ExternalAccountBinding is a reference to a CA external account of the ACME
server.
If set, upon registration cert-manager will attempt to associate the given
external account credentials with the registered ACME account.
keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
Secret which holds the symmetric MAC key of the External Account Binding.
The key is the index string that is paired with the key data in the
Secret and should not be confused with the key data itself, or indeed with
the External Account Binding keyID above.
The secret key stored in the Secret must be un-padded, base64 URL
encoded data.
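As an added example (not cert-manager's own code) of what that MAC key is for: it signs the JWS that binds the new ACME account key to the CA's external account (RFC 8555 section 7.3.4), and the key is decoded exactly as the Secret must store it, rejecting padded or standard-base64 input. The key ID, URL, JWK and key bytes below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import re

_B64URL_UNPADDED = re.compile(r"[A-Za-z0-9_-]+")

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used by JWS and by the EAB Secret."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def is_valid_eab_mac_key(encoded: str) -> bool:
    """True only for un-padded base64url: rejects '=' padding and the '+' and '/'
    of standard base64, the usual ways a key ends up stored wrongly."""
    return bool(encoded) and _B64URL_UNPADDED.fullmatch(encoded) is not None

def b64url_decode(encoded: str) -> bytes:
    if not is_valid_eab_mac_key(encoded):
        raise ValueError("expected un-padded base64url data")
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))

def build_eab_jws(key_id: str, mac_key: str, new_account_url: str, account_jwk: dict) -> dict:
    """externalAccountBinding for the newAccount request (RFC 8555 section 7.3.4):
    the CA-issued MAC key signs the ACME account's public JWK, binding the new
    ACME account to the pre-existing external account."""
    header = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(mac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab_jws(jws: dict, mac_key: str, key_id: str, new_account_url: str, account_jwk: dict) -> bool:
    """The CA's check: header names this key ID and URL, payload is the account
    key being registered, and the MAC verifies (constant-time comparison)."""
    if json.loads(b64url_decode(jws["protected"])) != {"alg": "HS256", "kid": key_id, "url": new_account_url}:
        return False
    if json.loads(b64url_decode(jws["payload"])) != account_jwk:
        return False
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(mac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(b64url_decode(jws["signature"]), expected)

# Constructed sample values (not real CA credentials).
EXAMPLE_KEY_ID = "constructed-eab-kid"
EXAMPLE_MAC_KEY = b64url(b"constructed-mac-key-0123456789ab")  # the Secret's data item
EXAMPLE_NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"
EXAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
```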
PrivateKey is the name of a Kubernetes Secret resource that will be used to
store the automatically generated ACME account private key.
Optionally, a key may be specified to select a specific entry within
the named Secret resource.
If key is not specified, a default of tls.key will be used.
An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
A selector may be provided to use different solving strategies for different DNS names.
Exactly one of HTTP01 or DNS01 must be provided.
Auth: Azure Service Principal:
A reference to a Secret containing the password associated with the Service Principal.
If set, ClientID and TenantID must also be set.
Auth: Azure Workload Identity or Azure Managed Service Identity:
Settings to enable Azure Workload Identity or Azure Managed Service Identity.
If set, ClientID, ClientSecret and TenantID must not be set.
API key to use to authenticate with Cloudflare.
Note: using an API token to authenticate is now the recommended method
as it allows greater control of permissions.
The SecretAccessKey is used for authentication. If set, pull the AWS
access key ID from a key within a Kubernetes Secret.
Cannot be set when AccessKeyID is set.
If neither the Access Key nor Key ID are set, we fall back to using environment
variables, the shared credentials file or AWS instance metadata;
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
A reference to a service account that will be used to request a bound
token (also known as “projected token”). To use this field, you must
configure an RBAC rule to let cert-manager request a token.
The SecretAccessKey is used for authentication.
If neither the Access Key nor Key ID are set, we fall back to using environment
variables, the shared credentials file or AWS instance metadata;
see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
Configures cert-manager to attempt to complete authorizations by
performing the HTTP01 challenge flow.
It is not possible to obtain certificates for wildcard domain names
(e.g. *.example.com) using the HTTP01 challenge mechanism.
The Gateway API is a sig-network community API that models service networking
in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
create HTTPRoutes with the specified labels in the same namespace as the challenge.
This solver is experimental, and fields / behaviour may change in the future.
ParentReference identifies an API object (usually a Gateway) that can be considered
a parent of this resource (usually a route). There are two kinds of parent resources
with “Core” support:
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
Only the ‘labels’ and ‘annotations’ fields may be set.
If labels or annotations overlap with in-built values, the values here
will override the in-built values.
PodSpec defines overrides for the HTTP01 challenge solver pod.
Check ACMEChallengeSolverHTTP01IngressPodSpec for the currently supported fields.
All other fields will be ignored.
An empty preferred scheduling term matches all objects with implicit weight 0
(i.e. it’s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to an update), the system
may or may not try to eventually evict the pod from its node.
A null or empty node selector term matches no objects. Their requirements
are ANDed.
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key topologyKey matches that of any node on which
a pod of the set of pods is running.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key topologyKey matches that of any node on which
a pod of the set of pods is running.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
The ingress based HTTP01 challenge solver will solve challenges by
creating or modifying Ingress resources in order to route requests for
‘/.well-known/acme-challenge/XYZ’ to ‘challenge solver’ pods that are
provisioned by cert-manager for each Challenge to be completed.
ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
Only the ‘labels’ and ‘annotations’ fields may be set.
If labels or annotations overlap with in-built values, the values here
will override the in-built values.
ObjectMeta overrides for the pod used to solve HTTP01 challenges.
Only the ‘labels’ and ‘annotations’ fields may be set.
If labels or annotations overlap with in-built values, the values here
will override the in-built values.
PodSpec defines overrides for the HTTP01 challenge solver pod.
Check ACMEChallengeSolverHTTP01IngressPodSpec for the currently supported fields.
All other fields will be ignored.
An empty preferred scheduling term matches all objects with implicit weight 0
(i.e. it’s a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to an update), the system
may or may not try to eventually evict the pod from its node.
A null or empty node selector term matches no objects. Their requirements
are ANDed.
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key topologyKey matches that of any node on which
a pod of the set of pods is running.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key topologyKey matches that of any node on which
a pod of the set of pods is running.
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means “this pod’s namespace”.
An empty selector ({}) matches all namespaces.
The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
Selector selects a set of DNSNames on the Certificate resource that
should be solved using this challenge solver.
If not specified, the solver will be treated as the ‘default’ solver
with the lowest priority, i.e. if any other solver has a more specific
match, it will be used instead.
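An added Python model of how a solver is chosen for a DNS name, not cert-manager's implementation: it assumes that an exact dnsNames match beats a dnsZones match, a longer matching zone beats a shorter one, a solver whose matchLabels all match the Certificate's labels beats one with fewer labels, and a solver with no selector is the lowest-priority default. The solver names, zones and labels are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Solver:  # one entry of spec.acme.solvers with its optional selector
    name: str
    dns_names: list = field(default_factory=list)
    dns_zones: list = field(default_factory=list)
    match_labels: dict = field(default_factory=dict)

    def is_default(self) -> bool:
        return not (self.dns_names or self.dns_zones or self.match_labels)

def _zone_match(dns_name: str, zone: str) -> bool:
    """A zone matches the zone apex itself and any name under it."""
    n, z = dns_name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def solver_score(solver: Solver, dns_name: str, cert_labels: dict):
    """Specificity tuple if the solver applies to dns_name, else None. Assumed
    order (simplified model): exact dnsNames, longest dnsZone, label count."""
    if any(cert_labels.get(k) != v for k, v in solver.match_labels.items()):
        return None  # every matchLabels entry must be present on the Certificate
    if solver.is_default():
        return (0, 0, 0)  # no selector at all: lowest-priority fallback
    name = dns_name.lower().rstrip(".")
    exact = name in {n.lower().rstrip(".") for n in solver.dns_names}
    zones = [len(z) for z in solver.dns_zones if _zone_match(name, z)]
    if (solver.dns_names or solver.dns_zones) and not (exact or zones):
        return None  # the selector names domains and none of them match
    return (int(exact), max(zones, default=0), len(solver.match_labels))

def choose_solver(solvers: list, dns_name: str, cert_labels: dict = None):
    """Name of the most specific applicable solver; earlier entries win ties."""
    cert_labels = cert_labels or {}
    best = None
    for s in solvers:
        score = solver_score(s, dns_name, cert_labels)
        if score is not None and (best is None or score > best[0]):
            best = (score, s.name)
    return best[1] if best else None

# Constructed sample solver list (names and zones are placeholders).
EXAMPLE_SOLVERS = [
    Solver("http01-default"),
    Solver("dns01-example-zone", dns_zones=["example.test"]),
    Solver("dns01-internal-zone", dns_zones=["internal.example.test"]),
    Solver("http01-www-exact", dns_names=["www.example.test"]),
    Solver("dns01-team-a", dns_zones=["example.test"], match_labels={"team": "a"}),
]
```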
CA configures this issuer to sign certificates using a signing CA keypair
stored in a Secret resource.
This is used to build internal PKIs that are managed by cert-manager.
Reference to a key in a Secret that contains the App Role secret used
to authenticate with Vault.
The key field must be specified and denotes which entry within the Secret
resource is used as the app role secret.
ClientCertificate authenticates with Vault by presenting a client
certificate during the request’s TLS handshake.
Works only when using the HTTPS protocol.
The required Secret field containing a Kubernetes ServiceAccount JWT used
for authenticating with Vault. Use of ‘ambient credentials’ is not
supported.
A reference to a service account that will be used to request a bound
token (also known as “projected token”). Compared to using “secretRef”,
using this field means that you don’t rely on statically bound tokens. To
use this field, you must configure an RBAC rule to let cert-manager
request a token.
Reference to a Secret containing a bundle of PEM-encoded CAs to use when
verifying the certificate chain presented by Vault when using HTTPS.
Mutually exclusive with CABundle.
If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
the cert-manager controller container is used to validate the TLS connection.
If no key for the Secret is specified, cert-manager will default to ‘ca.crt’.
Reference to a Secret containing a base64-encoded bundle of PEM CAs
which will be used to validate the certificate chain presented by the TPP server.
Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
the cert-manager controller container is used to validate the TLS connection.
CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
The secret must contain the key ‘access-token’ for the Access Token Authentication,
or two keys, ‘username’ and ‘password’ for the API Keys Authentication.