Auto-generated derived type for IssuerSpec via CustomResource
ACME configures this issuer to communicate with an RFC8555 (ACME) server
to obtain signed x509 certificates.
ExternalAccountBinding is a reference to a CA external account of the ACME
server.
If set, upon registration cert-manager will attempt to associate the given
external account credentials with the registered ACME account.
keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
Secret which holds the symmetric MAC key of the External Account Binding.
The key is the index string that is paired with the key data in the
Secret and should not be confused with the key data itself, or indeed with
the External Account Binding keyID above.
The secret key stored in the Secret must be un-padded, base64 URL
encoded data.
PrivateKey is the name of a Kubernetes Secret resource that will be used to
store the automatically generated ACME account private key.
Optionally, a key may be specified to select a specific entry within
the named Secret resource.
If key is not specified, a default of tls.key will be used.
An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
A selector may be provided to use different solving strategies for different DNS names.
Only one of HTTP01 or DNS01 must be provided.
Configures cert-manager to attempt to complete authorizations by
performing the DNS01 challenge flow.
Use the ‘ACME DNS’ (https://github.com/joohoi/acme-dns) API to manage
DNS01 challenge records.
A reference to a specific ‘key’ within a Secret resource.
In some instances, key is a required field.
Use the Akamai DNS zone management API to manage DNS01 challenge records.
A reference to a specific ‘key’ within a Secret resource.
In some instances, key is a required field.
A reference to a specific ‘key’ within a Secret resource.
In some instances, key is a required field.
A reference to a specific ‘key’ within a Secret resource.
In some instances, key is a required field.
Use the Microsoft Azure DNS API to manage DNS01 challenge records.
Auth: Azure Service Principal:
A reference to a Secret containing the password associated with the Service Principal.
If set, ClientID and TenantID must also be set.
Auth: Azure Workload Identity or Azure Managed Service Identity:
Settings to enable Azure Workload Identity or Azure Managed Service Identity.
If set, ClientID, ClientSecret and TenantID must not be set.
Use the Google Cloud DNS API to manage DNS01 challenge records.
A reference to a specific ‘key’ within a Secret resource.
In some instances, key is a required field.
Use the Cloudflare API to manage DNS01 challenge records.
API key to use to authenticate with Cloudflare.
Note: using an API token to authenticate is now the recommended method
as it allows greater control of permissions.
API token used to authenticate with Cloudflare.
Use the DigitalOcean DNS API to manage DNS01 challenge records.
A reference to a specific ‘key’ within a Secret resource.
In some instances, key is a required field.
Use RFC2136 (“Dynamic Updates in the Domain Name System”) (https://datatracker.ietf.org/doc/rfc2136/)
to manage DNS01 challenge records.
The name of the secret containing the TSIG value.
If tsigKeyName is defined, this field is required.
Use the AWS Route53 API to manage DNS01 challenge records.
The SecretAccessKey is used for authentication. If set, the AWS
access key ID is pulled from a key within a Kubernetes Secret.
Cannot be set when AccessKeyID is set.
If neither the Access Key nor Key ID are set, we fall back to using env
vars, the shared credentials file or AWS instance metadata,
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
Auth configures how cert-manager authenticates.
Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
by passing a bound ServiceAccount token.
A reference to a service account that will be used to request a bound
token (also known as “projected token”). To use this field, you must
configure an RBAC rule to let cert-manager request a token.
The SecretAccessKey is used for authentication.
If neither the Access Key nor Key ID are set, we fall back to using env
vars, the shared credentials file or AWS instance metadata,
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
Configure an external webhook based DNS01 challenge solver to manage
DNS01 challenge records.
Configures cert-manager to attempt to complete authorizations by
performing the HTTP01 challenge flow.
It is not possible to obtain certificates for wildcard domain names
(e.g. *.example.com) using the HTTP01 challenge mechanism.
The Gateway API is a sig-network community API that models service networking
in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
create HTTPRoutes with the specified labels in the same namespace as the challenge.
This solver is experimental, and fields / behaviour may change in the future.
ParentReference identifies an API object (usually a Gateway) that can be considered
a parent of this resource (usually a route). There are two kinds of parent resources
with “Core” support:
Optional pod template used to configure the ACME challenge solver pods
used for HTTP01 challenges.
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
Only the ‘labels’ and ‘annotations’ fields may be set.
If labels or annotations overlap with in-built values, the values here
will override the in-built values.
PodSpec defines overrides for the HTTP01 challenge solver pod.
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out which fields are currently supported.
All other fields will be ignored.
If specified, the pod’s scheduling constraints
Describes node affinity scheduling rules for the pod.
An empty preferred scheduling term matches all objects with implicit weight 0
(i.e. it’s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
A node selector term, associated with the corresponding weight.
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to an update), the system
may or may not try to eventually evict the pod from its node.
A null or empty node selector term matches no objects. The requirements
within a term are ANDed.
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s).
Required. A pod affinity term, associated with the corresponding weight.
A label query over a set of resources, in this case pods.
If it’s null, this PodAffinityTerm matches with no Pods.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key matches that of any node on which
a pod of the set of pods is running.
A label query over a set of resources, in this case pods.
If it’s null, this PodAffinityTerm matches with no Pods.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s).
Required. A pod affinity term, associated with the corresponding weight.
A label query over a set of resources, in this case pods.
If it’s null, this PodAffinityTerm matches with no Pods.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key matches that of any node on which
a pod of the set of pods is running.
