Module issuers

Modules

prelude 🔒

Structs

Issuer
Auto-generated derived type for IssuerSpec via CustomResource
IssuerAcme
ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.
IssuerAcmeExternalAccountBinding
ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
IssuerAcmeExternalAccountBindingKeySecretRef
keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The key is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret must be un-padded, base64 URL encoded data.
IssuerAcmePrivateKeySecretRef
PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a key may be specified to select a specific entry within the named Secret resource. If key is not specified, a default of tls.key will be used.
IssuerAcmeSolvers
An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.
IssuerAcmeSolversDns01
Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.
IssuerAcmeSolversDns01AcmeDns
Use the ‘ACME DNS’ (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.
IssuerAcmeSolversDns01AcmeDnsAccountSecretRef
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
IssuerAcmeSolversDns01Akamai
Use the Akamai DNS zone management API to manage DNS01 challenge records.
IssuerAcmeSolversDns01AkamaiAccessTokenSecretRef
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
IssuerAcmeSolversDns01AkamaiClientSecretSecretRef
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
IssuerAcmeSolversDns01AkamaiClientTokenSecretRef
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
IssuerAcmeSolversDns01AzureDns
Use the Microsoft Azure DNS API to manage DNS01 challenge records.
IssuerAcmeSolversDns01AzureDnsClientSecretSecretRef
Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.
IssuerAcmeSolversDns01AzureDnsManagedIdentity
Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity. If set, ClientID, ClientSecret and TenantID must not be set.
IssuerAcmeSolversDns01CloudDns
Use the Google Cloud DNS API to manage DNS01 challenge records.
IssuerAcmeSolversDns01CloudDnsServiceAccountSecretRef
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
IssuerAcmeSolversDns01Cloudflare
Use the Cloudflare API to manage DNS01 challenge records.
IssuerAcmeSolversDns01CloudflareApiKeySecretRef
API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.
IssuerAcmeSolversDns01CloudflareApiTokenSecretRef
API token used to authenticate with Cloudflare.
IssuerAcmeSolversDns01Digitalocean
Use the DigitalOcean DNS API to manage DNS01 challenge records.
IssuerAcmeSolversDns01DigitaloceanTokenSecretRef
A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.
IssuerAcmeSolversDns01Rfc2136
Use RFC2136 (“Dynamic Updates in the Domain Name System”) (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.
IssuerAcmeSolversDns01Rfc2136TsigSecretSecretRef
The name of the secret containing the TSIG value. If tsigKeyName is defined, this field is required.
IssuerAcmeSolversDns01Route53
Use the AWS Route53 API to manage DNS01 challenge records.
IssuerAcmeSolversDns01Route53AccessKeyIdSecretRef
The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
IssuerAcmeSolversDns01Route53Auth
Auth configures how cert-manager authenticates.
IssuerAcmeSolversDns01Route53AuthKubernetes
Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity by passing a bound ServiceAccount token.
IssuerAcmeSolversDns01Route53AuthKubernetesServiceAccountRef
A reference to a service account that will be used to request a bound token (also known as “projected token”). To use this field, you must configure an RBAC rule to let cert-manager request a token.
IssuerAcmeSolversDns01Route53SecretAccessKeySecretRef
The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
IssuerAcmeSolversDns01Webhook
Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.
IssuerAcmeSolversHttp01
Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. *.example.com) using the HTTP01 challenge mechanism.
IssuerAcmeSolversHttp01GatewayHttpRoute
The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.
IssuerAcmeSolversHttp01GatewayHttpRouteParentRefs
ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with “Core” support:
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplate
Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateMetadata
ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the ‘labels’ and ‘annotations’ fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpec
PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinity
If specified, the pod’s scheduling constraints
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinity
Describes node affinity scheduling rules for the pod.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution
An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it’s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference
A node selector term, associated with the corresponding weight.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution
If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms
A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinity
Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm
Required. A pod affinity term, associated with the corresponding weight.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector
A label query over a set of resources, in this case pods. If it’s null, this PodAffinityTerm matches with no Pods.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution
Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector
A label query over a set of resources, in this case pods. If it’s null, this PodAffinityTerm matches with no Pods.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinity
Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm
Required. A pod affinity term, associated with the corresponding weight.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector
A label query over a set of resources, in this case pods. If it’s null, this PodAffinityTerm matches with no Pods.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution
Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector
A label query over a set of resources, in this case pods. If it’s null, this PodAffinityTerm matches with no Pods.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecImagePullSecrets
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContext
If specified, the pod’s security context
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeLinuxOptions
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeccompProfile
The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSysctls
Sysctl defines a kernel parameter to be set
IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecTolerations
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
IssuerAcmeSolversHttp01Ingress
The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for ‘/.well-known/acme-challenge/XYZ’ to ‘challenge solver’ pods that are provisioned by cert-manager for each Challenge to be completed.
IssuerAcmeSolversHttp01IngressIngressTemplate
Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.
IssuerAcmeSolversHttp01IngressIngressTemplateMetadata
ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the ‘labels’ and ‘annotations’ fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
IssuerAcmeSolversHttp01IngressPodTemplate
Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
IssuerAcmeSolversHttp01IngressPodTemplateMetadata
ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the ‘labels’ and ‘annotations’ fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.
IssuerAcmeSolversHttp01IngressPodTemplateSpec
PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinity
If specified, the pod’s scheduling constraints
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity
Describes node affinity scheduling rules for the pod.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution
An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it’s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference
A node selector term, associated with the corresponding weight.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution
If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms
A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields
A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity
Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm
Required. A pod affinity term, associated with the corresponding weight.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector
A label query over a set of resources, in this case pods. If it’s null, this PodAffinityTerm matches with no Pods.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution
Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector
A label query over a set of resources, in this case pods. If it’s null, this PodAffinityTerm matches with no Pods.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity
Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm
Required. A pod affinity term, associated with the corresponding weight.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector
A label query over a set of resources, in this case pods. If it’s null, this PodAffinityTerm matches with no Pods.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution
Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector
A label query over a set of resources, in this case pods. If it’s null, this PodAffinityTerm matches with no Pods.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector
A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means “this pod’s namespace”. An empty selector ({}) matches all namespaces.
IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
IssuerAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContext
If specified, the pod’s security context
IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile
The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls
Sysctl defines a kernel parameter to be set
IssuerAcmeSolversHttp01IngressPodTemplateSpecTolerations
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
IssuerAcmeSolversSelector
Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the ‘default’ solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.
IssuerCa
CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager.
IssuerSelfSigned
SelfSigned configures this issuer to ‘self sign’ certificates using the private key used to create the CertificateRequest object.
IssuerSpec
Desired state of the Issuer resource.
IssuerStatus
Status of the Issuer. This is set and managed automatically.
IssuerStatusAcme
ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates.
IssuerVault
Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend.
IssuerVaultAuth
Auth configures how cert-manager authenticates with the Vault server.
IssuerVaultAuthAppRole
AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
IssuerVaultAuthAppRoleSecretRef
Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The key field must be specified and denotes which entry within the Secret resource is used as the app role secret.
IssuerVaultAuthClientCertificate
ClientCertificate authenticates with Vault by presenting a client certificate during the request’s TLS handshake. Works only when using HTTPS protocol.
IssuerVaultAuthKubernetes
Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
IssuerVaultAuthKubernetesSecretRef
The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of ‘ambient credentials’ is not supported.
IssuerVaultAuthKubernetesServiceAccountRef
A reference to a service account that will be used to request a bound token (also known as “projected token”). Compared to using “secretRef”, using this field means that you don’t rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.
IssuerVaultAuthTokenSecretRef
TokenSecretRef authenticates with Vault by presenting a token.
IssuerVaultCaBundleSecretRef
Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to ‘ca.crt’.
IssuerVaultClientCertSecretRef
Reference to a Secret containing a PEM-encoded Client Certificate to use when the Vault server requires mTLS.
IssuerVaultClientKeySecretRef
Reference to a Secret containing a PEM-encoded Client Private Key to use when the Vault server requires mTLS.
IssuerVenafi
Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.
IssuerVenafiCloud
Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.
IssuerVenafiCloudApiTokenSecretRef
APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
IssuerVenafiTpp
TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.
IssuerVenafiTppCaBundleSecretRef
Reference to a Secret containing a base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.
IssuerVenafiTppCredentialsRef
CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. The secret must contain the key ‘access-token’ for the Access Token Authentication, or two keys, ‘username’ and ‘password’ for the API Keys Authentication.

Enums

IssuerAcmeExternalAccountBindingKeyAlgorithm
ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.
IssuerAcmeSolversDns01AzureDnsEnvironment
Use the Microsoft Azure DNS API to manage DNS01 challenge records.
IssuerAcmeSolversDns01CnameStrategy
Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.