength: 1
+ namespace:
+ description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core"
+ type: string
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ port:
+ description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n "
+ type: integer
+ format: int32
+ maximum: 65535
+ minimum: 1
+ sectionName:
+ description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core"
+ type: string
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ serviceType:
+ description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
+ type: string
+ ingress:
+ description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.
+ type: object
+ properties:
+ class:
+ description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.
+ type: string
+ ingressClassName:
+ description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.
+ type: string
+ ingressTemplate:
+ description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
+ type: object
+ properties:
+ metadata:
+ description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
+ type: object
+ properties:
+ annotations:
+ description: Annotations that should be added to the created ACME HTTP01 solver ingress.
+ type: object
+ additionalProperties:
+ type: string
+ labels:
+ description: Labels that should be added to the created ACME HTTP01 solver ingress.
+ type: object
+ additionalProperties:
+ type: string
+ name:
+ description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.
+ type: string
+ podTemplate:
+ description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
+ type: object
+ properties:
+ metadata:
+ description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
+ type: object
+ properties:
+ annotations:
+ description: Annotations that should be added to the create ACME HTTP01 solver pods.
+ type: object
+ additionalProperties:
+ type: string
+ labels:
+ description: Labels that should be added to the created ACME HTTP01 solver pods.
+ type: object
+ additionalProperties:
+ type: string
+ spec:
+ description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
+ type: object
+ properties:
+ affinity:
+ description: If specified, the pod's scheduling constraints
+ type: object
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling rules for the pod.
+ type: object
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
+ type: array
+ items:
+ description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ type: object
+ required:
+ - preference
+ - weight
+ properties:
+ preference:
+ description: A node selector term, associated with the corresponding weight.
+ type: object
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements by node's labels.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchFields:
+ description: A list of node selector requirements by node's fields.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+ type: integer
+ format: int32
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
+ type: object
+ required:
+ - nodeSelectorTerms
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node selector terms. The terms are ORed.
+ type: array
+ items:
+ description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ type: object
+ properties:
+ matchExpressions:
+ description: A list of node selector requirements by node's labels.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchFields:
+ description: A list of node selector requirements by node's fields.
+ type: array
+ items:
+ description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: The label key that the selector applies to.
+ type: string
+ operator:
+ description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ x-kubernetes-map-type: atomic
+ x-kubernetes-map-type: atomic
+ podAffinity:
+ description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+ type: object
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
+ type: array
+ items:
+ description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+ type: object
+ required:
+ - podAffinityTerm
+ - weight
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term, associated with the corresponding weight.
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ weight:
+ description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
+ type: integer
+ format: int32
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ type: array
+ items:
+ description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+ type: object
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
+ type: array
+ items:
+ description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+ type: object
+ required:
+ - podAffinityTerm
+ - weight
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity term, associated with the corresponding weight.
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ weight:
+ description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
+ type: integer
+ format: int32
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ type: array
+ items:
+ description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running
+ type: object
+ required:
+ - topologyKey
+ properties:
+ labelSelector:
+ description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
+ type: array
+ items:
+ type: string
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
+ type: object
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ type: array
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ additionalProperties:
+ type: string
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ type: array
+ items:
+ type: string
+ topologyKey:
+ description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
+ type: string
+ imagePullSecrets:
+ description: If specified, the pod's imagePullSecrets
+ type: array
+ items:
+ description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
+ type: object
+ properties:
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ x-kubernetes-map-type: atomic
+ nodeSelector:
+ description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+ type: object
+ additionalProperties:
+ type: string
+ priorityClassName:
+ description: If specified, the pod's priorityClassName.
+ type: string
+ serviceAccountName:
+ description: If specified, the pod's service account
+ type: string
+ tolerations:
+ description: If specified, the pod's tolerations.
+ type: array
+ items:
+ description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .
+ type: object
+ properties:
+ effect:
+ description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+ type: integer
+ format: int64
+ value:
+ description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ serviceType:
+ description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.
+ type: string
+ selector:
+ description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
+ type: object
+ properties:
+ dnsNames:
+ description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
+ type: array
+ items:
+ type: string
+ dnsZones:
+ description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
+ type: array
+ items:
+ type: string
+ matchLabels:
+ description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to.
+ type: object
+ additionalProperties:
+ type: string
+ ca:
+ description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
+ type: object
+ required:
+ - secretName
+ properties:
+ crlDistributionPoints:
+ description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.
+ type: array
+ items:
+ type: string
+ issuingCertificateURLs:
+ description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt".