A label query over a set of resources, in this case pods.
If it’s null, this PodAffinityTerm matches with no Pods.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
If specified, the pod’s security context
The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
The seccomp options to use by the containers in this pod.
Note that this field cannot be set when spec.os.name is windows.
Sysctl defines a kernel parameter to be set.
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator.
The ingress based HTTP01 challenge solver will solve challenges by
creating or modifying Ingress resources in order to route requests for
‘/.well-known/acme-challenge/XYZ’ to ‘challenge solver’ pods that are
provisioned by cert-manager for each Challenge to be completed.
Optional ingress template used to configure the ACME challenge solver
ingress used for HTTP01 challenges.
ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
Only the ‘labels’ and ‘annotations’ fields may be set.
If labels or annotations overlap with in-built values, the values here
will override the in-built values.
Optional pod template used to configure the ACME challenge solver pods
used for HTTP01 challenges.
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
Only the ‘labels’ and ‘annotations’ fields may be set.
If labels or annotations overlap with in-built values, the values here
will override the in-built values.
PodSpec defines overrides for the HTTP01 challenge solver pod.
Check ACMEChallengeSolverHTTP01IngressPodSpec to find out which fields are currently supported.
All other fields will be ignored.
If specified, the pod’s scheduling constraints
Describes node affinity scheduling rules for the pod.
An empty preferred scheduling term matches all objects with implicit weight 0
(i.e. it’s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
A node selector term, associated with the corresponding weight.
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to an update), the system
may or may not try to eventually evict the pod from its node.
A null or empty node selector term matches no objects. The requirements
within a term are ANDed.
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s).
Required. A pod affinity term, associated with the corresponding weight.
A label query over a set of resources, in this case pods.
If it’s null, this PodAffinityTerm matches with no Pods.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key matches that of any node on which
a pod of the set of pods is running.
A label query over a set of resources, in this case pods.
If it’s null, this PodAffinityTerm matches with no Pods.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s).
Required. A pod affinity term, associated with the corresponding weight.
A label query over a set of resources, in this case pods.
If it’s null, this PodAffinityTerm matches with no Pods.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key matches that of any node on which
a pod of the set of pods is running.
A label query over a set of resources, in this case pods.
If it’s null, this PodAffinityTerm matches with no Pods.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
If specified, the pod’s security context
The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
The seccomp options to use by the containers in this pod.
Note that this field cannot be set when spec.os.name is windows.
Sysctl defines a kernel parameter to be set.
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator.
Selector selects a set of DNSNames on the Certificate resource that
should be solved using this challenge solver.
If not specified, the solver will be treated as the ‘default’ solver
with the lowest priority, i.e. if any other solver has a more specific
match, it will be used instead.
CA configures this issuer to sign certificates using a signing CA keypair
stored in a Secret resource.
This is used to build internal PKIs that are managed by cert-manager.
SelfSigned configures this issuer to ‘self sign’ certificates using the
private key used to create the CertificateRequest object.
Desired state of the Issuer resource.
Status of the Issuer. This is set and managed automatically.
ACME specific status options.
This field should only be set if the Issuer is configured to use an ACME
server to issue certificates.
Vault configures this issuer to sign certificates using a HashiCorp Vault
PKI backend.
Auth configures how cert-manager authenticates with the Vault server.
AppRole authenticates with Vault using the App Role auth mechanism,
with the role and secret stored in a Kubernetes Secret resource.
Reference to a key in a Secret that contains the App Role secret used
to authenticate with Vault.
The key field must be specified and denotes which entry within the Secret
resource is used as the app role secret.
ClientCertificate authenticates with Vault by presenting a client
certificate during the request’s TLS handshake.
Works only when using HTTPS protocol.
Kubernetes authenticates with Vault by passing the ServiceAccount
token stored in the named Secret resource to the Vault server.
The required Secret field containing a Kubernetes ServiceAccount JWT used
for authenticating with Vault. Use of ‘ambient credentials’ is not
supported.
A reference to a service account that will be used to request a bound
token (also known as “projected token”). Compared to using “secretRef”,
using this field means that you don’t rely on statically bound tokens. To
use this field, you must configure an RBAC rule to let cert-manager
request a token.
TokenSecretRef authenticates with Vault by presenting a token.
Reference to a Secret containing a bundle of PEM-encoded CAs to use when
verifying the certificate chain presented by Vault when using HTTPS.
Mutually exclusive with CABundle.
If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
the cert-manager controller container is used to validate the TLS connection.
If no key for the Secret is specified, cert-manager will default to ‘ca.crt’.
Reference to a Secret containing a PEM-encoded Client Certificate to use when the
Vault server requires mTLS.
Reference to a Secret containing a PEM-encoded Client Private Key to use when the
Vault server requires mTLS.
Venafi configures this issuer to sign certificates using a Venafi TPP
or Venafi Cloud policy zone.
Cloud specifies the Venafi cloud configuration settings.
Only one of TPP or Cloud may be specified.
APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
TPP specifies Trust Protection Platform configuration settings.
Only one of TPP or Cloud may be specified.
Reference to a Secret containing a base64-encoded bundle of PEM CAs
which will be used to validate the certificate chain presented by the TPP server.
Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
the cert-manager controller container is used to validate the TLS connection.
CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
The secret must contain the key ‘access-token’ for the Access Token Authentication,
or two keys, ‘username’ and ‘password’ for the API Keys Authentication.