mz_cloud_resources/crd/generated/cert_manager/issuers.rs
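// Copyright Materialize, Inc. and contributors. All rights reserved.
//
// Use of this software is governed by the Business Source License
// included in the LICENSE file.
//
// As of the Change Date specified in that file, in accordance with
// the Business Source License, use of this software will be governed
// by the Apache License, Version 2.0.

#![allow(rustdoc::all)]

// WARNING: generated by kopium - manual changes will be overwritten
// kopium command: kopium issuers.cert-manager.io --docs --smart-derive-elision --derive Default
// kopium version: 0.21.1

// Names shared by the generated types in this file. `unused_imports` is
// allowed on the module, presumably because the generator emits the same
// prelude whether or not every name ends up being referenced.
#[allow(unused_imports)]
mod prelude {
    pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
    pub use kube::CustomResource;
    pub use serde::{Deserialize, Serialize};
    pub use std::collections::BTreeMap;
}
use self::prelude::*;
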
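/// Desired state of the Issuer resource.
// NOTE(review): every issuer type below is an independent `Option`, so this
// type does not by itself prevent zero or several of them being set at once.
// Presumably cert-manager's own validation enforces a single issuer type;
// confirm before relying on it in code that builds Issuers.
#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default)]
#[kube(
    group = "cert-manager.io",
    version = "v1",
    kind = "Issuer",
    plural = "issuers"
)]
#[kube(namespaced)]
#[kube(status = "IssuerStatus")]
#[kube(schema = "disabled")]
#[kube(derive = "Default")]
pub struct IssuerSpec {
    /// ACME configures this issuer to communicate with a RFC8555 (ACME) server
    /// to obtain signed x509 certificates.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub acme: Option<IssuerAcme>,
    /// CA configures this issuer to sign certificates using a signing CA keypair
    /// stored in a Secret resource.
    /// This is used to build internal PKIs that are managed by cert-manager.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ca: Option<IssuerCa>,
    /// SelfSigned configures this issuer to 'self sign' certificates using the
    /// private key used to create the CertificateRequest object.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "selfSigned"
    )]
    pub self_signed: Option<IssuerSelfSigned>,
    /// Vault configures this issuer to sign certificates using a HashiCorp Vault
    /// PKI backend.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub vault: Option<IssuerVault>,
    /// Venafi configures this issuer to sign certificates using a Venafi TPP
    /// or Venafi Cloud policy zone.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub venafi: Option<IssuerVenafi>,
}
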
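/// ACME configures this issuer to communicate with a RFC8555 (ACME) server
/// to obtain signed x509 certificates.
// NOTE(review): the derived `Default` leaves the required fields `server` and
// `private_key_secret_ref.name` as empty strings, so a defaulted value is a
// starting point for construction, not a usable configuration.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcme {
    /// Base64-encoded bundle of PEM CAs which can be used to validate the certificate
    /// chain presented by the ACME server.
    /// Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
    /// kinds of security vulnerabilities.
    /// If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
    /// the container is used to validate the TLS connection.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// Enables or disables generating a new ACME account key.
    /// If true, the Issuer resource will *not* request a new account but will expect
    /// the account key to be supplied via an existing secret.
    /// If false, the cert-manager system will generate a new ACME account key
    /// for the Issuer.
    /// Defaults to false.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "disableAccountKeyGeneration"
    )]
    pub disable_account_key_generation: Option<bool>,
    /// Email is the email address to be associated with the ACME account.
    /// This field is optional, but it is strongly recommended to be set.
    /// It will be used to contact you in case of issues with your account or
    /// certificates, including expiry notification emails.
    /// This field may be updated after the account is initially registered.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub email: Option<String>,
    /// Enables requesting a Not After date on certificates that matches the
    /// duration of the certificate. This is not supported by all ACME servers
    /// like Let's Encrypt. If set to true when the ACME server does not support
    /// it, it will create an error on the Order.
    /// Defaults to false.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "enableDurationFeature"
    )]
    pub enable_duration_feature: Option<bool>,
    /// ExternalAccountBinding is a reference to a CA external account of the ACME
    /// server.
    /// If set, upon registration cert-manager will attempt to associate the given
    /// external account credentials with the registered ACME account.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "externalAccountBinding"
    )]
    pub external_account_binding: Option<IssuerAcmeExternalAccountBinding>,
    /// PreferredChain is the chain to use if the ACME server outputs multiple.
    /// PreferredChain is no guarantee that this one gets delivered by the ACME
    /// endpoint.
    /// For example, for Let's Encrypt's DST crosssign you would use:
    /// "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
    /// This value picks the first certificate bundle in the combined set of
    /// ACME default and alternative chains that has a root-most certificate with
    /// this value as its issuer's commonname.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "preferredChain"
    )]
    pub preferred_chain: Option<String>,
    /// PrivateKey is the name of a Kubernetes Secret resource that will be used to
    /// store the automatically generated ACME account private key.
    /// Optionally, a `key` may be specified to select a specific entry within
    /// the named Secret resource.
    /// If `key` is not specified, a default of `tls.key` will be used.
    #[serde(rename = "privateKeySecretRef")]
    pub private_key_secret_ref: IssuerAcmePrivateKeySecretRef,
    /// Server is the URL used to access the ACME server's 'directory' endpoint.
    /// For example, for Let's Encrypt's staging endpoint, you would use:
    /// "https://acme-staging-v02.api.letsencrypt.org/directory".
    /// Only ACME v2 endpoints (i.e. RFC 8555) are supported.
    // NOTE(review): a plain `String`; nothing at this layer checks the scheme
    // or shape of the URL.
    pub server: String,
    /// INSECURE: Enables or disables validation of the ACME server TLS certificate.
    /// If true, requests to the ACME server will not have the TLS certificate chain
    /// validated.
    /// Mutually exclusive with CABundle; prefer using CABundle to prevent various
    /// kinds of security vulnerabilities.
    /// Only enable this option in development environments.
    /// If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
    /// the container is used to validate the TLS connection.
    /// Defaults to false.
    // NOTE(review): the documented exclusivity with `ca_bundle` is not encoded
    // in this type; both fields can be `Some` at the same time. Code that builds
    // or audits Issuers should treat `Some(true)` here as a finding outside
    // development, and trust a private ACME CA through `ca_bundle` instead.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "skipTLSVerify"
    )]
    pub skip_tls_verify: Option<bool>,
    /// Solvers is a list of challenge solvers that will be used to solve
    /// ACME challenges for the matching domains.
    /// Solver configurations must be provided in order to obtain certificates
    /// from an ACME server.
    /// For more information, see: https://cert-manager.io/docs/configuration/acme/
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub solvers: Option<Vec<IssuerAcmeSolvers>>,
}
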
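/// ExternalAccountBinding is a reference to a CA external account of the ACME
/// server.
/// If set, upon registration cert-manager will attempt to associate the given
/// external account credentials with the registered ACME account.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeExternalAccountBinding {
    /// Deprecated: keyAlgorithm field exists for historical compatibility
    /// reasons and should not be used. The algorithm is now hardcoded to HS256
    /// in golang/x/crypto/acme.
    // Leave this as `None` when building new Issuers: the doc above states the
    // algorithm is fixed to HS256, so a value here only misleads a reader.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "keyAlgorithm"
    )]
    pub key_algorithm: Option<IssuerAcmeExternalAccountBindingKeyAlgorithm>,
    /// keyID is the ID of the CA key that the External Account is bound to.
    #[serde(rename = "keyID")]
    pub key_id: String,
    /// keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
    /// Secret which holds the symmetric MAC key of the External Account Binding.
    /// The `key` is the index string that is paired with the key data in the
    /// Secret and should not be confused with the key data itself, or indeed with
    /// the External Account Binding keyID above.
    /// The secret key stored in the Secret **must** be un-padded, base64 URL
    /// encoded data.
    // The MAC key itself never appears in this struct; only the reference to
    // the Secret that holds it does.
    #[serde(rename = "keySecretRef")]
    pub key_secret_ref: IssuerAcmeExternalAccountBindingKeySecretRef,
}
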
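/// MAC algorithm names accepted by the deprecated `keyAlgorithm` field of
/// `IssuerAcmeExternalAccountBinding`.
///
/// Each variant serializes to the upper-case name given in its `rename`
/// attribute. That field's own documentation says it should not be used and
/// that the algorithm is hardcoded to HS256.
// The generator had copied the parent struct's description onto this enum.
// The enum does not derive `Default`, unlike the structs in this file.
#[derive(Serialize, Deserialize, Clone, Debug)]
pub enum IssuerAcmeExternalAccountBindingKeyAlgorithm {
    #[serde(rename = "HS256")]
    Hs256,
    #[serde(rename = "HS384")]
    Hs384,
    #[serde(rename = "HS512")]
    Hs512,
}
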
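/// keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
/// Secret which holds the symmetric MAC key of the External Account Binding.
/// The `key` is the index string that is paired with the key data in the
/// Secret and should not be confused with the key data itself, or indeed with
/// the External Account Binding keyID above.
/// The secret key stored in the Secret **must** be un-padded, base64 URL
/// encoded data.
// Carries only the Secret's name and entry key, never the MAC key, so the
// derived `Debug` output does not contain key material.
// NOTE(review): there is no namespace field; presumably the Secret is looked
// up in the Issuer's own namespace. Confirm against cert-manager.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeExternalAccountBindingKeySecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
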
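/// PrivateKey is the name of a Kubernetes Secret resource that will be used to
/// store the automatically generated ACME account private key.
/// Optionally, a `key` may be specified to select a specific entry within
/// the named Secret resource.
/// If `key` is not specified, a default of `tls.key` will be used.
// Carries only the Secret's name and entry key, never the private key itself.
// Read access to the named Secret amounts to possession of the ACME account
// key, so RBAC on that Secret should be scoped with that in mind.
// NOTE(review): there is no namespace field; presumably the Secret is looked
// up in the Issuer's own namespace. Confirm against cert-manager.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmePrivateKeySecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
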
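/// An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
/// A selector may be provided to use different solving strategies for different DNS names.
/// Only one of HTTP01 or DNS01 must be provided.
// NOTE(review): the "only one of" rule above is not encoded here; `dns01` and
// `http01` are independent `Option`s and can both be `Some` or both `None`.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolvers {
    /// Configures cert-manager to attempt to complete authorizations by
    /// performing the DNS01 challenge flow.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub dns01: Option<IssuerAcmeSolversDns01>,
    /// Configures cert-manager to attempt to complete authorizations by
    /// performing the HTTP01 challenge flow.
    /// It is not possible to obtain certificates for wildcard domain names
    /// (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub http01: Option<IssuerAcmeSolversHttp01>,
    /// Selector selects a set of DNSNames on the Certificate resource that
    /// should be solved using this challenge solver.
    /// If not specified, the solver will be treated as the 'default' solver
    /// with the lowest priority, i.e. if any other solver has a more specific
    /// match, it will be used instead.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub selector: Option<IssuerAcmeSolversSelector>,
}
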
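/// Configures cert-manager to attempt to complete authorizations by
/// performing the DNS01 challenge flow.
// NOTE(review): each DNS provider is a separate `Option`; this type does not
// stop several being set together. Presumably a solver is expected to name
// exactly one provider; confirm against cert-manager's validation.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01 {
    /// Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
    /// DNS01 challenge records.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "acmeDNS")]
    pub acme_dns: Option<IssuerAcmeSolversDns01AcmeDns>,
    /// Use the Akamai DNS zone management API to manage DNS01 challenge records.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub akamai: Option<IssuerAcmeSolversDns01Akamai>,
    /// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "azureDNS")]
    pub azure_dns: Option<IssuerAcmeSolversDns01AzureDns>,
    /// Use the Google Cloud DNS API to manage DNS01 challenge records.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "cloudDNS")]
    pub cloud_dns: Option<IssuerAcmeSolversDns01CloudDns>,
    /// Use the Cloudflare API to manage DNS01 challenge records.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub cloudflare: Option<IssuerAcmeSolversDns01Cloudflare>,
    /// CNAMEStrategy configures how the DNS01 provider should handle CNAME
    /// records when found in DNS zones.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "cnameStrategy"
    )]
    pub cname_strategy: Option<IssuerAcmeSolversDns01CnameStrategy>,
    /// Use the DigitalOcean DNS API to manage DNS01 challenge records.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub digitalocean: Option<IssuerAcmeSolversDns01Digitalocean>,
    /// Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
    /// to manage DNS01 challenge records.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub rfc2136: Option<IssuerAcmeSolversDns01Rfc2136>,
    /// Use the AWS Route53 API to manage DNS01 challenge records.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub route53: Option<IssuerAcmeSolversDns01Route53>,
    /// Configure an external webhook based DNS01 challenge solver to manage
    /// DNS01 challenge records.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub webhook: Option<IssuerAcmeSolversDns01Webhook>,
}
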
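/// Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
/// DNS01 challenge records.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01AcmeDns {
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "accountSecretRef")]
    pub account_secret_ref: IssuerAcmeSolversDns01AcmeDnsAccountSecretRef,
    // The generated schema carries no description for `host`; it is a required
    // plain string with no validation at this layer.
    pub host: String,
}
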
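/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
// Carries only the Secret's name and entry key, never the secret value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01AcmeDnsAccountSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
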
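/// Use the Akamai DNS zone management API to manage DNS01 challenge records.
// All three credentials are required and are supplied as Secret references,
// so no Akamai credential value is stored in the Issuer object itself.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Akamai {
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "accessTokenSecretRef")]
    pub access_token_secret_ref: IssuerAcmeSolversDns01AkamaiAccessTokenSecretRef,
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "clientSecretSecretRef")]
    pub client_secret_secret_ref: IssuerAcmeSolversDns01AkamaiClientSecretSecretRef,
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    #[serde(rename = "clientTokenSecretRef")]
    pub client_token_secret_ref: IssuerAcmeSolversDns01AkamaiClientTokenSecretRef,
    // The generated schema carries no description for this required field.
    #[serde(rename = "serviceConsumerDomain")]
    pub service_consumer_domain: String,
}
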
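/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
// Carries only the Secret's name and entry key, never the secret value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01AkamaiAccessTokenSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
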
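/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
// Carries only the Secret's name and entry key, never the secret value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01AkamaiClientSecretSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
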
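/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
// Carries only the Secret's name and entry key, never the secret value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01AkamaiClientTokenSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
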
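/// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
// NOTE(review): the field docs describe two authentication modes (Service
// Principal: `client_id` + `client_secret_secret_ref` + `tenant_id`; or
// `managed_identity`) and say they must not be mixed. None of that is encoded
// in this type: all four fields are independent `Option`s, so a partial or
// mixed combination is representable here and must be caught elsewhere.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01AzureDns {
    /// Auth: Azure Service Principal:
    /// The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
    /// If set, ClientSecret and TenantID must also be set.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientID")]
    pub client_id: Option<String>,
    /// Auth: Azure Service Principal:
    /// A reference to a Secret containing the password associated with the Service Principal.
    /// If set, ClientID and TenantID must also be set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "clientSecretSecretRef"
    )]
    pub client_secret_secret_ref: Option<IssuerAcmeSolversDns01AzureDnsClientSecretSecretRef>,
    /// name of the Azure environment (default AzurePublicCloud)
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub environment: Option<IssuerAcmeSolversDns01AzureDnsEnvironment>,
    /// name of the DNS zone that should be used
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "hostedZoneName"
    )]
    pub hosted_zone_name: Option<String>,
    /// Auth: Azure Workload Identity or Azure Managed Service Identity:
    /// Settings to enable Azure Workload Identity or Azure Managed Service Identity
    /// If set, ClientID, ClientSecret and TenantID must not be set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "managedIdentity"
    )]
    pub managed_identity: Option<IssuerAcmeSolversDns01AzureDnsManagedIdentity>,
    /// resource group the DNS zone is located in
    #[serde(rename = "resourceGroupName")]
    pub resource_group_name: String,
    /// ID of the Azure subscription
    #[serde(rename = "subscriptionID")]
    pub subscription_id: String,
    /// Auth: Azure Service Principal:
    /// The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
    /// If set, ClientID and ClientSecret must also be set.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tenantID")]
    pub tenant_id: Option<String>,
}
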
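/// Auth: Azure Service Principal:
/// A reference to a Secret containing the password associated with the Service Principal.
/// If set, ClientID and TenantID must also be set.
// Carries only the Secret's name and entry key, never the password itself.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01AzureDnsClientSecretSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
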
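/// Azure environment names accepted by the `environment` field of
/// `IssuerAcmeSolversDns01AzureDns`.
///
/// That field's documentation names `AzurePublicCloud` as the default when it
/// is left unset.
// The generator had copied the parent struct's description onto this enum.
// The enum does not derive `Default`; the documented default applies to the
// absent field, not to this type.
#[derive(Serialize, Deserialize, Clone, Debug)]
pub enum IssuerAcmeSolversDns01AzureDnsEnvironment {
    AzurePublicCloud,
    AzureChinaCloud,
    AzureGermanCloud,
    // Renamed so the wire value keeps the upper-case "US" of the CRD.
    #[serde(rename = "AzureUSGovernmentCloud")]
    AzureUsGovernmentCloud,
}
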
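/// Auth: Azure Workload Identity or Azure Managed Service Identity:
/// Settings to enable Azure Workload Identity or Azure Managed Service Identity
/// If set, ClientID, ClientSecret and TenantID must not be set.
// NOTE(review): `client_id` and `resource_id` are documented as mutually
// exclusive, but both are plain `Option`s and can be `Some` together here.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01AzureDnsManagedIdentity {
    /// client ID of the managed identity, can not be used at the same time as resourceID
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientID")]
    pub client_id: Option<String>,
    /// resource ID of the managed identity, can not be used at the same time as clientID
    /// Cannot be used for Azure Managed Service Identity
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "resourceID"
    )]
    pub resource_id: Option<String>,
}
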
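/// Use the Google Cloud DNS API to manage DNS01 challenge records.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01CloudDns {
    /// HostedZoneName is an optional field that tells cert-manager in which
    /// Cloud DNS zone the challenge record has to be created.
    /// If left empty cert-manager will automatically choose a zone.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "hostedZoneName"
    )]
    pub hosted_zone_name: Option<String>,
    // The generated schema carries no description for this required field.
    pub project: String,
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    // NOTE(review): optional here; which credentials are used when this is
    // `None` is not stated in this file. Confirm against cert-manager.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "serviceAccountSecretRef"
    )]
    pub service_account_secret_ref: Option<IssuerAcmeSolversDns01CloudDnsServiceAccountSecretRef>,
}
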
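/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
// Carries only the Secret's name and entry key, never the secret value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01CloudDnsServiceAccountSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
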
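/// Use the Cloudflare API to manage DNS01 challenge records.
// NOTE(review): both credential references are independent `Option`s, so this
// type allows neither or both to be set. Prefer `api_token_secret_ref`: the
// field doc below recommends tokens because they allow greater control of
// permissions than an API key.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Cloudflare {
    /// API key to use to authenticate with Cloudflare.
    /// Note: using an API token to authenticate is now the recommended method
    /// as it allows greater control of permissions.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "apiKeySecretRef"
    )]
    pub api_key_secret_ref: Option<IssuerAcmeSolversDns01CloudflareApiKeySecretRef>,
    /// API token used to authenticate with Cloudflare.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "apiTokenSecretRef"
    )]
    pub api_token_secret_ref: Option<IssuerAcmeSolversDns01CloudflareApiTokenSecretRef>,
    /// Email of the account, only required when using API key based authentication.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub email: Option<String>,
}
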
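/// API key to use to authenticate with Cloudflare.
/// Note: using an API token to authenticate is now the recommended method
/// as it allows greater control of permissions.
// Carries only the Secret's name and entry key, never the API key itself.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01CloudflareApiKeySecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
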
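/// API token used to authenticate with Cloudflare.
// Carries only the Secret's name and entry key, never the token itself.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01CloudflareApiTokenSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
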
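/// Values accepted by the `cnameStrategy` field of `IssuerAcmeSolversDns01`,
/// which configures how the DNS01 provider should handle CNAME records when
/// found in DNS zones.
// The generator had copied the parent struct's description onto this enum.
// The enum does not derive `Default`.
#[derive(Serialize, Deserialize, Clone, Debug)]
pub enum IssuerAcmeSolversDns01CnameStrategy {
    // This is the enum's own `None` variant (wire value "None"), not
    // `Option::None`; the field holding it is `Option<Self>`, so an unset
    // strategy and an explicit "None" strategy are distinct values.
    None,
    Follow,
}
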
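/// Use the DigitalOcean DNS API to manage DNS01 challenge records.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Digitalocean {
    /// A reference to a specific 'key' within a Secret resource.
    /// In some instances, `key` is a required field.
    // Required: the API token is always supplied by Secret reference.
    #[serde(rename = "tokenSecretRef")]
    pub token_secret_ref: IssuerAcmeSolversDns01DigitaloceanTokenSecretRef,
}
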
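/// A reference to a specific 'key' within a Secret resource.
/// In some instances, `key` is a required field.
// Carries only the Secret's name and entry key, never the secret value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01DigitaloceanTokenSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
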
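/// Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
/// to manage DNS01 challenge records.
// NOTE(review): all three TSIG fields are optional and independent here, so
// the "if one is defined the other is required" rules in the field docs are
// not encoded in this type. With no TSIG key configured, updates are
// presumably sent unsigned; confirm, and require TSIG wherever the
// nameserver accepts updates from more than this one client.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Rfc2136 {
    /// The IP address or hostname of an authoritative DNS server supporting
    /// RFC2136 in the form host:port. If the host is an IPv6 address it must be
    /// enclosed in square brackets (e.g [2001:db8::1]); port is optional.
    /// This field is required.
    pub nameserver: String,
    /// The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
    /// when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
    /// Supported values are (case-insensitive): ``HMACMD5`` (default),
    /// ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
    // NOTE(review): a free-form string, so an unsupported value is not caught
    // by this type. The documented default is HMACMD5; set HMACSHA256 or
    // HMACSHA512 explicitly whenever TSIG is used rather than relying on the
    // default.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "tsigAlgorithm"
    )]
    pub tsig_algorithm: Option<String>,
    /// The TSIG Key name configured in the DNS.
    /// If ``tsigSecretSecretRef`` is defined, this field is required.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "tsigKeyName"
    )]
    pub tsig_key_name: Option<String>,
    /// The name of the secret containing the TSIG value.
    /// If ``tsigKeyName`` is defined, this field is required.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "tsigSecretSecretRef"
    )]
    pub tsig_secret_secret_ref: Option<IssuerAcmeSolversDns01Rfc2136TsigSecretSecretRef>,
}
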
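/// The name of the secret containing the TSIG value.
/// If ``tsigKeyName`` is defined, this field is required.
// Carries only the Secret's name and entry key, never the TSIG key itself.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Rfc2136TsigSecretSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
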
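/// Use the AWS Route53 API to manage DNS01 challenge records.
///
/// Credential sources visible on this type: an inline `accessKeyID` (stored
/// as plain text in the Issuer resource) or `accessKeyIDSecretRef`, paired
/// with `secretAccessKeySecretRef`; `auth` (bound ServiceAccount token); or,
/// when none is set, the ambient fallback described on the fields below.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Route53 {
    /// The AccessKeyID is used for authentication.
    /// Cannot be set when `accessKeyIDSecretRef` is set (the upstream text
    /// calls that field `SecretAccessKeyID`).
    /// If neither the Access Key nor Key ID are set, we fall back to using env
    /// vars, shared credentials file or AWS Instance metadata,
    /// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "accessKeyID"
    )]
    pub access_key_id: Option<String>,
    /// Reference to a key within a Kubernetes Secret that holds the AWS
    /// access key ID. If set, the access key ID is pulled from that Secret.
    /// Cannot be set when AccessKeyID is set.
    /// If neither the Access Key nor Key ID are set, we fall back to using env
    /// vars, shared credentials file or AWS Instance metadata,
    /// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "accessKeyIDSecretRef"
    )]
    pub access_key_id_secret_ref: Option<IssuerAcmeSolversDns01Route53AccessKeyIdSecretRef>,
    /// Auth configures how cert-manager authenticates.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub auth: Option<IssuerAcmeSolversDns01Route53Auth>,
    /// If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "hostedZoneID"
    )]
    pub hosted_zone_id: Option<String>,
    /// Override the AWS region.
    ///
    /// Route53 is a global service and does not have regional endpoints but the
    /// region specified here (or via environment variables) is used as a hint to
    /// help compute the correct AWS credential scope and partition when it
    /// connects to Route53. See:
    /// - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
    /// - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
    ///
    /// If you omit this region field, cert-manager will use the region from
    /// AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
    /// in the cert-manager controller Pod.
    ///
    /// The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
    /// Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
    /// [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
    /// In this case this `region` field value is ignored.
    ///
    /// The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
    /// Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
    /// [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent).
    /// In this case this `region` field value is ignored.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    /// Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
    /// or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub role: Option<String>,
    /// The SecretAccessKey is used for authentication.
    /// If neither the Access Key nor Key ID are set, we fall back to using env
    /// vars, shared credentials file or AWS Instance metadata,
    /// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
    ///
    /// Only a reference to the Secret is stored; the key material is not part
    /// of this type.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "secretAccessKeySecretRef"
    )]
    pub secret_access_key_secret_ref: Option<IssuerAcmeSolversDns01Route53SecretAccessKeySecretRef>,
}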
738
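/// Reference to a key within a Kubernetes Secret that holds the AWS access
/// key ID. If set, the access key ID is pulled from that Secret.
/// Cannot be set when AccessKeyID is set.
/// If neither the Access Key nor Key ID are set, we fall back to using env
/// vars, shared credentials file or AWS Instance metadata,
/// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Route53AccessKeyIdSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    ///
    /// Required on the wire (no `#[serde(default)]`). The derived `Default`
    /// yields an empty string, which does not name a Secret.
    pub name: String,
}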
756
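/// Auth configures how cert-manager authenticates.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Route53Auth {
    /// Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
    /// by passing a bound ServiceAccount token.
    ///
    /// Required: the field has no `#[serde(default)]`, so deserializing an
    /// `auth` object without `kubernetes` fails.
    pub kubernetes: IssuerAcmeSolversDns01Route53AuthKubernetes,
}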
764
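/// Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
/// by passing a bound ServiceAccount token.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Route53AuthKubernetes {
    /// A reference to a service account that will be used to request a bound
    /// token (also known as "projected token"). To use this field, you must
    /// configure an RBAC rule to let cert-manager request a token.
    ///
    /// Required: serialized as `serviceAccountRef` with no `#[serde(default)]`.
    #[serde(rename = "serviceAccountRef")]
    pub service_account_ref: IssuerAcmeSolversDns01Route53AuthKubernetesServiceAccountRef,
}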
775
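/// A reference to a service account that will be used to request a bound
/// token (also known as "projected token"). To use this field, you must
/// configure an RBAC rule to let cert-manager request a token.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
    /// TokenAudiences is an optional list of audiences to include in the
    /// token passed to AWS. The default token consisting of the issuer's namespace
    /// and name is always included.
    /// If unset the audience defaults to `sts.amazonaws.com`.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// Name of the ServiceAccount used to request a token.
    ///
    /// Required on the wire (no `#[serde(default)]`). The derived `Default`
    /// yields an empty string, which does not name a ServiceAccount.
    pub name: String,
}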
790
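/// The SecretAccessKey is used for authentication.
/// If neither the Access Key nor Key ID are set, we fall back to using env
/// vars, shared credentials file or AWS Instance metadata,
/// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
///
/// This type is a reference only: it carries the Secret's name and data key,
/// never the secret access key itself.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Route53SecretAccessKeySecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    ///
    /// Required on the wire (no `#[serde(default)]`). The derived `Default`
    /// yields an empty string, which does not name a Secret.
    pub name: String,
}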
806
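/// Configure an external webhook based DNS01 challenge solver to manage
/// DNS01 challenge records.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversDns01Webhook {
    /// Additional configuration that should be passed to the webhook apiserver
    /// when challenges are processed.
    /// This can contain arbitrary JSON data.
    /// Secret values should not be specified in this stanza.
    /// If secret values are needed (e.g. credentials for a DNS service), you
    /// should use a SecretKeySelector to reference a Secret resource.
    /// For details on the schema of this field, consult the webhook provider
    /// implementation's documentation.
    ///
    /// The value is carried verbatim in the Issuer resource, and this struct
    /// derives `Debug`, so anything placed here also appears in debug output.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub config: Option<serde_json::Value>,
    /// The API group name that should be used when POSTing ChallengePayload
    /// resources to the webhook apiserver.
    /// This should be the same as the GroupName specified in the webhook
    /// provider implementation.
    #[serde(rename = "groupName")]
    pub group_name: String,
    /// The name of the solver to use, as defined in the webhook provider
    /// implementation.
    /// This will typically be the name of the provider, e.g. 'cloudflare'.
    #[serde(rename = "solverName")]
    pub solver_name: String,
}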
833
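/// Configures cert-manager to attempt to complete authorizations by
/// performing the HTTP01 challenge flow.
/// It is not possible to obtain certificates for wildcard domain names
/// (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
///
/// Both solver fields are optional at the type level; this struct does not
/// itself enforce that one of them is set.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01 {
    /// The Gateway API is a sig-network community API that models service networking
    /// in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
    /// create HTTPRoutes with the specified labels in the same namespace as the challenge.
    /// This solver is experimental, and fields / behaviour may change in the future.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "gatewayHTTPRoute"
    )]
    pub gateway_http_route: Option<IssuerAcmeSolversHttp01GatewayHttpRoute>,
    /// The ingress based HTTP01 challenge solver will solve challenges by
    /// creating or modifying Ingress resources in order to route requests for
    /// '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
    /// provisioned by cert-manager for each Challenge to be completed.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ingress: Option<IssuerAcmeSolversHttp01Ingress>,
}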
857
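/// The Gateway API is a sig-network community API that models service networking
/// in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
/// create HTTPRoutes with the specified labels in the same namespace as the challenge.
/// This solver is experimental, and fields / behaviour may change in the future.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoute {
    /// Custom labels that will be applied to HTTPRoutes created by cert-manager
    /// while solving HTTP-01 challenges.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub labels: Option<BTreeMap<String, String>>,
    /// When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
    /// cert-manager needs to know which parentRefs should be used when creating
    /// the HTTPRoute. Usually, the parentRef references a Gateway. See:
    /// https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "parentRefs"
    )]
    pub parent_refs: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRouteParentRefs>>,
    /// Optional pod template used to configure the ACME challenge solver pods
    /// used for HTTP01 challenges.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "podTemplate"
    )]
    pub pod_template: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplate>,
    /// Optional service type for Kubernetes solver service. Supported values
    /// are NodePort or ClusterIP. If unset, defaults to NodePort.
    ///
    /// Held as a free-form string; this type does not restrict it to the two
    /// supported values.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "serviceType"
    )]
    pub service_type: Option<String>,
}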
895
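/// ParentReference identifies an API object (usually a Gateway) that can be considered
/// a parent of this resource (usually a route). There are two kinds of parent resources
/// with "Core" support:
///
/// * Gateway (Gateway conformance profile)
/// * Service (Mesh conformance profile, ClusterIP Services only)
///
/// This API may be extended in the future to support additional kinds of parent
/// resources.
///
/// The API object must be valid in the cluster; the Group and Kind must
/// be registered in the cluster for this reference to be valid.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRouteParentRefs {
    /// Group is the group of the referent.
    /// When unspecified, "gateway.networking.k8s.io" is inferred.
    /// To set the core API group (such as for a "Service" kind referent),
    /// Group must be explicitly set to "" (empty string).
    ///
    /// Support: Core
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub group: Option<String>,
    /// Kind is kind of the referent.
    ///
    /// There are two kinds of parent resources with "Core" support:
    ///
    /// * Gateway (Gateway conformance profile)
    /// * Service (Mesh conformance profile, ClusterIP Services only)
    ///
    /// Support for other resources is Implementation-Specific.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub kind: Option<String>,
    /// Name is the name of the referent.
    ///
    /// Support: Core
    pub name: String,
    /// Namespace is the namespace of the referent. When unspecified, this refers
    /// to the local namespace of the Route.
    ///
    /// Note that there are specific rules for ParentRefs which cross namespace
    /// boundaries. Cross-namespace references are only valid if they are explicitly
    /// allowed by something in the namespace they are referring to. For example:
    /// Gateway has the AllowedRoutes field, and ReferenceGrant provides a
    /// generic way to enable any other kind of cross-namespace reference.
    ///
    /// <gateway:experimental:description>
    /// ParentRefs from a Route to a Service in the same namespace are "producer"
    /// routes, which apply default routing rules to inbound connections from
    /// any namespace to the Service.
    ///
    /// ParentRefs from a Route to a Service in a different namespace are
    /// "consumer" routes, and these routing rules are only applied to outbound
    /// connections originating from the same namespace as the Route, for which
    /// the intended destination of the connections are a Service targeted as a
    /// ParentRef of the Route.
    /// </gateway:experimental:description>
    ///
    /// Support: Core
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// Port is the network port this Route targets. It can be interpreted
    /// differently based on the type of parent resource.
    ///
    /// When the parent resource is a Gateway, this targets all listeners
    /// listening on the specified port that also support this kind of Route (and
    /// select this Route). It's not recommended to set `Port` unless the
    /// networking behaviors specified in a Route must apply to a specific port
    /// as opposed to a listener(s) whose port(s) may be changed. When both Port
    /// and SectionName are specified, the name and port of the selected listener
    /// must match both specified values.
    ///
    /// <gateway:experimental:description>
    /// When the parent resource is a Service, this targets a specific port in the
    /// Service spec. When both Port (experimental) and SectionName are specified,
    /// the name and port of the selected port must match both specified values.
    /// </gateway:experimental:description>
    ///
    /// Implementations MAY choose to support other parent resources.
    /// Implementations supporting other types of parent resources MUST clearly
    /// document how/if Port is interpreted.
    ///
    /// For the purpose of status, an attachment is considered successful as
    /// long as the parent resource accepts it partially. For example, Gateway
    /// listeners can restrict which Routes can attach to them by Route kind,
    /// namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
    /// from the referencing Route, the Route MUST be considered successfully
    /// attached. If no Gateway listeners accept attachment from this Route,
    /// the Route MUST be considered detached from the Gateway.
    ///
    /// Support: Extended
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub port: Option<i32>,
    /// SectionName is the name of a section within the target resource. In the
    /// following resources, SectionName is interpreted as the following:
    ///
    /// * Gateway: Listener name. When both Port (experimental) and SectionName
    ///   are specified, the name and port of the selected listener must match
    ///   both specified values.
    /// * Service: Port name. When both Port (experimental) and SectionName
    ///   are specified, the name and port of the selected listener must match
    ///   both specified values.
    ///
    /// Implementations MAY choose to support attaching Routes to other resources.
    /// If that is the case, they MUST clearly document how SectionName is
    /// interpreted.
    ///
    /// When unspecified (empty string), this will reference the entire resource.
    /// For the purpose of status, an attachment is considered successful if at
    /// least one section in the parent resource accepts it. For example, Gateway
    /// listeners can restrict which Routes can attach to them by Route kind,
    /// namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
    /// the referencing Route, the Route MUST be considered successfully
    /// attached. If no Gateway listeners accept attachment from this Route, the
    /// Route MUST be considered detached from the Gateway.
    ///
    /// Support: Core
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "sectionName"
    )]
    pub section_name: Option<String>,
}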
1019
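/// Optional pod template used to configure the ACME challenge solver pods
/// used for HTTP01 challenges.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplate {
    /// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
    /// Only the 'labels' and 'annotations' fields may be set.
    /// If labels or annotations overlap with in-built values, the values here
    /// will override the in-built values.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub metadata: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateMetadata>,
    /// PodSpec defines overrides for the HTTP01 challenge solver pod.
    /// Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
    /// All other fields will be ignored.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub spec: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpec>,
}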
1036
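/// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
/// Only the 'labels' and 'annotations' fields may be set.
/// If labels or annotations overlap with in-built values, the values here
/// will override the in-built values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateMetadata {
    /// Annotations that should be added to the created ACME HTTP01 solver pods.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub annotations: Option<BTreeMap<String, String>>,
    /// Labels that should be added to the created ACME HTTP01 solver pods.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub labels: Option<BTreeMap<String, String>>,
}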
1050
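/// PodSpec defines overrides for the HTTP01 challenge solver pod.
/// Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
/// All other fields will be ignored.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpec {
    /// If specified, the pod's scheduling constraints.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub affinity: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinity>,
    /// If specified, the pod's imagePullSecrets.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "imagePullSecrets"
    )]
    pub image_pull_secrets:
        Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecImagePullSecrets>>,
    /// NodeSelector is a selector which must be true for the pod to fit on a node.
    /// Selector which must match a node's labels for the pod to be scheduled on that node.
    /// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "nodeSelector"
    )]
    pub node_selector: Option<BTreeMap<String, String>>,
    /// If specified, the pod's priorityClassName.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "priorityClassName"
    )]
    pub priority_class_name: Option<String>,
    /// If specified, the pod's security context.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "securityContext"
    )]
    pub security_context:
        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContext>,
    /// If specified, the pod's service account.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "serviceAccountName"
    )]
    pub service_account_name: Option<String>,
    /// If specified, the pod's tolerations.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub tolerations: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecTolerations>>,
}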
1102
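/// If specified, the pod's scheduling constraints.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinity {
    /// Describes node affinity scheduling rules for the pod.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "nodeAffinity"
    )]
    pub node_affinity:
        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinity>,
    /// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "podAffinity"
    )]
    pub pod_affinity:
        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinity>,
    /// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "podAntiAffinity"
    )]
    pub pod_anti_affinity:
        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinity>,
}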
1131
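/// Describes node affinity scheduling rules for the pod.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinity {
    /// The scheduler will prefer to schedule pods to nodes that satisfy
    /// the affinity expressions specified by this field, but it may choose
    /// a node that violates one or more of the expressions. The node that is
    /// most preferred is the one with the greatest sum of weights, i.e.
    /// for each node that meets all of the scheduling requirements (resource
    /// request, requiredDuringScheduling affinity expressions, etc.),
    /// compute a sum by iterating through the elements of this field and adding
    /// "weight" to the sum if the node matches the corresponding matchExpressions; the
    /// node(s) with the highest sum are the most preferred.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
    /// If the affinity requirements specified by this field are not met at
    /// scheduling time, the pod will not be scheduled onto the node.
    /// If the affinity requirements specified by this field cease to be met
    /// at some point during pod execution (e.g. due to an update), the system
    /// may or may not try to eventually evict the pod from its node.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
    pub required_during_scheduling_ignored_during_execution: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>,
}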
1154
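/// An empty preferred scheduling term matches all objects with implicit weight 0
/// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
    /// A node selector term, associated with the corresponding weight.
    pub preference: IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference,
    /// Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
    ///
    /// The range is not enforced by this type: the derived `Default` yields 0,
    /// which is outside 1-100, so set the weight explicitly.
    pub weight: i32,
}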
1164
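/// A node selector term, associated with the corresponding weight.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
    /// A list of node selector requirements by node's labels.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>>,
    /// A list of node selector requirements by node's fields.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchFields")]
    pub match_fields: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>>,
}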
1175
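/// A node selector requirement is a selector that contains values, a key, and an operator
/// that relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions
{
    /// The label key that the selector applies to.
    pub key: String,
    /// Represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
    ///
    /// Held as a free-form string; this type does not check it against that
    /// list.
    pub operator: String,
    /// An array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. If the operator is Gt or Lt, the values
    /// array must have a single element, which will be interpreted as an integer.
    /// This array is replaced during a strategic merge patch.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}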
1194
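/// A node selector requirement is a selector that contains values, a key, and an operator
/// that relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields
{
    /// The label key that the selector applies to.
    pub key: String,
    /// Represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
    ///
    /// Held as a free-form string; this type does not check it against that
    /// list.
    pub operator: String,
    /// An array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. If the operator is Gt or Lt, the values
    /// array must have a single element, which will be interpreted as an integer.
    /// This array is replaced during a strategic merge patch.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}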
1213
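/// If the affinity requirements specified by this field are not met at
/// scheduling time, the pod will not be scheduled onto the node.
/// If the affinity requirements specified by this field cease to be met
/// at some point during pod execution (e.g. due to an update), the system
/// may or may not try to eventually evict the pod from its node.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
    /// Required. A list of node selector terms. The terms are ORed.
    ///
    /// No `#[serde(default)]`: deserialization fails when `nodeSelectorTerms`
    /// is absent. The derived `Default` yields an empty list.
    #[serde(rename = "nodeSelectorTerms")]
    pub node_selector_terms: Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>,
}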
1225
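/// A null or empty node selector term matches no objects. The requirements of
/// them are ANDed.
/// The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
    /// A list of node selector requirements by node's labels.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>>,
    /// A list of node selector requirements by node's fields.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchFields")]
    pub match_fields: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>>,
}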
1238
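/// A node selector requirement is a selector that contains values, a key, and an operator
/// that relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions
{
    /// The label key that the selector applies to.
    pub key: String,
    /// Represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
    ///
    /// Held as a free-form string; this type does not check it against that
    /// list.
    pub operator: String,
    /// An array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. If the operator is Gt or Lt, the values
    /// array must have a single element, which will be interpreted as an integer.
    /// This array is replaced during a strategic merge patch.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}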
1257
/// A node selector requirement is a selector that contains values, a key, and an operator
/// that relates the key and values.
///
/// `key` and `operator` are plain `String`s, so this type does not check them. The derived
/// `Default` yields empty strings, and an empty `operator` is not one of the valid operators
/// listed on that field; set both before using a default-constructed value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields
{
    /// The label key that the selector applies to.
    // NOTE(review): this type backs `matchFields`, which selects by node fields, so the key
    // presumably names a node field rather than a label — confirm against the upstream schema.
    pub key: String,
    /// Represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
    pub operator: String,
    /// An array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. If the operator is Gt or Lt, the values
    /// array must have a single element, which will be interpreted as an integer.
    /// This array is replaced during a strategic merge patch.
    ///
    /// The operator/values pairing above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
1276
/// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
///
/// Both rule lists are optional; a list left as `None` is omitted from the serialized object.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinity {
    /// The scheduler will prefer to schedule pods to nodes that satisfy
    /// the affinity expressions specified by this field, but it may choose
    /// a node that violates one or more of the expressions. The node that is
    /// most preferred is the one with the greatest sum of weights, i.e.
    /// for each node that meets all of the scheduling requirements (resource
    /// request, requiredDuringScheduling affinity expressions, etc.),
    /// compute a sum by iterating through the elements of this field and adding
    /// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
    /// node(s) with the highest sum are the most preferred.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
    /// If the affinity requirements specified by this field are not met at
    /// scheduling time, the pod will not be scheduled onto the node.
    /// If the affinity requirements specified by this field cease to be met
    /// at some point during pod execution (e.g. due to a pod label update), the
    /// system may or may not try to eventually evict the pod from its node.
    /// When there are multiple elements, the lists of nodes corresponding to each
    /// podAffinityTerm are intersected, i.e. all terms must be satisfied.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
    pub required_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>>,
}
1301
/// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
///
/// Neither field is optional and neither carries `serde(default)`, so both must be present
/// when this type is deserialized.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
    /// Required. A pod affinity term, associated with the corresponding weight.
    #[serde(rename = "podAffinityTerm")]
    pub pod_affinity_term: IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm,
    /// weight associated with matching the corresponding podAffinityTerm,
    /// in the range 1-100.
    ///
    /// The range is not enforced by the `i32` type; the derived `Default` gives 0,
    /// which lies outside it.
    pub weight: i32,
}
1312
/// Required. A pod affinity term, associated with the corresponding weight.
///
/// A value built from the derived `Default` is not a usable term as-is: `topology_key`
/// is the empty string (documented below as not allowed) and `label_selector` is `None`
/// (documented below as matching no Pods).
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
    /// A label query over a set of resources, in this case pods.
    /// If it's null, this PodAffinityTerm matches with no Pods.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
    pub label_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>,
    /// MatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
    pub match_label_keys: Option<Vec<String>>,
    /// MismatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
    pub mismatch_label_keys: Option<Vec<String>>,
    /// A label query over the set of namespaces that the term applies to.
    /// The term is applied to the union of the namespaces selected by this field
    /// and the ones listed in the namespaces field.
    /// null selector and null or empty namespaces list means "this pod's namespace".
    /// An empty selector ({}) matches all namespaces.
    ///
    /// `None` and `Some(Default::default())` are therefore not interchangeable: the latter
    /// serializes as `{}` and widens the term to every namespace, while `None` (together with
    /// an unset `namespaces`) keeps it scoped to this pod's namespace.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
    pub namespace_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>,
    /// namespaces specifies a static list of namespace names that the term applies to.
    /// The term is applied to the union of the namespaces listed in this field
    /// and the ones selected by namespaceSelector.
    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespaces: Option<Vec<String>>,
    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
    /// whose value of the label with key topologyKey matches that of any node on which any of the
    /// selected pods is running.
    /// Empty topologyKey is not allowed.
    ///
    /// Required on the wire (no `serde(default)`); the non-empty rule is not enforced by this type.
    #[serde(rename = "topologyKey")]
    pub topology_key: String,
}
1363
/// A label query over a set of resources, in this case pods.
/// If it's null, this PodAffinityTerm matches with no Pods.
///
/// With both fields `None` this value serializes as an empty object, which is a different
/// value from leaving the parent's `labelSelector` unset (null).
// NOTE(review): upstream Kubernetes documents an empty label selector as matching all
// objects — confirm before relying on a default-constructed selector.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
1377
/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
///
/// `key` and `operator` are plain `String`s, so this type does not check them. The derived
/// `Default` yields empty strings, and an empty `operator` is not one of the valid operators
/// listed on that field; set both before using a default-constructed value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
{
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    ///
    /// The operator/values pairing above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
1395
/// A label query over the set of namespaces that the term applies to.
/// The term is applied to the union of the namespaces selected by this field
/// and the ones listed in the namespaces field.
/// null selector and null or empty namespaces list means "this pod's namespace".
/// An empty selector ({}) matches all namespaces.
///
/// The derived `Default` is that empty selector: with both fields `None` it serializes as
/// `{}`. Construct it only when matching every namespace is intended; otherwise leave the
/// parent's `namespaceSelector` unset or populate at least one requirement.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
1412
/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
///
/// `key` and `operator` are plain `String`s, so this type does not check them. The derived
/// `Default` yields empty strings, and an empty `operator` is not one of the valid operators
/// listed on that field; set both before using a default-constructed value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
{
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    ///
    /// The operator/values pairing above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
1430
/// Defines a set of pods (namely those matching the labelSelector
/// relative to the given namespace(s)) that this pod should be
/// co-located (affinity) or not co-located (anti-affinity) with,
/// where co-located is defined as running on a node whose value of
/// the label with key `topologyKey` matches that of any node on which
/// a pod of the set of pods is running
///
/// A value built from the derived `Default` is not a usable term as-is: `topology_key`
/// is the empty string (documented below as not allowed) and `label_selector` is `None`
/// (documented below as matching no Pods).
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
    /// A label query over a set of resources, in this case pods.
    /// If it's null, this PodAffinityTerm matches with no Pods.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
    pub label_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>,
    /// MatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
    pub match_label_keys: Option<Vec<String>>,
    /// MismatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
    pub mismatch_label_keys: Option<Vec<String>>,
    /// A label query over the set of namespaces that the term applies to.
    /// The term is applied to the union of the namespaces selected by this field
    /// and the ones listed in the namespaces field.
    /// null selector and null or empty namespaces list means "this pod's namespace".
    /// An empty selector ({}) matches all namespaces.
    ///
    /// `None` and `Some(Default::default())` are therefore not interchangeable: the latter
    /// serializes as `{}` and widens the term to every namespace, while `None` (together with
    /// an unset `namespaces`) keeps it scoped to this pod's namespace.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
    pub namespace_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>,
    /// namespaces specifies a static list of namespace names that the term applies to.
    /// The term is applied to the union of the namespaces listed in this field
    /// and the ones selected by namespaceSelector.
    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespaces: Option<Vec<String>>,
    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
    /// whose value of the label with key topologyKey matches that of any node on which any of the
    /// selected pods is running.
    /// Empty topologyKey is not allowed.
    ///
    /// Required on the wire (no `serde(default)`); the non-empty rule is not enforced by this type.
    #[serde(rename = "topologyKey")]
    pub topology_key: String,
}
1486
/// A label query over a set of resources, in this case pods.
/// If it's null, this PodAffinityTerm matches with no Pods.
///
/// With both fields `None` this value serializes as an empty object, which is a different
/// value from leaving the parent's `labelSelector` unset (null).
// NOTE(review): upstream Kubernetes documents an empty label selector as matching all
// objects — confirm before relying on a default-constructed selector.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
1500
/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
///
/// `key` and `operator` are plain `String`s, so this type does not check them. The derived
/// `Default` yields empty strings, and an empty `operator` is not one of the valid operators
/// listed on that field; set both before using a default-constructed value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
{
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    ///
    /// The operator/values pairing above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
1518
/// A label query over the set of namespaces that the term applies to.
/// The term is applied to the union of the namespaces selected by this field
/// and the ones listed in the namespaces field.
/// null selector and null or empty namespaces list means "this pod's namespace".
/// An empty selector ({}) matches all namespaces.
///
/// The derived `Default` is that empty selector: with both fields `None` it serializes as
/// `{}`. Construct it only when matching every namespace is intended; otherwise leave the
/// parent's `namespaceSelector` unset or populate at least one requirement.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
1535
/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
///
/// `key` and `operator` are plain `String`s, so this type does not check them. The derived
/// `Default` yields empty strings, and an empty `operator` is not one of the valid operators
/// listed on that field; set both before using a default-constructed value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
{
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    ///
    /// The operator/values pairing above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
1553
/// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
///
/// Both rule lists are optional; a list left as `None` is omitted from the serialized object.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinity {
    /// The scheduler will prefer to schedule pods to nodes that satisfy
    /// the anti-affinity expressions specified by this field, but it may choose
    /// a node that violates one or more of the expressions. The node that is
    /// most preferred is the one with the greatest sum of weights, i.e.
    /// for each node that meets all of the scheduling requirements (resource
    /// request, requiredDuringScheduling anti-affinity expressions, etc.),
    /// compute a sum by iterating through the elements of this field and adding
    /// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
    /// node(s) with the highest sum are the most preferred.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
    /// If the anti-affinity requirements specified by this field are not met at
    /// scheduling time, the pod will not be scheduled onto the node.
    /// If the anti-affinity requirements specified by this field cease to be met
    /// at some point during pod execution (e.g. due to a pod label update), the
    /// system may or may not try to eventually evict the pod from its node.
    /// When there are multiple elements, the lists of nodes corresponding to each
    /// podAffinityTerm are intersected, i.e. all terms must be satisfied.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
    pub required_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>>,
}
1578
/// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
///
/// Neither field is optional and neither carries `serde(default)`, so both must be present
/// when this type is deserialized.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
    /// Required. A pod affinity term, associated with the corresponding weight.
    #[serde(rename = "podAffinityTerm")]
    pub pod_affinity_term: IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm,
    /// weight associated with matching the corresponding podAffinityTerm,
    /// in the range 1-100.
    ///
    /// The range is not enforced by the `i32` type; the derived `Default` gives 0,
    /// which lies outside it.
    pub weight: i32,
}
1589
/// Required. A pod affinity term, associated with the corresponding weight.
///
/// A value built from the derived `Default` is not a usable term as-is: `topology_key`
/// is the empty string (documented below as not allowed) and `label_selector` is `None`
/// (documented below as matching no Pods).
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
    /// A label query over a set of resources, in this case pods.
    /// If it's null, this PodAffinityTerm matches with no Pods.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
    pub label_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>,
    /// MatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
    pub match_label_keys: Option<Vec<String>>,
    /// MismatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
    pub mismatch_label_keys: Option<Vec<String>>,
    /// A label query over the set of namespaces that the term applies to.
    /// The term is applied to the union of the namespaces selected by this field
    /// and the ones listed in the namespaces field.
    /// null selector and null or empty namespaces list means "this pod's namespace".
    /// An empty selector ({}) matches all namespaces.
    ///
    /// `None` and `Some(Default::default())` are therefore not interchangeable: the latter
    /// serializes as `{}` and widens the term to every namespace, while `None` (together with
    /// an unset `namespaces`) keeps it scoped to this pod's namespace.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
    pub namespace_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>,
    /// namespaces specifies a static list of namespace names that the term applies to.
    /// The term is applied to the union of the namespaces listed in this field
    /// and the ones selected by namespaceSelector.
    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespaces: Option<Vec<String>>,
    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
    /// whose value of the label with key topologyKey matches that of any node on which any of the
    /// selected pods is running.
    /// Empty topologyKey is not allowed.
    ///
    /// Required on the wire (no `serde(default)`); the non-empty rule is not enforced by this type.
    #[serde(rename = "topologyKey")]
    pub topology_key: String,
}
1640
/// A label query over a set of resources, in this case pods.
/// If it's null, this PodAffinityTerm matches with no Pods.
///
/// With both fields `None` this value serializes as an empty object, which is a different
/// value from leaving the parent's `labelSelector` unset (null).
// NOTE(review): upstream Kubernetes documents an empty label selector as matching all
// objects — confirm before relying on a default-constructed selector.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
1654
/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
///
/// `key` and `operator` are plain `String`s, so this type does not check them. The derived
/// `Default` yields empty strings, and an empty `operator` is not one of the valid operators
/// listed on that field; set both before using a default-constructed value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
{
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    ///
    /// The operator/values pairing above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
1672
/// A label query over the set of namespaces that the term applies to.
/// The term is applied to the union of the namespaces selected by this field
/// and the ones listed in the namespaces field.
/// null selector and null or empty namespaces list means "this pod's namespace".
/// An empty selector ({}) matches all namespaces.
///
/// The derived `Default` is that empty selector: with both fields `None` it serializes as
/// `{}`. Construct it only when matching every namespace is intended; otherwise leave the
/// parent's `namespaceSelector` unset or populate at least one requirement.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
1689
/// One label selector requirement used by the namespace selector: a label
/// `key`, an `operator`, and the `values` the operator relates the key to.
///
/// Note: the derived `Default` produces empty `key` and `operator` strings.
/// An empty operator is not one of the valid operators listed on the field,
/// so both should be set explicitly before the value is used.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
    /// The label key that the selector applies to.
    pub key: String,
    /// The relationship between `key` and the set of `values`.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// Array of string values. It must be non-empty when the operator is In
    /// or NotIn, and must be empty when the operator is Exists or
    /// DoesNotExist. This array is replaced during a strategic merge patch.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub values: Option<Vec<String>>,
}
1707
/// Defines a set of pods (those matching the labelSelector relative to the
/// given namespace(s)) that this pod should be co-located with (affinity)
/// or not co-located with (anti-affinity). Co-located means running on a
/// node whose value of the label with key `topologyKey` matches that of any
/// node on which a pod of the set is running.
///
/// Note: the derived `Default` leaves `topology_key` as an empty string,
/// which the field documentation states is not allowed; set it explicitly.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
    /// Label query over a set of resources, in this case pods.
    /// If it is null, this PodAffinityTerm matches with no Pods.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "labelSelector"
    )]
    pub label_selector: Option<
        IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector,
    >,
    /// Set of pod label keys used to select which pods are taken into
    /// consideration. The keys are used to look up values from the incoming
    /// pod labels; those key-value labels are merged with `labelSelector` as
    /// `key in (value)` to select the group of existing pods considered for
    /// the incoming pod's pod (anti) affinity. Keys that do not exist in the
    /// incoming pod labels are ignored. The default value is empty.
    /// The same key is forbidden to exist in both matchLabelKeys and
    /// labelSelector, and matchLabelKeys cannot be set when labelSelector
    /// isn't set.
    /// This is a beta field and requires enabling the
    /// MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "matchLabelKeys"
    )]
    pub match_label_keys: Option<Vec<String>>,
    /// Set of pod label keys used to select which pods are taken into
    /// consideration. The keys are used to look up values from the incoming
    /// pod labels; those key-value labels are merged with `labelSelector` as
    /// `key notin (value)` to select the group of existing pods considered
    /// for the incoming pod's pod (anti) affinity. Keys that do not exist in
    /// the incoming pod labels are ignored. The default value is empty.
    /// The same key is forbidden to exist in both mismatchLabelKeys and
    /// labelSelector, and mismatchLabelKeys cannot be set when labelSelector
    /// isn't set.
    /// This is a beta field and requires enabling the
    /// MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "mismatchLabelKeys"
    )]
    pub mismatch_label_keys: Option<Vec<String>>,
    /// Label query over the set of namespaces that the term applies to.
    /// The term applies to the union of the namespaces selected by this
    /// field and the ones listed in the namespaces field.
    /// A null selector with a null or empty namespaces list means
    /// "this pod's namespace".
    /// An empty selector ({}) matches all namespaces.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "namespaceSelector"
    )]
    pub namespace_selector: Option<
        IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector,
    >,
    /// Static list of namespace names that the term applies to.
    /// The term applies to the union of the namespaces listed in this field
    /// and the ones selected by namespaceSelector.
    /// A null or empty namespaces list with a null namespaceSelector means
    /// "this pod's namespace".
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub namespaces: Option<Vec<String>>,
    /// This pod should be co-located (affinity) or not co-located
    /// (anti-affinity) with the pods matching the labelSelector in the
    /// specified namespaces, where co-located is defined as running on a
    /// node whose value of the label with key topologyKey matches that of
    /// any node on which any of the selected pods is running.
    /// Empty topologyKey is not allowed.
    #[serde(rename = "topologyKey")]
    pub topology_key: String,
}
1763
/// Label query over a set of resources, in this case pods.
/// If it is null, this PodAffinityTerm matches with no Pods.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
    /// List of label selector requirements. The requirements are ANDed.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "matchExpressions"
    )]
    pub match_expressions: Option<
        Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>,
    >,
    /// Map of {key,value} pairs. A single {key,value} entry is equivalent to
    /// an element of matchExpressions whose key field is "key", whose
    /// operator is "In", and whose values array contains only "value".
    /// The requirements are ANDed.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "matchLabels"
    )]
    pub match_labels: Option<BTreeMap<String, String>>,
}
1777
/// One label selector requirement: a label `key`, an `operator`, and the
/// `values` that the operator relates the key to.
///
/// Note: the derived `Default` produces empty `key` and `operator` strings.
/// An empty operator is not one of the valid operators listed on the field,
/// so both should be set explicitly before the value is used.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
    /// The label key that the selector applies to.
    pub key: String,
    /// The relationship between `key` and the set of `values`.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// Array of string values. It must be non-empty when the operator is In
    /// or NotIn, and must be empty when the operator is Exists or
    /// DoesNotExist. This array is replaced during a strategic merge patch.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub values: Option<Vec<String>>,
}
1795
/// Label query over the set of namespaces that the term applies to.
///
/// The term applies to the union of the namespaces selected here and the
/// ones listed in the `namespaces` field. A null selector together with a
/// null or empty `namespaces` list means "this pod's namespace".
///
/// An empty selector (`{}`) matches ALL namespaces, so an absent selector
/// and an empty one have very different reach; keep the two cases apart
/// when building or reviewing this value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
    /// List of label selector requirements. The requirements are ANDed.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "matchExpressions"
    )]
    pub match_expressions: Option<
        Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>,
    >,
    /// Map of {key,value} pairs. A single {key,value} entry is equivalent to
    /// an element of matchExpressions whose key field is "key", whose
    /// operator is "In", and whose values array contains only "value".
    /// The requirements are ANDed.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "matchLabels"
    )]
    pub match_labels: Option<BTreeMap<String, String>>,
}
1812
/// One label selector requirement used by the namespace selector: a label
/// `key`, an `operator`, and the `values` the operator relates the key to.
///
/// Note: the derived `Default` produces empty `key` and `operator` strings.
/// An empty operator is not one of the valid operators listed on the field,
/// so both should be set explicitly before the value is used.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
    /// The label key that the selector applies to.
    pub key: String,
    /// The relationship between `key` and the set of `values`.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// Array of string values. It must be non-empty when the operator is In
    /// or NotIn, and must be empty when the operator is Exists or
    /// DoesNotExist. This array is replaced during a strategic merge patch.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub values: Option<Vec<String>>,
}
1830
/// LocalObjectReference: carries enough information to locate the referenced
/// object inside the same namespace.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecImagePullSecrets {
    /// Name of the referent.
    /// The field is effectively required; it is allowed to be empty only for
    /// backwards compatibility, and an instance with an empty value here is
    /// almost certainly wrong. The derived `Default` leaves it as `None`, so
    /// a defaulted entry falls into that "almost certainly wrong" case.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub name: Option<String>,
}
1843
/// Pod-level security context for the solver pod, applied when specified.
///
/// Every field is optional and the derived `Default` sets them all to
/// `None`. Per the field documentation below, that means no non-root
/// validation is performed and no seccomp profile is requested by this
/// struct; hardening has to be set explicitly by whoever builds it.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContext {
    /// A special supplemental group that applies to all containers in a pod.
    /// Some volume types allow the Kubelet to change the ownership of that
    /// volume to be owned by the pod:
    ///
    /// 1. The owning GID will be the FSGroup
    /// 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
    /// 3. The permission bits are OR'd with rw-rw----
    ///
    /// If unset, the Kubelet will not modify the ownership and permissions
    /// of any volume.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "fsGroup"
    )]
    pub fs_group: Option<i64>,
    /// Defines the behavior of changing ownership and permission of the
    /// volume before it is exposed inside the Pod. It only applies to volume
    /// types which support fsGroup based ownership (and permissions), and
    /// has no effect on ephemeral volume types such as: secret, configmaps
    /// and emptydir.
    /// Valid values are "OnRootMismatch" and "Always". If not specified,
    /// "Always" is used.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsGroupChangePolicy")]
    pub fs_group_change_policy: Option<String>,
    /// The GID to run the entrypoint of the container process.
    /// Uses runtime default if unset.
    /// May also be set in SecurityContext. If set in both SecurityContext
    /// and PodSecurityContext, the value specified in SecurityContext takes
    /// precedence for that container.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "runAsGroup")]
    pub run_as_group: Option<i64>,
    /// Indicates that the container must run as a non-root user.
    /// If true, the Kubelet validates the image at runtime to ensure that it
    /// does not run as UID 0 (root) and fails to start the container if it
    /// does. If unset or false, no such validation is performed, so `None`
    /// here is not a safe default: the check only happens for `Some(true)`.
    /// May also be set in SecurityContext. If set in both SecurityContext
    /// and PodSecurityContext, the value specified in SecurityContext takes
    /// precedence.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "runAsNonRoot")]
    pub run_as_non_root: Option<bool>,
    /// The UID to run the entrypoint of the container process.
    /// Defaults to the user specified in image metadata if unspecified.
    /// May also be set in SecurityContext. If set in both SecurityContext
    /// and PodSecurityContext, the value specified in SecurityContext takes
    /// precedence for that container.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "runAsUser"
    )]
    pub run_as_user: Option<i64>,
    /// The SELinux context to be applied to all containers.
    /// If unspecified, the container runtime will allocate a random SELinux
    /// context for each container. May also be set in SecurityContext. If
    /// set in both SecurityContext and PodSecurityContext, the value
    /// specified in SecurityContext takes precedence for that container.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "seLinuxOptions")]
    pub se_linux_options: Option<
        IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeLinuxOptions,
    >,
    /// The seccomp options to use by the containers in this pod.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "seccompProfile")]
    pub seccomp_profile: Option<
        IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeccompProfile,
    >,
    /// A list of groups applied to the first process run in each container,
    /// in addition to the container's primary GID, the fsGroup (if
    /// specified), and group memberships defined in the container image for
    /// the uid of the container process. If unspecified, no additional
    /// groups are added to any container. Group memberships defined in the
    /// container image for the uid of the container process are still
    /// effective even if they are not included in this list, so this list
    /// alone does not describe every group the process ends up with.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "supplementalGroups")]
    pub supplemental_groups: Option<Vec<i64>>,
    /// List of namespaced sysctls used for the pod. Pods with sysctls that
    /// the container runtime does not support might fail to launch.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub sysctls: Option<
        Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSysctls>,
    >,
}
1946
/// The SELinux context to be applied to all containers.
///
/// If unspecified, the container runtime will allocate a random SELinux
/// context for each container. May also be set in SecurityContext; when set
/// in both SecurityContext and PodSecurityContext, the value specified in
/// SecurityContext takes precedence for that container.
/// Note that this field cannot be set when spec.os.name is windows.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeLinuxOptions {
    /// SELinux level label that applies to the container.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub level: Option<String>,
    /// SELinux role label that applies to the container.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub role: Option<String>,
    /// SELinux type label that applies to the container.
    /// Serialized as `type`; the Rust field is a raw identifier because
    /// `type` is a keyword.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "type"
    )]
    pub r#type: Option<String>,
    /// SELinux user label that applies to the container.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub user: Option<String>,
}
1968
/// The seccomp options to use by the containers in this pod.
/// Note that this field cannot be set when spec.os.name is windows.
///
/// Note: the derived `Default` leaves `type` as an empty string, which is
/// none of the valid options listed on the field; set it explicitly.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeccompProfile {
    /// Indicates that a profile defined in a file on the node should be used.
    /// The profile must be preconfigured on the node to work.
    /// Must be a descending path, relative to the kubelet's configured
    /// seccomp profile location.
    /// Must be set if type is "Localhost". Must NOT be set for any other type.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "localhostProfile")]
    pub localhost_profile: Option<String>,
    /// Indicates which kind of seccomp profile will be applied.
    /// Valid options are:
    ///
    /// Localhost - a profile defined in a file on the node should be used.
    /// RuntimeDefault - the container runtime default profile should be used.
    /// Unconfined - no profile should be applied.
    ///
    /// With Unconfined the solver containers run without a seccomp syscall
    /// filter; RuntimeDefault (or a reviewed Localhost profile) keeps one in
    /// place.
    #[serde(rename = "type")]
    pub r#type: String,
}
1992
/// A single sysctl: a kernel parameter to be set for the pod.
///
/// Both fields are required strings; the derived `Default` yields an entry
/// with an empty name and an empty value.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSysctls {
    /// Name of the property to set.
    pub name: String,
    /// Value of the property to set.
    pub value: String,
}
2001
/// A toleration: the pod it is attached to tolerates any taint that matches
/// the triple `<key,value,effect>` using the matching operator `<operator>`.
///
/// Unset fields widen the match rather than narrow it (an empty effect
/// matches all taint effects, an empty key matches all taint keys), so a
/// mostly-empty toleration is a broad one.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecTolerations {
    /// The taint effect to match. Empty means match all taint effects.
    /// When specified, allowed values are NoSchedule, PreferNoSchedule and
    /// NoExecute.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub effect: Option<String>,
    /// The taint key that the toleration applies to. Empty means match all
    /// taint keys. If the key is empty, operator must be Exists; this
    /// combination means to match all values and all keys.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub key: Option<String>,
    /// The key's relationship to the value.
    /// Valid operators are Exists and Equal. Defaults to Equal.
    /// Exists is equivalent to a wildcard for value, so that a pod can
    /// tolerate all taints of a particular category.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub operator: Option<String>,
    /// The period of time the toleration (which must be of effect NoExecute,
    /// otherwise this field is ignored) tolerates the taint. By default it
    /// is not set, which means tolerate the taint forever (do not evict).
    /// Zero and negative values will be treated as 0 (evict immediately) by
    /// the system.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tolerationSeconds")]
    pub toleration_seconds: Option<i64>,
    /// The taint value the toleration matches to.
    /// If the operator is Exists, the value should be empty, otherwise just
    /// a regular string.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub value: Option<String>,
}
2035
/// The ingress based HTTP01 challenge solver. It solves challenges by
/// creating or modifying Ingress resources in order to route requests for
/// '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
/// provisioned by cert-manager for each Challenge to be completed.
///
/// Only one of `class`, `name` or `ingressClassName` may be specified. This
/// struct does not enforce that; all three are independent `Option`s.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01Ingress {
    /// Configures the annotation `kubernetes.io/ingress.class` when creating
    /// Ingress resources to solve ACME challenges that use this challenge
    /// solver. Only one of `class`, `name` or `ingressClassName` may be
    /// specified.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub class: Option<String>,
    /// Configures the field `ingressClassName` on the created Ingress
    /// resources used to solve ACME challenges that use this challenge
    /// solver. This is the recommended way of configuring the ingress class.
    /// Only one of `class`, `name` or `ingressClassName` may be specified.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "ingressClassName")]
    pub ingress_class_name: Option<String>,
    /// Optional ingress template used to configure the ACME challenge solver
    /// ingress used for HTTP01 challenges.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "ingressTemplate")]
    pub ingress_template: Option<IssuerAcmeSolversHttp01IngressIngressTemplate>,
    /// The name of the ingress resource that should have ACME challenge
    /// solving routes inserted into it in order to solve HTTP01 challenges.
    /// This is typically used in conjunction with ingress controllers like
    /// ingress-gce, which maintains a 1:1 mapping between external IPs and
    /// ingress resources. Only one of `class`, `name` or `ingressClassName`
    /// may be specified.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub name: Option<String>,
    /// Optional pod template used to configure the ACME challenge solver
    /// pods used for HTTP01 challenges.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "podTemplate")]
    pub pod_template: Option<IssuerAcmeSolversHttp01IngressPodTemplate>,
    /// Optional service type for the Kubernetes solver service. Supported
    /// values are NodePort or ClusterIP. If unset, defaults to NodePort.
    ///
    /// A NodePort Service is reachable on a port of every node, whereas
    /// ClusterIP keeps the solver Service cluster-internal. Leaving this
    /// `None` therefore selects the more exposed option; whether ClusterIP
    /// works depends on the ingress controller in use.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceType")]
    pub service_type: Option<String>,
}
2091
/// Optional ingress template used to configure the ACME challenge solver
/// ingress used for HTTP01 challenges.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressIngressTemplate {
    /// ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
    /// Only the 'labels' and 'annotations' fields may be set.
    /// Where labels or annotations overlap with in-built values, the values
    /// given here override the in-built ones.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub metadata: Option<IssuerAcmeSolversHttp01IngressIngressTemplateMetadata>,
}
2103
/// ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
/// Only the 'labels' and 'annotations' fields may be set.
/// Where labels or annotations overlap with in-built values, the values
/// given here override the in-built ones.
///
/// NOTE(review): ingress controllers commonly read their per-Ingress
/// configuration from annotations, so these values are worth reviewing like
/// any other ingress configuration. Confirm against the controller in use.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressIngressTemplateMetadata {
    /// Annotations that should be added to the created ACME HTTP01 solver
    /// ingress.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub annotations: Option<BTreeMap<String, String>>,
    /// Labels that should be added to the created ACME HTTP01 solver ingress.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub labels: Option<BTreeMap<String, String>>,
}
2117
/// Optional pod template used to configure the ACME challenge solver pods
/// used for HTTP01 challenges.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplate {
    /// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
    /// Only the 'labels' and 'annotations' fields may be set.
    /// Where labels or annotations overlap with in-built values, the values
    /// given here override the in-built ones.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub metadata: Option<IssuerAcmeSolversHttp01IngressPodTemplateMetadata>,
    /// PodSpec overrides for the HTTP01 challenge solver pod.
    /// Check ACMEChallengeSolverHTTP01IngressPodSpec to find out the
    /// currently supported fields. All other fields will be ignored.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub spec: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpec>,
}
2134
/// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
/// Only the 'labels' and 'annotations' fields may be set.
/// Where labels or annotations overlap with in-built values, the values
/// given here override the in-built ones.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateMetadata {
    /// Annotations that should be added to the created ACME HTTP01 solver
    /// pods.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub annotations: Option<BTreeMap<String, String>>,
    /// Labels that should be added to the created ACME HTTP01 solver pods.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub labels: Option<BTreeMap<String, String>>,
}
2148
/// PodSpec overrides for the HTTP01 challenge solver pod.
/// Check ACMEChallengeSolverHTTP01IngressPodSpec to find out the currently
/// supported fields. All other fields will be ignored.
///
/// Every field is optional; the derived `Default` sets them all to `None`,
/// including `security_context`, so no pod security settings are requested
/// unless they are filled in explicitly.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpec {
    /// If specified, the pod's scheduling constraints.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub affinity: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinity>,
    /// If specified, the pod's imagePullSecrets.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "imagePullSecrets")]
    pub image_pull_secrets: Option<
        Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets>,
    >,
    /// Selector which must be true for the pod to fit on a node: it must
    /// match a node's labels for the pod to be scheduled on that node.
    /// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeSelector")]
    pub node_selector: Option<BTreeMap<String, String>>,
    /// If specified, the pod's priorityClassName.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "priorityClassName")]
    pub priority_class_name: Option<String>,
    /// If specified, the pod's security context.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "securityContext")]
    pub security_context: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContext>,
    /// If specified, the pod's service account.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "serviceAccountName")]
    pub service_account_name: Option<String>,
    /// If specified, the pod's tolerations.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none"
    )]
    pub tolerations: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecTolerations>>,
}
2199
/// The solver pod's scheduling constraints, applied when specified.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinity {
    /// Describes node affinity scheduling rules for the pod.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "nodeAffinity")]
    pub node_affinity: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity>,
    /// Describes pod affinity scheduling rules (e.g. co-locate this pod in
    /// the same node, zone, etc. as some other pod(s)).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "podAffinity")]
    pub pod_affinity: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity>,
    /// Describes pod anti-affinity scheduling rules (e.g. avoid putting this
    /// pod in the same node, zone, etc. as some other pod(s)).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "podAntiAffinity")]
    pub pod_anti_affinity: Option<
        IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity,
    >,
}
2226
/// Node affinity scheduling rules for the pod.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
    /// Soft preference. The scheduler will prefer to schedule pods to nodes
    /// that satisfy the affinity expressions specified by this field, but it
    /// may choose a node that violates one or more of the expressions. The
    /// most preferred node is the one with the greatest sum of weights: for
    /// each node that meets all of the scheduling requirements (resource
    /// request, requiredDuringScheduling affinity expressions, etc.), a sum
    /// is computed by iterating through the elements of this field and
    /// adding "weight" to the sum if the node matches the corresponding
    /// matchExpressions; the node(s) with the highest sum are the most
    /// preferred.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "preferredDuringSchedulingIgnoredDuringExecution"
    )]
    pub preferred_during_scheduling_ignored_during_execution: Option<
        Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>,
    >,
    /// Hard requirement. If the affinity requirements specified by this
    /// field are not met at scheduling time, the pod will not be scheduled
    /// onto the node. If they cease to be met at some point during pod
    /// execution (e.g. due to an update), the system may or may not try to
    /// eventually evict the pod from its node.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "requiredDuringSchedulingIgnoredDuringExecution"
    )]
    pub required_during_scheduling_ignored_during_execution: Option<
        IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution,
    >,
}
2249
/// An empty preferred scheduling term matches all objects with implicit weight 0
/// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
///
/// Neither field carries `#[serde(default)]`, so both keys must be present
/// when deserializing.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
    /// A node selector term, associated with the corresponding weight.
    pub preference: IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference,
    /// Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
    ///
    /// The derived `Default` sets this to 0, which is outside the documented
    /// range; assign a weight explicitly when starting from `Default::default()`.
    pub weight: i32,
}
2259
/// A node selector term, associated with the corresponding weight.
///
/// Both lists are optional; `None` is omitted from the serialized form, so the
/// derived `Default` serializes as an empty object.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
    /// A list of node selector requirements by node's labels.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>>,
    /// A list of node selector requirements by node's fields.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchFields")]
    pub match_fields: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>>,
}
2270
/// A node selector requirement is a selector that contains values, a key, and an operator
/// that relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions
{
    /// The label key that the selector applies to.
    pub key: String,
    /// Represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
    ///
    /// Stored as a free-form `String`: this type does not check the value
    /// against the list above, and the derived `Default` leaves it empty.
    pub operator: String,
    /// An array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. If the operator is Gt or Lt, the values
    /// array must have a single element, which will be interpreted as an integer.
    /// This array is replaced during a strategic merge patch.
    ///
    /// The operator/values pairing described above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
2289
/// A node selector requirement is a selector that contains values, a key, and an operator
/// that relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields
{
    /// The label key that the selector applies to.
    // NOTE(review): this type is used for `matchFields`, so the key presumably
    // names a node field rather than a label; wording kept from the generated docs.
    pub key: String,
    /// Represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
    ///
    /// Stored as a free-form `String`: this type does not check the value
    /// against the list above, and the derived `Default` leaves it empty.
    pub operator: String,
    /// An array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. If the operator is Gt or Lt, the values
    /// array must have a single element, which will be interpreted as an integer.
    /// This array is replaced during a strategic merge patch.
    ///
    /// The operator/values pairing described above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
2308
/// If the affinity requirements specified by this field are not met at
/// scheduling time, the pod will not be scheduled onto the node.
/// If the affinity requirements specified by this field cease to be met
/// at some point during pod execution (e.g. due to an update), the system
/// may or may not try to eventually evict the pod from its node.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
    /// Required. A list of node selector terms. The terms are ORed.
    ///
    /// The key has no `#[serde(default)]`, so it must be present when
    /// deserializing. The derived `Default` produces an empty list, which
    /// carries no terms; populate it before using the value.
    #[serde(rename = "nodeSelectorTerms")]
    pub node_selector_terms: Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>,
}
2320
/// A null or empty node selector term matches no objects. The requirements of
/// them are ANDed.
/// The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
///
/// The derived `Default` leaves both lists `None`, i.e. it is the empty term
/// described above.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
    /// A list of node selector requirements by node's labels.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>>,
    /// A list of node selector requirements by node's fields.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchFields")]
    pub match_fields: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>>,
}
2333
/// A node selector requirement is a selector that contains values, a key, and an operator
/// that relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions
{
    /// The label key that the selector applies to.
    pub key: String,
    /// Represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
    ///
    /// Stored as a free-form `String`: this type does not check the value
    /// against the list above, and the derived `Default` leaves it empty.
    pub operator: String,
    /// An array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. If the operator is Gt or Lt, the values
    /// array must have a single element, which will be interpreted as an integer.
    /// This array is replaced during a strategic merge patch.
    ///
    /// The operator/values pairing described above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
2352
/// A node selector requirement is a selector that contains values, a key, and an operator
/// that relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields
{
    /// The label key that the selector applies to.
    // NOTE(review): this type is used for `matchFields`, so the key presumably
    // names a node field rather than a label; wording kept from the generated docs.
    pub key: String,
    /// Represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
    ///
    /// Stored as a free-form `String`: this type does not check the value
    /// against the list above, and the derived `Default` leaves it empty.
    pub operator: String,
    /// An array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. If the operator is Gt or Lt, the values
    /// array must have a single element, which will be interpreted as an integer.
    /// This array is replaced during a strategic merge patch.
    ///
    /// The operator/values pairing described above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
2371
/// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
///
/// Both fields are optional: a missing key deserializes to `None`, and `None`
/// is omitted from the serialized form.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
    /// The scheduler will prefer to schedule pods to nodes that satisfy
    /// the affinity expressions specified by this field, but it may choose
    /// a node that violates one or more of the expressions. The node that is
    /// most preferred is the one with the greatest sum of weights, i.e.
    /// for each node that meets all of the scheduling requirements (resource
    /// request, requiredDuringScheduling affinity expressions, etc.),
    /// compute a sum by iterating through the elements of this field and adding
    /// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
    /// node(s) with the highest sum are the most preferred.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
    /// If the affinity requirements specified by this field are not met at
    /// scheduling time, the pod will not be scheduled onto the node.
    /// If the affinity requirements specified by this field cease to be met
    /// at some point during pod execution (e.g. due to a pod label update), the
    /// system may or may not try to eventually evict the pod from its node.
    /// When there are multiple elements, the lists of nodes corresponding to each
    /// podAffinityTerm are intersected, i.e. all terms must be satisfied.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
    pub required_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>>,
}
2396
/// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
///
/// Neither field carries `#[serde(default)]`, so both keys must be present
/// when deserializing.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
    /// Required. A pod affinity term, associated with the corresponding weight.
    #[serde(rename = "podAffinityTerm")]
    pub pod_affinity_term: IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm,
    /// weight associated with matching the corresponding podAffinityTerm,
    /// in the range 1-100.
    ///
    /// The derived `Default` sets this to 0, which is outside the documented
    /// range; assign a weight explicitly when starting from `Default::default()`.
    pub weight: i32,
}
2407
/// Required. A pod affinity term, associated with the corresponding weight.
///
/// `topology_key` is the only key without `#[serde(default)]`; every other
/// field is optional and omitted from the serialized form when `None`.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
    /// A label query over a set of resources, in this case pods.
    /// If it's null, this PodAffinityTerm matches with no Pods.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
    pub label_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>,
    /// MatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
    pub match_label_keys: Option<Vec<String>>,
    /// MismatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
    pub mismatch_label_keys: Option<Vec<String>>,
    /// A label query over the set of namespaces that the term applies to.
    /// The term is applied to the union of the namespaces selected by this field
    /// and the ones listed in the namespaces field.
    /// null selector and null or empty namespaces list means "this pod's namespace".
    /// An empty selector ({}) matches all namespaces.
    ///
    /// `None` and `Some(Default::default())` therefore differ in scope: the
    /// latter serializes as `{}` and, per the line above, selects every
    /// namespace rather than only this pod's own.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
    pub namespace_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>,
    /// namespaces specifies a static list of namespace names that the term applies to.
    /// The term is applied to the union of the namespaces listed in this field
    /// and the ones selected by namespaceSelector.
    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespaces: Option<Vec<String>>,
    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
    /// whose value of the label with key topologyKey matches that of any node on which any of the
    /// selected pods is running.
    /// Empty topologyKey is not allowed.
    ///
    /// The derived `Default` leaves this as an empty string, so set it
    /// explicitly when starting from `Default::default()`.
    #[serde(rename = "topologyKey")]
    pub topology_key: String,
}
2458
/// A label query over a set of resources, in this case pods.
/// If it's null, this PodAffinityTerm matches with no Pods.
///
/// With both fields `None` (the derived `Default`) this serializes as an empty
/// object `{}`, which is a different value from leaving the selector unset.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
2472
/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
{
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    ///
    /// Stored as a free-form `String`: this type does not check the value
    /// against the list above, and the derived `Default` leaves it empty.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    ///
    /// The operator/values pairing described above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
2490
/// A label query over the set of namespaces that the term applies to.
/// The term is applied to the union of the namespaces selected by this field
/// and the ones listed in the namespaces field.
/// null selector and null or empty namespaces list means "this pod's namespace".
/// An empty selector ({}) matches all namespaces.
///
/// With both fields `None` (the derived `Default`) this serializes as `{}`,
/// i.e. the match-all-namespaces form described above. Leave the selector
/// unset in the parent term when that breadth is not intended.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
2507
/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
{
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    ///
    /// Stored as a free-form `String`: this type does not check the value
    /// against the list above, and the derived `Default` leaves it empty.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    ///
    /// The operator/values pairing described above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
2525
/// Defines a set of pods (namely those matching the labelSelector
/// relative to the given namespace(s)) that this pod should be
/// co-located (affinity) or not co-located (anti-affinity) with,
/// where co-located is defined as running on a node whose value of
/// the label with key <topologyKey> matches that of any node on which
/// a pod of the set of pods is running.
///
/// `topology_key` is the only key without `#[serde(default)]`; every other
/// field is optional and omitted from the serialized form when `None`.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
    /// A label query over a set of resources, in this case pods.
    /// If it's null, this PodAffinityTerm matches with no Pods.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
    pub label_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>,
    /// MatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
    pub match_label_keys: Option<Vec<String>>,
    /// MismatchLabelKeys is a set of pod label keys to select which pods will
    /// be taken into consideration. The keys are used to lookup values from the
    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
    /// to select the group of existing pods which pods will be taken into consideration
    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
    /// pod labels will be ignored. The default value is empty.
    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
    pub mismatch_label_keys: Option<Vec<String>>,
    /// A label query over the set of namespaces that the term applies to.
    /// The term is applied to the union of the namespaces selected by this field
    /// and the ones listed in the namespaces field.
    /// null selector and null or empty namespaces list means "this pod's namespace".
    /// An empty selector ({}) matches all namespaces.
    ///
    /// `None` and `Some(Default::default())` therefore differ in scope: the
    /// latter serializes as `{}` and, per the line above, selects every
    /// namespace rather than only this pod's own.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
    pub namespace_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>,
    /// namespaces specifies a static list of namespace names that the term applies to.
    /// The term is applied to the union of the namespaces listed in this field
    /// and the ones selected by namespaceSelector.
    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespaces: Option<Vec<String>>,
    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
    /// whose value of the label with key topologyKey matches that of any node on which any of the
    /// selected pods is running.
    /// Empty topologyKey is not allowed.
    ///
    /// The derived `Default` leaves this as an empty string, so set it
    /// explicitly when starting from `Default::default()`.
    #[serde(rename = "topologyKey")]
    pub topology_key: String,
}
2581
/// A label query over a set of resources, in this case pods.
/// If it's null, this PodAffinityTerm matches with no Pods.
///
/// With both fields `None` (the derived `Default`) this serializes as an empty
/// object `{}`, which is a different value from leaving the selector unset.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
2595
/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
{
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    ///
    /// Stored as a free-form `String`: this type does not check the value
    /// against the list above, and the derived `Default` leaves it empty.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    ///
    /// The operator/values pairing described above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
2613
/// A label query over the set of namespaces that the term applies to.
/// The term is applied to the union of the namespaces selected by this field
/// and the ones listed in the namespaces field.
/// null selector and null or empty namespaces list means "this pod's namespace".
/// An empty selector ({}) matches all namespaces.
///
/// With both fields `None` (the derived `Default`) this serializes as `{}`,
/// i.e. the match-all-namespaces form described above. Leave the selector
/// unset in the parent term when that breadth is not intended.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
2630
/// A label selector requirement is a selector that contains values, a key, and an operator that
/// relates the key and values.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
{
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    ///
    /// Stored as a free-form `String`: this type does not check the value
    /// against the list above, and the derived `Default` leaves it empty.
    pub operator: String,
    /// values is an array of string values. If the operator is In or NotIn,
    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
    /// the values array must be empty. This array is replaced during a strategic
    /// merge patch.
    ///
    /// The operator/values pairing described above is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
2648
/// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
///
/// Both fields are optional: a missing key deserializes to `None`, and `None`
/// is omitted from the serialized form.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
    /// The scheduler will prefer to schedule pods to nodes that satisfy
    /// the anti-affinity expressions specified by this field, but it may choose
    /// a node that violates one or more of the expressions. The node that is
    /// most preferred is the one with the greatest sum of weights, i.e.
    /// for each node that meets all of the scheduling requirements (resource
    /// request, requiredDuringScheduling anti-affinity expressions, etc.),
    /// compute a sum by iterating through the elements of this field and adding
    /// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
    /// node(s) with the highest sum are the most preferred.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
    /// If the anti-affinity requirements specified by this field are not met at
    /// scheduling time, the pod will not be scheduled onto the node.
    /// If the anti-affinity requirements specified by this field cease to be met
    /// at some point during pod execution (e.g. due to a pod label update), the
    /// system may or may not try to eventually evict the pod from its node.
    /// When there are multiple elements, the lists of nodes corresponding to each
    /// podAffinityTerm are intersected, i.e. all terms must be satisfied.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
    pub required_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>>,
}
2673
/// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
///
/// Neither field carries `#[serde(default)]`, so both keys must be present
/// when deserializing.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
    /// Required. A pod affinity term, associated with the corresponding weight.
    #[serde(rename = "podAffinityTerm")]
    pub pod_affinity_term: IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm,
    /// weight associated with matching the corresponding podAffinityTerm,
    /// in the range 1-100.
    ///
    /// The derived `Default` sets this to 0, which is outside the documented
    /// range; assign a weight explicitly when starting from `Default::default()`.
    pub weight: i32,
}
2684
/// Required. The pod affinity term paired with a weight in a preferred
/// anti-affinity rule.
///
/// Note: the derived `Default` leaves `topology_key` empty, and an empty
/// topologyKey is not allowed, so it must be filled in.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm
{
    /// Label query over a set of resources, here pods.
    /// A null selector makes this PodAffinityTerm match no Pods.
    #[serde(rename = "labelSelector")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub label_selector: Option<
        IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector,
    >,
    /// Pod label keys used to pick which pods are taken into consideration.
    /// Each key is looked up in the incoming pod's labels and the resulting
    /// key-value pair is merged with `labelSelector` as `key in (value)` to
    /// select the existing pods considered for the incoming pod's (anti)
    /// affinity. Keys missing from the incoming pod's labels are ignored.
    /// The default value is empty.
    /// A key may not appear in both matchLabelKeys and labelSelector, and
    /// matchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity
    /// feature gate (enabled by default).
    #[serde(rename = "matchLabelKeys")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_label_keys: Option<Vec<String>>,
    /// Pod label keys used to pick which pods are taken into consideration.
    /// Each key is looked up in the incoming pod's labels and the resulting
    /// key-value pair is merged with `labelSelector` as `key notin (value)` to
    /// select the existing pods considered for the incoming pod's (anti)
    /// affinity. Keys missing from the incoming pod's labels are ignored.
    /// The default value is empty.
    /// A key may not appear in both mismatchLabelKeys and labelSelector, and
    /// mismatchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity
    /// feature gate (enabled by default).
    #[serde(rename = "mismatchLabelKeys")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub mismatch_label_keys: Option<Vec<String>>,
    /// Label query over the set of namespaces the term applies to.
    /// The term applies to the union of the namespaces selected here and the
    /// ones listed in the namespaces field.
    /// A null selector together with a null or empty namespaces list means
    /// "this pod's namespace".
    /// An empty selector ({}) matches all namespaces, so the term then takes
    /// pods in every namespace into account.
    #[serde(rename = "namespaceSelector")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace_selector: Option<
        IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector,
    >,
    /// Static list of namespace names the term applies to.
    /// The term applies to the union of the namespaces listed here and the
    /// ones selected by namespaceSelector.
    /// A null or empty list together with a null namespaceSelector means
    /// "this pod's namespace".
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub namespaces: Option<Vec<String>>,
    /// This pod should be co-located (affinity) or not co-located
    /// (anti-affinity) with the pods matching the labelSelector in the
    /// specified namespaces. Co-located means running on a node whose value of
    /// the label with key topologyKey matches that of any node on which any of
    /// the selected pods is running.
    /// Empty topologyKey is not allowed.
    #[serde(rename = "topologyKey")]
    pub topology_key: String,
}
2735
/// Label query over a set of resources, here pods.
/// A null selector makes the enclosing PodAffinityTerm match no Pods.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector
{
    /// List of label selector requirements. The requirements are ANDed.
    #[serde(rename = "matchExpressions")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_expressions: Option<
        Vec<
            IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions,
        >,
    >,
    /// Map of {key,value} pairs. Each pair is equivalent to a matchExpressions
    /// element whose key field is "key", whose operator is "In", and whose
    /// values array contains only "value". The requirements are ANDed.
    #[serde(rename = "matchLabels")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
2749
/// A single label selector requirement: a key, an operator, and the values the
/// operator relates the key to.
///
/// Note: the derived `Default` leaves `key` and `operator` empty; an empty
/// operator is not one of the valid operators listed below.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
{
    /// Label key that the selector applies to.
    pub key: String,
    /// Relationship between the key and the set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// Array of string values. It must be non-empty when the operator is In or
    /// NotIn, and must be empty when the operator is Exists or DoesNotExist.
    /// This array is replaced during a strategic merge patch.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub values: Option<Vec<String>>,
}
2767
/// Label query over the set of namespaces the term applies to.
/// The term applies to the union of the namespaces selected here and the ones
/// listed in the namespaces field.
/// A null selector together with a null or empty namespaces list means
/// "this pod's namespace".
/// An empty selector ({}) matches all namespaces, so the term then takes pods
/// in every namespace into account.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector
{
    /// List of label selector requirements. The requirements are ANDed.
    #[serde(rename = "matchExpressions")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_expressions: Option<
        Vec<
            IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions,
        >,
    >,
    /// Map of {key,value} pairs. Each pair is equivalent to a matchExpressions
    /// element whose key field is "key", whose operator is "In", and whose
    /// values array contains only "value". The requirements are ANDed.
    #[serde(rename = "matchLabels")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
2784
/// A single label selector requirement: a key, an operator, and the values the
/// operator relates the key to.
///
/// Note: the derived `Default` leaves `key` and `operator` empty; an empty
/// operator is not one of the valid operators listed below.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
{
    /// Label key that the selector applies to.
    pub key: String,
    /// Relationship between the key and the set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// Array of string values. It must be non-empty when the operator is In or
    /// NotIn, and must be empty when the operator is Exists or DoesNotExist.
    /// This array is replaced during a strategic merge patch.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub values: Option<Vec<String>>,
}
2802
/// A required anti-affinity term in the HTTP-01 solver pod template.
///
/// It defines a set of pods (those matching the labelSelector relative to the
/// given namespace(s)) that this pod should be co-located (affinity) or not
/// co-located (anti-affinity) with. Co-located means running on a node whose
/// value of the label with key `topologyKey` matches that of any node on which
/// a pod of the set of pods is running.
///
/// Note: the derived `Default` leaves `topology_key` empty, and an empty
/// topologyKey is not allowed, so it must be filled in.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution
{
    /// Label query over a set of resources, here pods.
    /// A null selector makes this PodAffinityTerm match no Pods.
    #[serde(rename = "labelSelector")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub label_selector: Option<
        IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector,
    >,
    /// Pod label keys used to pick which pods are taken into consideration.
    /// Each key is looked up in the incoming pod's labels and the resulting
    /// key-value pair is merged with `labelSelector` as `key in (value)` to
    /// select the existing pods considered for the incoming pod's (anti)
    /// affinity. Keys missing from the incoming pod's labels are ignored.
    /// The default value is empty.
    /// A key may not appear in both matchLabelKeys and labelSelector, and
    /// matchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity
    /// feature gate (enabled by default).
    #[serde(rename = "matchLabelKeys")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_label_keys: Option<Vec<String>>,
    /// Pod label keys used to pick which pods are taken into consideration.
    /// Each key is looked up in the incoming pod's labels and the resulting
    /// key-value pair is merged with `labelSelector` as `key notin (value)` to
    /// select the existing pods considered for the incoming pod's (anti)
    /// affinity. Keys missing from the incoming pod's labels are ignored.
    /// The default value is empty.
    /// A key may not appear in both mismatchLabelKeys and labelSelector, and
    /// mismatchLabelKeys cannot be set when labelSelector isn't set.
    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity
    /// feature gate (enabled by default).
    #[serde(rename = "mismatchLabelKeys")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub mismatch_label_keys: Option<Vec<String>>,
    /// Label query over the set of namespaces the term applies to.
    /// The term applies to the union of the namespaces selected here and the
    /// ones listed in the namespaces field.
    /// A null selector together with a null or empty namespaces list means
    /// "this pod's namespace".
    /// An empty selector ({}) matches all namespaces, so the term then takes
    /// pods in every namespace into account.
    #[serde(rename = "namespaceSelector")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace_selector: Option<
        IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector,
    >,
    /// Static list of namespace names the term applies to.
    /// The term applies to the union of the namespaces listed here and the
    /// ones selected by namespaceSelector.
    /// A null or empty list together with a null namespaceSelector means
    /// "this pod's namespace".
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub namespaces: Option<Vec<String>>,
    /// This pod should be co-located (affinity) or not co-located
    /// (anti-affinity) with the pods matching the labelSelector in the
    /// specified namespaces. Co-located means running on a node whose value of
    /// the label with key topologyKey matches that of any node on which any of
    /// the selected pods is running.
    /// Empty topologyKey is not allowed.
    #[serde(rename = "topologyKey")]
    pub topology_key: String,
}
2858
/// Label query over a set of resources, here pods.
/// A null selector makes the enclosing PodAffinityTerm match no Pods.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector
{
    /// List of label selector requirements. The requirements are ANDed.
    #[serde(rename = "matchExpressions")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_expressions: Option<
        Vec<
            IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions,
        >,
    >,
    /// Map of {key,value} pairs. Each pair is equivalent to a matchExpressions
    /// element whose key field is "key", whose operator is "In", and whose
    /// values array contains only "value". The requirements are ANDed.
    #[serde(rename = "matchLabels")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
2872
/// A single label selector requirement: a key, an operator, and the values the
/// operator relates the key to.
///
/// Note: the derived `Default` leaves `key` and `operator` empty; an empty
/// operator is not one of the valid operators listed below.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
{
    /// Label key that the selector applies to.
    pub key: String,
    /// Relationship between the key and the set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// Array of string values. It must be non-empty when the operator is In or
    /// NotIn, and must be empty when the operator is Exists or DoesNotExist.
    /// This array is replaced during a strategic merge patch.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub values: Option<Vec<String>>,
}
2890
/// Label query over the set of namespaces the term applies to.
/// The term applies to the union of the namespaces selected here and the ones
/// listed in the namespaces field.
/// A null selector together with a null or empty namespaces list means
/// "this pod's namespace".
/// An empty selector ({}) matches all namespaces, so the term then takes pods
/// in every namespace into account.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector
{
    /// List of label selector requirements. The requirements are ANDed.
    #[serde(rename = "matchExpressions")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_expressions: Option<
        Vec<
            IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions,
        >,
    >,
    /// Map of {key,value} pairs. Each pair is equivalent to a matchExpressions
    /// element whose key field is "key", whose operator is "In", and whose
    /// values array contains only "value". The requirements are ANDed.
    #[serde(rename = "matchLabels")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
2907
/// A single label selector requirement: a key, an operator, and the values the
/// operator relates the key to.
///
/// Note: the derived `Default` leaves `key` and `operator` empty; an empty
/// operator is not one of the valid operators listed below.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
{
    /// Label key that the selector applies to.
    pub key: String,
    /// Relationship between the key and the set of values.
    /// Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: String,
    /// Array of string values. It must be non-empty when the operator is In or
    /// NotIn, and must be empty when the operator is Exists or DoesNotExist.
    /// This array is replaced during a strategic merge patch.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub values: Option<Vec<String>>,
}
2925
/// LocalObjectReference: carries enough information to locate the referenced
/// object inside the same namespace.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
    /// Name of the referent.
    /// The field is effectively required; an empty value is tolerated only for
    /// backwards compatibility, and an instance with an empty name is almost
    /// certainly wrong.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub name: Option<String>,
}
2938
/// If specified, the pod's security context.
///
/// Every field is optional, so an absent field falls back to the behaviour
/// described on that field rather than to a hardened setting. Review
/// `run_as_non_root` and `seccomp_profile` in particular.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
    /// A special supplemental group that applies to all containers in a pod.
    /// Some volume types allow the Kubelet to change the ownership of that
    /// volume to be owned by the pod:
    ///
    /// 1. The owning GID will be the FSGroup
    /// 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
    /// 3. The permission bits are OR'd with rw-rw----
    ///
    /// When unset, the Kubelet leaves the ownership and permissions of every
    /// volume untouched.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(rename = "fsGroup")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub fs_group: Option<i64>,
    /// Controls how ownership and permissions of the volume are changed before
    /// it is exposed inside the Pod. It applies only to volume types that
    /// support fsGroup based ownership (and permissions), and has no effect on
    /// ephemeral volume types such as: secret, configmaps and emptydir.
    /// Valid values are "OnRootMismatch" and "Always". If not specified,
    /// "Always" is used.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(rename = "fsGroupChangePolicy")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub fs_group_change_policy: Option<String>,
    /// The GID to run the entrypoint of the container process.
    /// Uses runtime default if unset.
    /// May also be set in SecurityContext; when set in both SecurityContext
    /// and PodSecurityContext, the SecurityContext value takes precedence for
    /// that container.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(rename = "runAsGroup")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub run_as_group: Option<i64>,
    /// Indicates that the container must run as a non-root user.
    /// If true, the Kubelet validates the image at runtime to make sure it
    /// does not run as UID 0 (root), and fails to start the container if it
    /// does. If unset or false, no such validation is performed, so leaving
    /// the field out does not prevent the pod from running as root.
    /// May also be set in SecurityContext; when set in both SecurityContext
    /// and PodSecurityContext, the SecurityContext value takes precedence.
    #[serde(rename = "runAsNonRoot")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub run_as_non_root: Option<bool>,
    /// The UID to run the entrypoint of the container process.
    /// Defaults to user specified in image metadata if unspecified.
    /// May also be set in SecurityContext; when set in both SecurityContext
    /// and PodSecurityContext, the SecurityContext value takes precedence for
    /// that container.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(rename = "runAsUser")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub run_as_user: Option<i64>,
    /// The SELinux context to be applied to all containers.
    /// If unspecified, the container runtime allocates a random SELinux
    /// context for each container. May also be set in SecurityContext; when
    /// set in both SecurityContext and PodSecurityContext, the SecurityContext
    /// value takes precedence for that container.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(rename = "seLinuxOptions")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub se_linux_options:
        Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions>,
    /// The seccomp options to use by the containers in this pod.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(rename = "seccompProfile")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub seccomp_profile:
        Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile>,
    /// Groups applied to the first process run in each container, in addition
    /// to the container's primary GID, the fsGroup (if specified), and group
    /// memberships defined in the container image for the uid of the container
    /// process. If unspecified, no additional groups are added to any
    /// container. Group memberships defined in the container image for the uid
    /// of the container process remain effective even when they are not
    /// included in this list.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(rename = "supplementalGroups")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub supplemental_groups: Option<Vec<i64>>,
    /// List of namespaced sysctls used for the pod. Pods with sysctls that the
    /// container runtime does not support might fail to launch.
    /// Note that this field cannot be set when spec.os.name is windows.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub sysctls: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls>>,
}
3040
/// The SELinux context to be applied to all containers.
/// If unspecified, the container runtime allocates a random SELinux context
/// for each container. May also be set in SecurityContext; when set in both
/// SecurityContext and PodSecurityContext, the SecurityContext value takes
/// precedence for that container.
/// Note that this field cannot be set when spec.os.name is windows.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
    /// SELinux level label that applies to the container.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub level: Option<String>,
    /// SELinux role label that applies to the container.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub role: Option<String>,
    /// SELinux type label that applies to the container.
    #[serde(rename = "type")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    /// SELinux user label that applies to the container.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub user: Option<String>,
}
3062
/// The seccomp options to use by the containers in this pod.
/// Note that this field cannot be set when spec.os.name is windows.
///
/// Note: the derived `Default` leaves `r#type` as an empty string, which is
/// none of the valid options listed on that field.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
    /// Selects a profile defined in a file on the node.
    /// The profile must be preconfigured on the node to work.
    /// Must be a descending path, relative to the kubelet's configured seccomp
    /// profile location.
    /// Must be set if type is "Localhost". Must NOT be set for any other type.
    #[serde(rename = "localhostProfile")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub localhost_profile: Option<String>,
    /// Which kind of seccomp profile will be applied.
    /// Valid options are:
    ///
    /// Localhost - a profile defined in a file on the node should be used.
    /// RuntimeDefault - the container runtime default profile should be used.
    /// Unconfined - no profile should be applied.
    ///
    /// `Unconfined` leaves the solver containers without any seccomp
    /// filtering, so treat it as an exception that needs a justification.
    #[serde(rename = "type")]
    pub r#type: String,
}
3086
/// Sysctl: one kernel parameter to be set for the pod.
///
/// Both fields are plain strings taken from the Issuer manifest; nothing in
/// this type restricts which parameter is named.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
    /// Name of the property to set.
    pub name: String,
    /// Value of the property to set.
    pub value: String,
}
3095
/// A toleration: the pod it is attached to tolerates any taint that matches
/// the triple `<key,value,effect>` using the matching operator `<operator>`.
///
/// An empty key combined with operator Exists matches all keys and values, and
/// an empty effect matches all taint effects, so such a toleration lets the
/// solver pod land on any tainted node. Keep tolerations as narrow as the
/// deployment allows.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecTolerations {
    /// Taint effect to match. Empty means match all taint effects.
    /// When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub effect: Option<String>,
    /// Taint key that the toleration applies to. Empty means match all taint
    /// keys. If the key is empty, operator must be Exists; this combination
    /// means to match all values and all keys.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub key: Option<String>,
    /// Relationship between the key and the value.
    /// Valid operators are Exists and Equal. Defaults to Equal.
    /// Exists is equivalent to a wildcard for value, so that a pod can
    /// tolerate all taints of a particular category.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub operator: Option<String>,
    /// Period of time the toleration (which must be of effect NoExecute,
    /// otherwise this field is ignored) tolerates the taint. By default it is
    /// not set, which means tolerate the taint forever (do not evict). Zero
    /// and negative values are treated as 0 (evict immediately) by the system.
    #[serde(rename = "tolerationSeconds")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub toleration_seconds: Option<i64>,
    /// Taint value the toleration matches to.
    /// If the operator is Exists, the value should be empty, otherwise just a
    /// regular string.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub value: Option<String>,
}
3129
/// Selects the set of DNSNames on the Certificate resource that should be
/// solved using this challenge solver.
/// If not specified, the solver is treated as the 'default' solver with the
/// lowest priority, i.e. any other solver with a more specific match is used
/// instead.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerAcmeSolversSelector {
    /// List of DNSNames that this solver will be used to solve.
    /// If specified and a match is found, a dnsNames selector takes precedence
    /// over a dnsZones selector.
    /// If multiple solvers match with the same dnsNames value, the solver with
    /// the most matching labels in matchLabels is selected.
    /// If neither has more matches, the solver defined earlier in the list is
    /// selected.
    #[serde(rename = "dnsNames")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub dns_names: Option<Vec<String>>,
    /// List of DNSZones that this solver will be used to solve.
    /// The most specific DNS zone match specified here takes precedence over
    /// other DNS zone matches, so a solver specifying sys.example.com is
    /// selected over one specifying example.com for the domain
    /// www.sys.example.com.
    /// If multiple solvers match with the same dnsZones value, the solver with
    /// the most matching labels in matchLabels is selected.
    /// If neither has more matches, the solver defined earlier in the list is
    /// selected.
    #[serde(rename = "dnsZones")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub dns_zones: Option<Vec<String>>,
    /// A label selector that is used to refine the set of certificates that
    /// this challenge solver will apply to.
    #[serde(rename = "matchLabels")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub match_labels: Option<BTreeMap<String, String>>,
}
3166
/// CA configures this issuer to sign certificates using a signing CA keypair
/// stored in a Secret resource.
/// This is used to build internal PKIs that are managed by cert-manager.
///
/// Because the Secret named by `secret_name` holds the signing keypair, read
/// access to that Secret amounts to the ability to issue certificates under
/// this CA; scope access to it accordingly.
///
/// Note: the derived `Default` leaves `secret_name` empty, so it must be set.
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
pub struct IssuerCa {
    /// The CRL distribution points is an X.509 v3 certificate extension which
    /// identifies the location of the CRL from which the revocation of this
    /// certificate can be checked.
    /// If not set, certificates are issued without distribution points, so
    /// they carry no CRL location for relying parties to consult.
    #[serde(rename = "crlDistributionPoints")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub crl_distribution_points: Option<Vec<String>>,
    /// IssuingCertificateURLs is a list of URLs which this issuer should embed
    /// into certificates it creates.
    /// See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
    /// As an example, such a URL might be "http://ca.domain.com/ca.crt".
    ///
    /// The Rust field name is the generator's snake_case rendering of
    /// `issuingCertificateURLs`; the serialized name is set by the `rename`.
    #[serde(rename = "issuingCertificateURLs")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub issuing_certificate_ur_ls: Option<Vec<String>>,
    /// The OCSP server list is an X.509 v3 extension that defines a list of
    /// URLs of OCSP responders. The OCSP responders can be queried for the
    /// revocation status of an issued certificate. If not set, the certificate
    /// is issued with no OCSP servers set. For example, an OCSP server URL
    /// could be "http://ocsp.int-x3.letsencrypt.org".
    #[serde(rename = "ocspServers")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ocsp_servers: Option<Vec<String>>,
    /// SecretName is the name of the secret used to sign Certificates issued
    /// by this Issuer.
    #[serde(rename = "secretName")]
    pub secret_name: String,
}
3206
/// SelfSigned configures this issuer to 'self sign' certificates using the
/// private key used to create the CertificateRequest object.
///
/// The struct has one optional field, so an empty object deserializes
/// successfully and `Default` is a complete value.
// A self-signed certificate chains to no CA, so relying parties have to be
// given the certificate (or its key) as a trust anchor out of band.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerSelfSigned {
    /// The CRL distribution points is an X.509 v3 certificate extension which identifies
    /// the location of the CRL from which the revocation of this certificate can be checked.
    /// If not set, the certificate is issued without a CDP. Values are strings.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "crlDistributionPoints"
    )]
    pub crl_distribution_points: Option<Vec<String>>,
}
3221
/// Vault configures this issuer to sign certificates using a HashiCorp Vault
/// PKI backend.
///
/// `auth`, `path` and `server` are required when deserializing (none of them
/// has `#[serde(default)]`); every other field is optional.
// NOTE(review): the derived `Default` yields empty `server` and `path` strings
// and an `auth` with no mechanism selected. It is a construction helper, not a
// usable configuration.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVault {
    /// Auth configures how cert-manager authenticates with the Vault server.
    pub auth: IssuerVaultAuth,
    /// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
    /// chain presented by Vault. Only used if using HTTPS to connect to Vault and
    /// ignored for HTTP connections.
    /// Mutually exclusive with CABundleSecretRef.
    /// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
    /// the cert-manager controller container is used to validate the TLS connection.
    // The type does not enforce the mutual exclusion: `ca_bundle` and
    // `ca_bundle_secret_ref` are independent `Option`s, so both can be `Some`.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// Reference to a Secret containing a bundle of PEM-encoded CAs to use when
    /// verifying the certificate chain presented by Vault when using HTTPS.
    /// Mutually exclusive with CABundle.
    /// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
    /// the cert-manager controller container is used to validate the TLS connection.
    /// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "caBundleSecretRef"
    )]
    pub ca_bundle_secret_ref: Option<IssuerVaultCaBundleSecretRef>,
    /// Reference to a Secret containing a PEM-encoded Client Certificate to use when the
    /// Vault server requires mTLS.
    // Presumably set together with `client_key_secret_ref`; the type lets
    // either be present without the other. Confirm against cert-manager.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "clientCertSecretRef"
    )]
    pub client_cert_secret_ref: Option<IssuerVaultClientCertSecretRef>,
    /// Reference to a Secret containing a PEM-encoded Client Private Key to use when the
    /// Vault server requires mTLS.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "clientKeySecretRef"
    )]
    pub client_key_secret_ref: Option<IssuerVaultClientKeySecretRef>,
    /// Name of the vault namespace. Namespaces is a set of features within Vault
    /// Enterprise that allows Vault environments to support Secure Multi-tenancy.
    /// e.g: "ns1"
    /// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    /// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
    /// "my_pki_mount/sign/my-role-name".
    pub path: String,
    /// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
    // NOTE(review): per the `ca_bundle` docs, CA validation applies only to
    // HTTPS. With an `http://` address the credential selected in `auth` would
    // presumably be sent without TLS protection, so prefer `https://` (confirm).
    pub server: String,
}
3274
/// Auth configures how cert-manager authenticates with the Vault server.
///
/// Each field selects one authentication mechanism; all four are optional.
// NOTE(review): nothing in this type requires that exactly one mechanism is
// set. `Default` gives all `None`, and several can be `Some` at once. Which
// combination cert-manager accepts is not visible here, so validate before
// applying.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultAuth {
    /// AppRole authenticates with Vault using the App Role auth mechanism,
    /// with the role and secret stored in a Kubernetes Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "appRole")]
    pub app_role: Option<IssuerVaultAuthAppRole>,
    /// ClientCertificate authenticates with Vault by presenting a client
    /// certificate during the request's TLS handshake.
    /// Works only when using HTTPS protocol.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "clientCertificate"
    )]
    pub client_certificate: Option<IssuerVaultAuthClientCertificate>,
    /// Kubernetes authenticates with Vault by passing the ServiceAccount
    /// token stored in the named Secret resource to the Vault server.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub kubernetes: Option<IssuerVaultAuthKubernetes>,
    /// TokenSecretRef authenticates with Vault by presenting a token.
    // The token is read from a Secret and is presumably a static credential;
    // its lifetime and rotation are managed outside this type.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "tokenSecretRef"
    )]
    pub token_secret_ref: Option<IssuerVaultAuthTokenSecretRef>,
}
3303
/// AppRole authenticates with Vault using the App Role auth mechanism,
/// with the role and secret stored in a Kubernetes Secret resource.
///
/// All three fields are required when deserializing; none has
/// `#[serde(default)]`.
// The RoleID is stored inline in the Issuer object; only the App Role secret
// is kept behind a Secret reference.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultAuthAppRole {
    /// Path where the App Role authentication backend is mounted in Vault, e.g:
    /// "approle"
    pub path: String,
    /// RoleID configured in the App Role authentication backend when setting
    /// up the authentication backend in Vault.
    #[serde(rename = "roleId")]
    pub role_id: String,
    /// Reference to a key in a Secret that contains the App Role secret used
    /// to authenticate with Vault.
    /// The `key` field must be specified and denotes which entry within the Secret
    /// resource is used as the app role secret.
    #[serde(rename = "secretRef")]
    pub secret_ref: IssuerVaultAuthAppRoleSecretRef,
}
3322
/// Reference to a key in a Secret that contains the App Role secret used
/// to authenticate with Vault.
/// The `key` field must be specified and denotes which entry within the Secret
/// resource is used as the app role secret.
///
/// Holds only the Secret's name and entry key, never the secret value itself.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultAuthAppRoleSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    // NOTE(review): the struct docs say `key` must be specified for this
    // reference, but the type is `Option<String>` and accepts a missing key.
    // Callers building this value should always set it.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
3338
/// ClientCertificate authenticates with Vault by presenting a client
/// certificate during the request's TLS handshake.
/// Works only when using HTTPS protocol.
///
/// Every field is optional, so an empty object deserializes successfully.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultAuthClientCertificate {
    /// The Vault mountPath here is the mount path to use when authenticating with
    /// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
    /// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
    /// default value "/v1/auth/cert" will be used.
    // This type stores `None` when the field is absent; the documented default
    // is presumably applied by cert-manager, not here.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mountPath")]
    pub mount_path: Option<String>,
    /// Name of the certificate role to authenticate against.
    /// If not set, matching any certificate role, if available.
    // Leaving this unset lets Vault pick any matching role; naming the role
    // keeps the resulting policy set explicit.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
    /// tls.crt and tls.key) used to authenticate to Vault using TLS client
    /// authentication.
    // Only the Secret's name is held here; the referenced Secret contains the
    // client private key (tls.key).
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "secretName"
    )]
    pub secret_name: Option<String>,
}
3364
/// Kubernetes authenticates with Vault by passing the ServiceAccount
/// token stored in the named Secret resource to the Vault server.
///
/// `role` is the only field required when deserializing. The token source is
/// either `secret_ref` (a token stored in a Secret) or `service_account_ref`
/// (a requested bound token).
// NOTE(review): the type does not require that exactly one of `secret_ref` and
// `service_account_ref` is set; both are independent `Option`s.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultAuthKubernetes {
    /// The Vault mountPath here is the mount path to use when authenticating with
    /// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
    /// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
    /// default value "/v1/auth/kubernetes" will be used.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mountPath")]
    pub mount_path: Option<String>,
    /// A required field containing the Vault Role to assume. A Role binds a
    /// Kubernetes ServiceAccount with a set of Vault policies.
    pub role: String,
    /// The required Secret field containing a Kubernetes ServiceAccount JWT used
    /// for authenticating with Vault. Use of 'ambient credentials' is not
    /// supported.
    // Despite "required" in the upstream text, this field is optional in the
    // type; `service_account_ref` is the alternative token source.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
    pub secret_ref: Option<IssuerVaultAuthKubernetesSecretRef>,
    /// A reference to a service account that will be used to request a bound
    /// token (also known as "projected token"). Compared to using "secretRef",
    /// using this field means that you don't rely on statically bound tokens. To
    /// use this field, you must configure an RBAC rule to let cert-manager
    /// request a token.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "serviceAccountRef"
    )]
    pub service_account_ref: Option<IssuerVaultAuthKubernetesServiceAccountRef>,
}
3395
/// The required Secret field containing a Kubernetes ServiceAccount JWT used
/// for authenticating with Vault. Use of 'ambient credentials' is not
/// supported.
///
/// Holds only the Secret's name and entry key; the JWT itself stays in the
/// referenced Secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultAuthKubernetesSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    // Optional in the type; whether a default key applies for this reference
    // is not stated here.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    // Required: no `#[serde(default)]`, so a missing `name` fails to deserialize.
    pub name: String,
}
3410
/// A reference to a service account that will be used to request a bound
/// token (also known as "projected token"). Compared to using "secretRef",
/// using this field means that you don't rely on statically bound tokens. To
/// use this field, you must configure an RBAC rule to let cert-manager
/// request a token.
///
/// `name` is required when deserializing; `audiences` is optional.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultAuthKubernetesServiceAccountRef {
    /// TokenAudiences is an optional list of extra audiences to include in the
    /// token passed to Vault. The default token consisting of the issuer's
    /// namespace and name is always included.
    // Each extra audience widens where the token is accepted; list only the
    // audiences the Vault role actually checks.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub audiences: Option<Vec<String>>,
    /// Name of the ServiceAccount used to request a token.
    pub name: String,
}
3425
/// TokenSecretRef authenticates with Vault by presenting a token.
///
/// Holds only the Secret's name and entry key; the Vault token itself stays in
/// the referenced Secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultAuthTokenSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    // Required: no `#[serde(default)]`, so a missing `name` fails to deserialize.
    pub name: String,
}
3438
/// Reference to a Secret containing a bundle of PEM-encoded CAs to use when
/// verifying the certificate chain presented by Vault when using HTTPS.
/// Mutually exclusive with CABundle.
/// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
/// the cert-manager controller container is used to validate the TLS connection.
/// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
// The referenced Secret decides which CAs are trusted for the Vault
// connection, so write access to it is as sensitive as the Issuer itself.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultCaBundleSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    // Per the struct docs, cert-manager uses 'ca.crt' when this is `None`; the
    // type itself stores `None` and applies no default.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
3456
/// Reference to a Secret containing a PEM-encoded Client Certificate to use when the
/// Vault server requires mTLS.
///
/// Holds only the Secret's name and entry key, not the certificate.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultClientCertSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    // Optional in the type; which key is used when it is `None` is not stated
    // here.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
3470
/// Reference to a Secret containing a PEM-encoded Client Private Key to use when the
/// Vault server requires mTLS.
///
/// Holds only the Secret's name and entry key; the private key stays in the
/// referenced Secret, so access to that Secret is what needs restricting.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVaultClientKeySecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    // Optional in the type; which key is used when it is `None` is not stated
    // here.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
3484
/// Venafi configures this issuer to sign certificates using a Venafi TPP
/// or Venafi Cloud policy zone.
///
/// `zone` is required when deserializing; `cloud` and `tpp` are optional.
// NOTE(review): "only one of TPP or Cloud" is not enforced by this type. Both
// fields are independent `Option`s, and `Default` sets neither and leaves
// `zone` empty.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVenafi {
    /// Cloud specifies the Venafi cloud configuration settings.
    /// Only one of TPP or Cloud may be specified.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub cloud: Option<IssuerVenafiCloud>,
    /// TPP specifies Trust Protection Platform configuration settings.
    /// Only one of TPP or Cloud may be specified.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub tpp: Option<IssuerVenafiTpp>,
    /// Zone is the Venafi Policy Zone to use for this issuer.
    /// All requests made to the Venafi platform will be restricted by the named
    /// zone policy.
    /// This field is required.
    pub zone: String,
}
3503
/// Cloud specifies the Venafi cloud configuration settings.
/// Only one of TPP or Cloud may be specified.
///
/// `apiTokenSecretRef` is required when deserializing; `url` is optional.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVenafiCloud {
    /// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
    #[serde(rename = "apiTokenSecretRef")]
    pub api_token_secret_ref: IssuerVenafiCloudApiTokenSecretRef,
    /// URL is the base URL for Venafi Cloud.
    /// Defaults to "https://api.venafi.cloud/v1".
    // This type stores `None` when the field is absent; the documented default
    // is presumably applied by cert-manager. The API token is sent to whatever
    // host is set here, so an override deserves review.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub url: Option<String>,
}
3516
/// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
///
/// Holds only the Secret's name and entry key; the API token stays in the
/// referenced Secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVenafiCloudApiTokenSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    // Required: no `#[serde(default)]`, so a missing `name` fails to deserialize.
    pub name: String,
}
3529
/// TPP specifies Trust Protection Platform configuration settings.
/// Only one of TPP or Cloud may be specified.
///
/// `credentialsRef` and `url` are required when deserializing; the two CA
/// bundle fields are optional.
// NOTE(review): `ca_bundle` and `ca_bundle_secret_ref` are documented as
// mutually exclusive, but the type lets both be `Some`.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVenafiTpp {
    /// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
    /// chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
    /// If undefined, the certificate bundle in the cert-manager controller container
    /// is used to validate the chain.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
    pub ca_bundle: Option<String>,
    /// Reference to a Secret containing a base64-encoded bundle of PEM CAs
    /// which will be used to validate the certificate chain presented by the TPP server.
    /// Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
    /// If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
    /// the cert-manager controller container is used to validate the TLS connection.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "caBundleSecretRef"
    )]
    pub ca_bundle_secret_ref: Option<IssuerVenafiTppCaBundleSecretRef>,
    /// CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
    /// The secret must contain the key 'access-token' for the Access Token Authentication,
    /// or two keys, 'username' and 'password' for the API Keys Authentication.
    #[serde(rename = "credentialsRef")]
    pub credentials_ref: IssuerVenafiTppCredentialsRef,
    /// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
    /// for example: "https://tpp.example.com/vedsdk".
    // NOTE(review): the CA bundle docs above say validation is ignored for
    // HTTP, so an `http://` URL would presumably send the TPP credentials
    // without TLS protection. Prefer `https://` (confirm).
    pub url: String,
}
3560
/// Reference to a Secret containing a base64-encoded bundle of PEM CAs
/// which will be used to validate the certificate chain presented by the TPP server.
/// Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
/// If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
/// the cert-manager controller container is used to validate the TLS connection.
// The referenced Secret decides which CAs are trusted for the TPP connection,
// so write access to it should be as restricted as write access to the Issuer.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVenafiTppCaBundleSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    // Optional in the type; which key is used when it is `None` is not stated
    // for this reference.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
3577
/// CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
/// The secret must contain the key 'access-token' for the Access Token Authentication,
/// or two keys, 'username' and 'password' for the API Keys Authentication.
///
/// Unlike the other secret references in this file, this one has no `key`
/// field: the entry names are fixed by the convention described above.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerVenafiTppCredentialsRef {
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    // Required: no `#[serde(default)]`, so a missing `name` fails to deserialize.
    pub name: String,
}
3587
/// Status of the Issuer. This is set and managed automatically.
///
/// Both fields are optional, so an empty status object deserializes
/// successfully.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerStatus {
    /// ACME specific status options.
    /// This field should only be set if the Issuer is configured to use an ACME
    /// server to issue certificates.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub acme: Option<IssuerStatusAcme>,
    /// List of status conditions to indicate the status of a CertificateRequest.
    /// Known condition types are `Ready`.
    // NOTE(review): the upstream text says "CertificateRequest", but this field
    // sits on the Issuer status, so it presumably reports the Issuer's own
    // readiness. Confirm before gating issuance on it.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub conditions: Option<Vec<Condition>>,
}
3601
/// ACME specific status options.
/// This field should only be set if the Issuer is configured to use an ACME
/// server to issue certificates.
///
/// All three fields are optional and are omitted from serialized output when
/// `None`.
// These values live in the Issuer's status, so anyone who can read the Issuer
// object can see the account URI and the registered email.
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct IssuerStatusAcme {
    /// LastPrivateKeyHash is a hash of the private key associated with the latest
    /// registered ACME account, in order to track changes made to registered account
    /// associated with the Issuer
    // Stored as an opaque string; the hash algorithm is not visible here. This
    // is a change-tracking value, not the key itself.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "lastPrivateKeyHash"
    )]
    pub last_private_key_hash: Option<String>,
    /// LastRegisteredEmail is the email associated with the latest registered
    /// ACME account, in order to track changes made to registered account
    /// associated with the Issuer
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "lastRegisteredEmail"
    )]
    pub last_registered_email: Option<String>,
    /// URI is the unique account identifier, which can also be used to retrieve
    /// account details from the CA
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub uri: Option<String>,
}