+ type: array
+ items:
+ type: string
+ ocspServers:
+ description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+ type: array
+ items:
+ type: string
+ secretName:
+ description: SecretName is the name of the secret used to sign Certificates issued by this Issuer.
+ type: string
+ selfSigned:
+ description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
+ type: object
+ properties:
+ crlDistributionPoints:
+ description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings.
+ type: array
+ items:
+ type: string
+ vault:
+ description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
+ type: object
+ required:
+ - auth
+ - path
+ - server
+ properties:
+ auth:
+ description: Auth configures how cert-manager authenticates with the Vault server.
+ type: object
+ properties:
+ appRole:
+ description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+ type: object
+ required:
+ - path
+ - roleId
+ - secretRef
+ properties:
+ path:
+ description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+ type: string
+ roleId:
+ description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+ type: string
+ secretRef:
+ description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ kubernetes:
+ description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+ type: object
+ required:
+ - role
+ properties:
+ mountPath:
+ description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used.
+ type: string
+ role:
+ description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ serviceAccountRef:
+ description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ description: Name of the ServiceAccount used to request a token.
+ type: string
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ caBundle:
+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
+ type: string
+ format: byte
+ caBundleSecretRef:
+ description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ namespace:
+ description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+ type: string
+ path:
+ description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".'
+ type: string
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ venafi:
+ description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
+ type: object
+ required:
+ - zone
+ properties:
+ cloud:
+ description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
+ type: object
+ required:
+ - apiTokenSecretRef
+ properties:
+ apiTokenSecretRef:
+ description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+ type: object
+ required:
+ - name
+ properties:
+ key:
+ description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ type: string
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ url:
+ description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1".
+ type: string
+ tpp:
+ description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
+ type: object
+ required:
+ - credentialsRef
+ - url
+ properties:
+ caBundle:
+ description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.
+ type: string
+ format: byte
+ credentialsRef:
+ description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'.
+ type: object
+ required:
+ - name
+ properties:
+ name:
+ description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ url:
+ description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".'
+ type: string
+ zone:
+ description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.
+ type: string
+ status:
+ description: Status of the Issuer. This is set and managed automatically.
+ type: object
+ properties:
+ acme:
+ description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
+ type: object
+ properties:
+ lastPrivateKeyHash:
+ description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
+ type: string
+ lastRegisteredEmail:
+ description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer
+ type: string
+ uri:
+ description: URI is the unique account identifier, which can also be used to retrieve account details from the CA
+ type: string
+ conditions:
+ description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`.
+ type: array
+ items:
+ description: IssuerCondition contains condition information for an Issuer.
+ type: object
+ required:
+ - status
+ - type
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+ type: string
+ format: date-time
+ message:
+ description: Message is a human readable description of the details of the last transition, complementing reason.
+ type: string
+ observedGeneration:
+ description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer.
+ type: integer
+ format: int64
+ reason:
+ description: Reason is a brief machine readable explanation for the condition's last transition.
+ type: string
+ status:
+ description: Status of the condition, one of (`True`, `False`, `Unknown`).
+ type: string
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type:
+ description: Type of the condition, known values are (`Ready`).
+ type: string
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ served: true
+ storage: true
+---
+# Source: cert-manager/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: orders.acme.cert-manager.io
+ labels:
+ app: 'cert-manager'
+ app.kubernetes.io/name: 'cert-manager'
+ app.kubernetes.io/instance: 'cert-manager'
+ # Generated labels
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ group: acme.cert-manager.io
+ names:
+ kind: Order
+ listKind: OrderList
+ plural: orders
+ singular: order
+ categories:
+ - cert-manager
+ - cert-manager-acme
+ scope: Namespaced
+ versions:
+ - name: v1
+ subresources:
+ status: {}
+ additionalPrinterColumns:
+ - jsonPath: .status.state
+ name: State
+ type: string
+ - jsonPath: .spec.issuerRef.name
+ name: Issuer
+ priority: 1
+ type: string
+ - jsonPath: .status.reason
+ name: Reason
+ priority: 1
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+ name: Age
+ type: date
+ schema:
+ openAPIV3Schema:
+ description: Order is a type to represent an Order with an ACME server
+ type: object
+ required:
+ - metadata
+ - spec
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ type: object
+ required:
+ - issuerRef
+ - request
+ properties:
+ commonName:
+ description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR.
+ type: string
+ dnsNames:
+ description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
+ type: array
+ items:
+ type: string
+ duration:
+ description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec.
