mz_cloud_resources/crd/generated/cert_manager/
issuers.rs

1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10#![allow(rustdoc::all)]
11
12// WARNING: generated by kopium - manual changes will be overwritten
13// kopium command: kopium issuers.cert-manager.io --docs --smart-derive-elision --derive Default
14// kopium version: 0.21.1
15
16#[allow(unused_imports)]
17mod prelude {
18    pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
19    pub use kube::CustomResource;
20    pub use serde::{Deserialize, Serialize};
21    pub use std::collections::BTreeMap;
22}
23use self::prelude::*;
24
25/// Desired state of the Issuer resource.
26#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default)]
27#[kube(
28    group = "cert-manager.io",
29    version = "v1",
30    kind = "Issuer",
31    plural = "issuers"
32)]
33#[kube(namespaced)]
34#[kube(status = "IssuerStatus")]
35#[kube(schema = "disabled")]
36#[kube(derive = "Default")]
37pub struct IssuerSpec {
38    /// ACME configures this issuer to communicate with a RFC8555 (ACME) server
39    /// to obtain signed x509 certificates.
40    #[serde(default, skip_serializing_if = "Option::is_none")]
41    pub acme: Option<IssuerAcme>,
42    /// CA configures this issuer to sign certificates using a signing CA keypair
43    /// stored in a Secret resource.
44    /// This is used to build internal PKIs that are managed by cert-manager.
45    #[serde(default, skip_serializing_if = "Option::is_none")]
46    pub ca: Option<IssuerCa>,
47    /// SelfSigned configures this issuer to 'self sign' certificates using the
48    /// private key used to create the CertificateRequest object.
49    #[serde(
50        default,
51        skip_serializing_if = "Option::is_none",
52        rename = "selfSigned"
53    )]
54    pub self_signed: Option<IssuerSelfSigned>,
55    /// Vault configures this issuer to sign certificates using a HashiCorp Vault
56    /// PKI backend.
57    #[serde(default, skip_serializing_if = "Option::is_none")]
58    pub vault: Option<IssuerVault>,
59    /// Venafi configures this issuer to sign certificates using a Venafi TPP
60    /// or Venafi Cloud policy zone.
61    #[serde(default, skip_serializing_if = "Option::is_none")]
62    pub venafi: Option<IssuerVenafi>,
63}
64
65/// ACME configures this issuer to communicate with a RFC8555 (ACME) server
66/// to obtain signed x509 certificates.
67#[derive(Serialize, Deserialize, Clone, Debug, Default)]
68pub struct IssuerAcme {
69    /// Base64-encoded bundle of PEM CAs which can be used to validate the certificate
70    /// chain presented by the ACME server.
71    /// Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
72    /// kinds of security vulnerabilities.
73    /// If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
74    /// the container is used to validate the TLS connection.
75    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
76    pub ca_bundle: Option<String>,
77    /// Enables or disables generating a new ACME account key.
78    /// If true, the Issuer resource will *not* request a new account but will expect
79    /// the account key to be supplied via an existing secret.
80    /// If false, the cert-manager system will generate a new ACME account key
81    /// for the Issuer.
82    /// Defaults to false.
83    #[serde(
84        default,
85        skip_serializing_if = "Option::is_none",
86        rename = "disableAccountKeyGeneration"
87    )]
88    pub disable_account_key_generation: Option<bool>,
89    /// Email is the email address to be associated with the ACME account.
90    /// This field is optional, but it is strongly recommended to be set.
91    /// It will be used to contact you in case of issues with your account or
92    /// certificates, including expiry notification emails.
93    /// This field may be updated after the account is initially registered.
94    #[serde(default, skip_serializing_if = "Option::is_none")]
95    pub email: Option<String>,
96    /// Enables requesting a Not After date on certificates that matches the
97    /// duration of the certificate. This is not supported by all ACME servers
98    /// like Let's Encrypt. If set to true when the ACME server does not support
99    /// it, it will create an error on the Order.
100    /// Defaults to false.
101    #[serde(
102        default,
103        skip_serializing_if = "Option::is_none",
104        rename = "enableDurationFeature"
105    )]
106    pub enable_duration_feature: Option<bool>,
107    /// ExternalAccountBinding is a reference to a CA external account of the ACME
108    /// server.
109    /// If set, upon registration cert-manager will attempt to associate the given
110    /// external account credentials with the registered ACME account.
111    #[serde(
112        default,
113        skip_serializing_if = "Option::is_none",
114        rename = "externalAccountBinding"
115    )]
116    pub external_account_binding: Option<IssuerAcmeExternalAccountBinding>,
117    /// PreferredChain is the chain to use if the ACME server outputs multiple.
118    /// PreferredChain is no guarantee that this one gets delivered by the ACME
119    /// endpoint.
120    /// For example, for Let's Encrypt's DST crosssign you would use:
121    /// "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
122    /// This value picks the first certificate bundle in the combined set of
123    /// ACME default and alternative chains that has a root-most certificate with
124    /// this value as its issuer's commonname.
125    #[serde(
126        default,
127        skip_serializing_if = "Option::is_none",
128        rename = "preferredChain"
129    )]
130    pub preferred_chain: Option<String>,
131    /// PrivateKey is the name of a Kubernetes Secret resource that will be used to
132    /// store the automatically generated ACME account private key.
133    /// Optionally, a `key` may be specified to select a specific entry within
134    /// the named Secret resource.
135    /// If `key` is not specified, a default of `tls.key` will be used.
136    #[serde(rename = "privateKeySecretRef")]
137    pub private_key_secret_ref: IssuerAcmePrivateKeySecretRef,
138    /// Server is the URL used to access the ACME server's 'directory' endpoint.
139    /// For example, for Let's Encrypt's staging endpoint, you would use:
140    /// "https://acme-staging-v02.api.letsencrypt.org/directory".
141    /// Only ACME v2 endpoints (i.e. RFC 8555) are supported.
142    pub server: String,
143    /// INSECURE: Enables or disables validation of the ACME server TLS certificate.
144    /// If true, requests to the ACME server will not have the TLS certificate chain
145    /// validated.
146    /// Mutually exclusive with CABundle; prefer using CABundle to prevent various
147    /// kinds of security vulnerabilities.
148    /// Only enable this option in development environments.
149    /// If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
150    /// the container is used to validate the TLS connection.
151    /// Defaults to false.
152    #[serde(
153        default,
154        skip_serializing_if = "Option::is_none",
155        rename = "skipTLSVerify"
156    )]
157    pub skip_tls_verify: Option<bool>,
158    /// Solvers is a list of challenge solvers that will be used to solve
159    /// ACME challenges for the matching domains.
160    /// Solver configurations must be provided in order to obtain certificates
161    /// from an ACME server.
162    /// For more information, see: https://cert-manager.io/docs/configuration/acme/
163    #[serde(default, skip_serializing_if = "Option::is_none")]
164    pub solvers: Option<Vec<IssuerAcmeSolvers>>,
165}
166
167/// ExternalAccountBinding is a reference to a CA external account of the ACME
168/// server.
169/// If set, upon registration cert-manager will attempt to associate the given
170/// external account credentials with the registered ACME account.
171#[derive(Serialize, Deserialize, Clone, Debug, Default)]
172pub struct IssuerAcmeExternalAccountBinding {
173    /// Deprecated: keyAlgorithm field exists for historical compatibility
174    /// reasons and should not be used. The algorithm is now hardcoded to HS256
175    /// in golang/x/crypto/acme.
176    #[serde(
177        default,
178        skip_serializing_if = "Option::is_none",
179        rename = "keyAlgorithm"
180    )]
181    pub key_algorithm: Option<IssuerAcmeExternalAccountBindingKeyAlgorithm>,
182    /// keyID is the ID of the CA key that the External Account is bound to.
183    #[serde(rename = "keyID")]
184    pub key_id: String,
185    /// keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
186    /// Secret which holds the symmetric MAC key of the External Account Binding.
187    /// The `key` is the index string that is paired with the key data in the
188    /// Secret and should not be confused with the key data itself, or indeed with
189    /// the External Account Binding keyID above.
190    /// The secret key stored in the Secret **must** be un-padded, base64 URL
191    /// encoded data.
192    #[serde(rename = "keySecretRef")]
193    pub key_secret_ref: IssuerAcmeExternalAccountBindingKeySecretRef,
194}
195
196/// ExternalAccountBinding is a reference to a CA external account of the ACME
197/// server.