+ type: string
+ ipAddresses:
+ description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR.
+ type: array
+ items:
+ type: string
+ issuerRef:
+ description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
+ type: object
+ required:
+ - name
+ properties:
+ group:
+ description: Group of the resource being referred to.
+ type: string
+ kind:
+ description: Kind of the resource being referred to.
+ type: string
+ name:
+ description: Name of the resource being referred to.
+ type: string
+ request:
+ description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
+ type: string
+ format: byte
+ status:
+ type: object
+ properties:
+ authorizations:
+ description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order.
+ type: array
+ items:
+ description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.
+ type: object
+ required:
+ - url
+ properties:
+ challenges:
+ description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process.
+ type: array
+ items:
+ description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.
+ type: object
+ required:
+ - token
+ - type
+ - url
+ properties:
+ token:
+ description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented.
+ type: string
+ type:
+ description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored.
+ type: string
+ url:
+ description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server.
+ type: string
+ identifier:
+ description: Identifier is the DNS name to be validated as part of this authorization
+ type: string
+ initialState:
+ description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created.
+ type: string
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ url:
+ description: URL is the URL of the Authorization that must be completed
+ type: string
+ wildcard:
+ description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'.
+ type: boolean
+ certificate:
+ description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
+ type: string
+ format: byte
+ failureTime:
+ description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
+ type: string
+ format: date-time
+ finalizeURL:
+ description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
+ type: string
+ reason:
+ description: Reason optionally provides more information about a why the order is in the current state.
+ type: string
+ state:
+ description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
+ type: string
+ enum:
+ - valid
+ - ready
+ - pending
+ - processing
+ - invalid
+ - expired
+ - errored
+ url:
+ description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
+ type: string
+ served: true
+ storage: true
+---
+# Source: cert-manager/templates/cainjector-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: true
+metadata:
+ name: cert-manager-cainjector
+ namespace: cert-manager
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cainjector"
+ app.kubernetes.io/version: "v1.14.0"
+---
+# Source: cert-manager/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: true
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+---
+# Source: cert-manager/templates/webhook-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: true
+metadata:
+ name: cert-manager-webhook
+ namespace: cert-manager
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+---
+# Source: cert-manager/templates/cainjector-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-cainjector
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cainjector"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "create", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["apiregistration.k8s.io"]
+ resources: ["apiservices"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Issuer controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-issuers
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["issuers", "issuers/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["issuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# ClusterIssuer controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-clusterissuers
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers", "clusterissuers/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Certificates controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-certificates
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
+ verbs: ["get", "list", "watch"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates/finalizers", "certificaterequests/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders"]
+ verbs: ["create", "delete", "get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Orders controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-orders
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders", "orders/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders", "challenges"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers", "issuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges"]
+ verbs: ["create", "delete"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["orders/finalizers"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Challenges controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-challenges
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ # Use to update challenge resource status
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges", "challenges/status"]
+ verbs: ["update", "patch"]
+ # Used to watch challenge resources
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges"]
+ verbs: ["get", "list", "watch"]
+ # Used to watch challenges, issuer and clusterissuer resources
+ - apiGroups: ["cert-manager.io"]
+ resources: ["issuers", "clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ # Need to be able to retrieve ACME account private key to complete challenges
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ # Used to create events
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+ # HTTP01 rules
+ - apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch", "create", "delete", "update"]
+ - apiGroups: [ "gateway.networking.k8s.io" ]
+ resources: [ "httproutes" ]
+ verbs: ["get", "list", "watch", "create", "delete", "update"]
+ # We require the ability to specify a custom hostname when we are creating
+ # new ingress resources.
+ # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
+ - apiGroups: ["route.openshift.io"]
+ resources: ["routes/custom-host"]
+ verbs: ["create"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges/finalizers"]
+ verbs: ["update"]
+ # DNS01 rules (duplicated above)
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# ingress-shim controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-ingress-shim
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests"]
+ verbs: ["create", "update", "delete"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+ # admission controller enabled:
+ # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["gateways", "httproutes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["gateways/finalizers", "httproutes/finalizers"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-cluster-view
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+ rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["clusterissuers"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-view
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges", "orders"]
+ verbs: ["get", "list", "watch"]
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-edit
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "certificaterequests", "issuers"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates/status"]
+ verbs: ["update"]
+ - apiGroups: ["acme.cert-manager.io"]
+ resources: ["challenges", "orders"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-approve:cert-manager-io
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cert-manager"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["signers"]
+ verbs: ["approve"]
+ resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+---
+# Source: cert-manager/templates/rbac.yaml
+# Permission to:
+# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
+# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-controller-certificatesigningrequests
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cert-manager"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ - apiGroups: ["certificates.k8s.io"]
+ resources: ["certificatesigningrequests"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources: ["certificatesigningrequests/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources: ["signers"]
+ resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+ verbs: ["sign"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+---
+# Source: cert-manager/templates/webhook-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-webhook:subjectaccessreviews
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+- apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+---
+# Source: cert-manager/templates/cainjector-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-cainjector
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cainjector"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-cainjector
+subjects:
+ - name: cert-manager-cainjector
+ namespace: cert-manager
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-issuers
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-issuers
+subjects:
+ - name: cert-manager
+ namespace: cert-manager
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-clusterissuers
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-clusterissuers
+subjects:
+ - name: cert-manager
+ namespace: cert-manager
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-certificates
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-certificates
+subjects:
+ - name: cert-manager
+ namespace: cert-manager
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-orders
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-orders
+subjects:
+ - name: cert-manager
+ namespace: cert-manager
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-challenges
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-challenges
+subjects:
+ - name: cert-manager
+ namespace: cert-manager
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-ingress-shim
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-ingress-shim
+subjects:
+ - name: cert-manager
+ namespace: cert-manager
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-approve:cert-manager-io
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cert-manager"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-approve:cert-manager-io
+subjects:
+ - name: cert-manager
+ namespace: cert-manager
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-controller-certificatesigningrequests
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cert-manager"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-controller-certificatesigningrequests
+subjects:
+ - name: cert-manager
+ namespace: cert-manager
+ kind: ServiceAccount
+---
+# Source: cert-manager/templates/webhook-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-webhook:subjectaccessreviews
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-webhook:subjectaccessreviews
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-webhook
+ namespace: cert-manager
+---
+# Source: cert-manager/templates/cainjector-rbac.yaml
+# leader election rules
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cert-manager-cainjector:leaderelection
+ namespace: kube-system
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cainjector"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ # Used for leader election by the controller
+ # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
+ # see cmd/cainjector/start.go#L113
+ # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
+ # see cmd/cainjector/start.go#L137
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
+ verbs: ["get", "update", "patch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create"]
+---
+# Source: cert-manager/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cert-manager:leaderelection
+ namespace: kube-system
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ resourceNames: ["cert-manager-controller"]
+ verbs: ["get", "update", "patch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create"]
+---
+# Source: cert-manager/templates/webhook-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cert-manager-webhook:dynamic-serving
+ namespace: cert-manager
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames:
+ - 'cert-manager-webhook-ca'
+ verbs: ["get", "list", "watch", "update"]
+# It's not possible to grant CREATE permission on a single resourceName.
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+---
+# Source: cert-manager/templates/cainjector-rbac.yaml
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cert-manager-cainjector:leaderelection
+ namespace: kube-system
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cainjector"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cert-manager-cainjector:leaderelection
+subjects:
+ - kind: ServiceAccount
+ name: cert-manager-cainjector
+ namespace: cert-manager
+---
+# Source: cert-manager/templates/rbac.yaml
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cert-manager:leaderelection