198/// If set, upon registration cert-manager will attempt to associate the given
199/// external account credentials with the registered ACME account.
200#[derive(Serialize, Deserialize, Clone, Debug)]
201pub enum IssuerAcmeExternalAccountBindingKeyAlgorithm {
202    #[serde(rename = "HS256")]
203    Hs256,
204    #[serde(rename = "HS384")]
205    Hs384,
206    #[serde(rename = "HS512")]
207    Hs512,
208}
209
210/// keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
211/// Secret which holds the symmetric MAC key of the External Account Binding.
212/// The `key` is the index string that is paired with the key data in the
213/// Secret and should not be confused with the key data itself, or indeed with
214/// the External Account Binding keyID above.
215/// The secret key stored in the Secret **must** be un-padded, base64 URL
216/// encoded data.
217#[derive(Serialize, Deserialize, Clone, Debug, Default)]
218pub struct IssuerAcmeExternalAccountBindingKeySecretRef {
219    /// The key of the entry in the Secret resource's `data` field to be used.
220    /// Some instances of this field may be defaulted, in others it may be
221    /// required.
222    #[serde(default, skip_serializing_if = "Option::is_none")]
223    pub key: Option<String>,
224    /// Name of the resource being referred to.
225    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
226    pub name: String,
227}
228
229/// PrivateKey is the name of a Kubernetes Secret resource that will be used to
230/// store the automatically generated ACME account private key.
231/// Optionally, a `key` may be specified to select a specific entry within
232/// the named Secret resource.
233/// If `key` is not specified, a default of `tls.key` will be used.
234#[derive(Serialize, Deserialize, Clone, Debug, Default)]
235pub struct IssuerAcmePrivateKeySecretRef {
236    /// The key of the entry in the Secret resource's `data` field to be used.
237    /// Some instances of this field may be defaulted, in others it may be
238    /// required.
239    #[serde(default, skip_serializing_if = "Option::is_none")]
240    pub key: Option<String>,
241    /// Name of the resource being referred to.
242    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
243    pub name: String,
244}
245
246/// An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
247/// A selector may be provided to use different solving strategies for different DNS names.
248/// Only one of HTTP01 or DNS01 must be provided.
249#[derive(Serialize, Deserialize, Clone, Debug, Default)]
250pub struct IssuerAcmeSolvers {
251    /// Configures cert-manager to attempt to complete authorizations by
252    /// performing the DNS01 challenge flow.
253    #[serde(default, skip_serializing_if = "Option::is_none")]
254    pub dns01: Option<IssuerAcmeSolversDns01>,
255    /// Configures cert-manager to attempt to complete authorizations by
256    /// performing the HTTP01 challenge flow.
257    /// It is not possible to obtain certificates for wildcard domain names
258    /// (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
259    #[serde(default, skip_serializing_if = "Option::is_none")]
260    pub http01: Option<IssuerAcmeSolversHttp01>,
261    /// Selector selects a set of DNSNames on the Certificate resource that
262    /// should be solved using this challenge solver.
263    /// If not specified, the solver will be treated as the 'default' solver
264    /// with the lowest priority, i.e. if any other solver has a more specific
265    /// match, it will be used instead.
266    #[serde(default, skip_serializing_if = "Option::is_none")]
267    pub selector: Option<IssuerAcmeSolversSelector>,
268}
269
270/// Configures cert-manager to attempt to complete authorizations by
271/// performing the DNS01 challenge flow.
272#[derive(Serialize, Deserialize, Clone, Debug, Default)]
273pub struct IssuerAcmeSolversDns01 {
274    /// Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
275    /// DNS01 challenge records.
276    #[serde(default, skip_serializing_if = "Option::is_none", rename = "acmeDNS")]
277    pub acme_dns: Option<IssuerAcmeSolversDns01AcmeDns>,
278    /// Use the Akamai DNS zone management API to manage DNS01 challenge records.
279    #[serde(default, skip_serializing_if = "Option::is_none")]
280    pub akamai: Option<IssuerAcmeSolversDns01Akamai>,
281    /// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
282    #[serde(default, skip_serializing_if = "Option::is_none", rename = "azureDNS")]
283    pub azure_dns: Option<IssuerAcmeSolversDns01AzureDns>,
284    /// Use the Google Cloud DNS API to manage DNS01 challenge records.