+ namespace: kube-system
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cert-manager:leaderelection
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager
+ namespace: cert-manager
+---
+# Source: cert-manager/templates/webhook-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cert-manager-webhook:dynamic-serving
+ namespace: cert-manager
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cert-manager-webhook:dynamic-serving
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager-webhook
+ namespace: cert-manager
+---
+# Source: cert-manager/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ type: ClusterIP
+ ports:
+ - protocol: TCP
+ port: 9402
+ name: tcp-prometheus-servicemonitor
+ targetPort: 9402
+ selector:
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+---
+# Source: cert-manager/templates/webhook-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: cert-manager-webhook
+ namespace: cert-manager
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ type: ClusterIP
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: "https"
+ selector:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+---
+# Source: cert-manager/templates/cainjector-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager-cainjector
+ namespace: cert-manager
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cainjector"
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ replicas: 1
+ revisionHistoryLimit:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cainjector"
+ template:
+ metadata:
+ labels:
+ app: cainjector
+ app.kubernetes.io/name: cainjector
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "cainjector"
+ app.kubernetes.io/version: "v1.14.0"
+ spec:
+ serviceAccountName: cert-manager-cainjector
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: cert-manager-cainjector
+ image: "quay.io/jetstack/cert-manager-cainjector:v1.14.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --leader-election-namespace=kube-system
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ nodeSelector:
+ kubernetes.io/os: linux
+---
+# Source: cert-manager/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ replicas: 1
+ revisionHistoryLimit:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ template:
+ metadata:
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ app.kubernetes.io/version: "v1.14.0"
+ annotations:
+ prometheus.io/path: "/metrics"
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9402'
+ spec:
+ serviceAccountName: cert-manager
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: cert-manager-controller
+ image: "quay.io/jetstack/cert-manager-controller:v1.14.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --cluster-resource-namespace=$(POD_NAMESPACE)
+ - --leader-election-namespace=kube-system
+ - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.14.0
+ - --max-concurrent-challenges=60
+ ports:
+ - containerPort: 9402
+ name: http-metrics
+ protocol: TCP
+ - containerPort: 9403
+ name: http-healthz
+ protocol: TCP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ # LivenessProbe settings are based on those used for the Kubernetes
+ # controller-manager. See:
+ # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
+ livenessProbe:
+ httpGet:
+ port: http-healthz
+ path: /livez
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 8
+ nodeSelector:
+ kubernetes.io/os: linux
+---
+# Source: cert-manager/templates/webhook-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cert-manager-webhook
+ namespace: cert-manager
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+spec:
+ replicas: 1
+ revisionHistoryLimit:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ template:
+ metadata:
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+ spec:
+ serviceAccountName: cert-manager-webhook
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: cert-manager-webhook
+ image: "quay.io/jetstack/cert-manager-webhook:v1.14.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --v=2
+ - --secure-port=10250
+ - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
+ - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
+ - --dynamic-serving-dns-names=cert-manager-webhook
+ - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
+ - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
+
+ ports:
+ - name: https
+ protocol: TCP
+ containerPort: 10250
+ - name: healthcheck
+ protocol: TCP
+ containerPort: 6080
+ livenessProbe:
+ httpGet:
+ path: /livez
+ port: 6080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 6080
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ nodeSelector:
+ kubernetes.io/os: linux
+---
+# Source: cert-manager/templates/webhook-mutating-webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: cert-manager-webhook
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+ annotations:
+ cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+webhooks:
+ - name: webhook.cert-manager.io
+ rules:
+ - apiGroups:
+ - "cert-manager.io"
+ apiVersions:
+ - "v1"
+ operations:
+ - CREATE
+ resources:
+ - "certificaterequests"
+ admissionReviewVersions: ["v1"]
+ # This webhook only accepts v1 cert-manager resources.
+ # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
+ # this webhook (after the resources have been converted to v1).
+ matchPolicy: Equivalent
+ timeoutSeconds: 30
+ failurePolicy: Fail
+ # Only include 'sideEffects' field in Kubernetes 1.12+
+ sideEffects: None
+ clientConfig:
+ service:
+ name: cert-manager-webhook
+ namespace: cert-manager
+ path: /mutate
+---
+# Source: cert-manager/templates/webhook-validating-webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: cert-manager-webhook
+ labels:
+ app: webhook
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "webhook"
+ app.kubernetes.io/version: "v1.14.0"
+ annotations:
+ cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
+webhooks:
+ - name: webhook.cert-manager.io
+ namespaceSelector:
+ matchExpressions:
+ - key: cert-manager.io/disable-validation
+ operator: NotIn
+ values:
+ - "true"
+ rules:
+ - apiGroups:
+ - "cert-manager.io"
+ - "acme.cert-manager.io"
+ apiVersions:
+ - "v1"
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - "*/*"
+ admissionReviewVersions: ["v1"]
+ # This webhook only accepts v1 cert-manager resources.
+ # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
+ # this webhook (after the resources have been converted to v1).
+ matchPolicy: Equivalent
+ timeoutSeconds: 30
+ failurePolicy: Fail
+ sideEffects: None
+ clientConfig:
+ service:
+ name: cert-manager-webhook
+ namespace: cert-manager
+ path: /validate
diff --git a/helm/deploy/manager_prod.yaml b/helm/deploy/manager_prod.yaml
index 2b2e839bf3b..35f385dd4e6 100644
--- a/helm/deploy/manager_prod.yaml
+++ b/helm/deploy/manager_prod.yaml
@@ -40,3 +40,9 @@ scylla:
requests:
cpu: 1
memory: 200Mi
+ placement:
+ tolerations:
+ - key: scylla-operator.scylladb.com/dedicated
+ operator: Equal
+ value: scyllaclusters
+ effect: NoSchedule