285    #[serde(default, skip_serializing_if = "Option::is_none", rename = "cloudDNS")]
286    pub cloud_dns: Option<IssuerAcmeSolversDns01CloudDns>,
287    /// Use the Cloudflare API to manage DNS01 challenge records.
288    #[serde(default, skip_serializing_if = "Option::is_none")]
289    pub cloudflare: Option<IssuerAcmeSolversDns01Cloudflare>,
290    /// CNAMEStrategy configures how the DNS01 provider should handle CNAME
291    /// records when found in DNS zones.
292    #[serde(
293        default,
294        skip_serializing_if = "Option::is_none",
295        rename = "cnameStrategy"
296    )]
297    pub cname_strategy: Option<IssuerAcmeSolversDns01CnameStrategy>,
298    /// Use the DigitalOcean DNS API to manage DNS01 challenge records.
299    #[serde(default, skip_serializing_if = "Option::is_none")]
300    pub digitalocean: Option<IssuerAcmeSolversDns01Digitalocean>,
301    /// Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
302    /// to manage DNS01 challenge records.
303    #[serde(default, skip_serializing_if = "Option::is_none")]
304    pub rfc2136: Option<IssuerAcmeSolversDns01Rfc2136>,
305    /// Use the AWS Route53 API to manage DNS01 challenge records.
306    #[serde(default, skip_serializing_if = "Option::is_none")]
307    pub route53: Option<IssuerAcmeSolversDns01Route53>,
308    /// Configure an external webhook based DNS01 challenge solver to manage
309    /// DNS01 challenge records.
310    #[serde(default, skip_serializing_if = "Option::is_none")]
311    pub webhook: Option<IssuerAcmeSolversDns01Webhook>,
312}
313
314/// Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
315/// DNS01 challenge records.
316#[derive(Serialize, Deserialize, Clone, Debug, Default)]
317pub struct IssuerAcmeSolversDns01AcmeDns {
318    /// A reference to a specific 'key' within a Secret resource.
319    /// In some instances, `key` is a required field.
320    #[serde(rename = "accountSecretRef")]
321    pub account_secret_ref: IssuerAcmeSolversDns01AcmeDnsAccountSecretRef,
322    pub host: String,
323}
324
325/// A reference to a specific 'key' within a Secret resource.
326/// In some instances, `key` is a required field.
327#[derive(Serialize, Deserialize, Clone, Debug, Default)]
328pub struct IssuerAcmeSolversDns01AcmeDnsAccountSecretRef {
329    /// The key of the entry in the Secret resource's `data` field to be used.
330    /// Some instances of this field may be defaulted, in others it may be
331    /// required.
332    #[serde(default, skip_serializing_if = "Option::is_none")]
333    pub key: Option<String>,
334    /// Name of the resource being referred to.
335    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
336    pub name: String,
337}
338
339/// Use the Akamai DNS zone management API to manage DNS01 challenge records.
340#[derive(Serialize, Deserialize, Clone, Debug, Default)]
341pub struct IssuerAcmeSolversDns01Akamai {
342    /// A reference to a specific 'key' within a Secret resource.
343    /// In some instances, `key` is a required field.
344    #[serde(rename = "accessTokenSecretRef")]
345    pub access_token_secret_ref: IssuerAcmeSolversDns01AkamaiAccessTokenSecretRef,
346    /// A reference to a specific 'key' within a Secret resource.
347    /// In some instances, `key` is a required field.
348    #[serde(rename = "clientSecretSecretRef")]
349    pub client_secret_secret_ref: IssuerAcmeSolversDns01AkamaiClientSecretSecretRef,
350    /// A reference to a specific 'key' within a Secret resource.
351    /// In some instances, `key` is a required field.
352    #[serde(rename = "clientTokenSecretRef")]
353    pub client_token_secret_ref: IssuerAcmeSolversDns01AkamaiClientTokenSecretRef,
354    #[serde(rename = "serviceConsumerDomain")]
355    pub service_consumer_domain: String,
356}
357
358/// A reference to a specific 'key' within a Secret resource.
359/// In some instances, `key` is a required field.
360#[derive(Serialize, Deserialize, Clone, Debug, Default)]
361pub struct IssuerAcmeSolversDns01AkamaiAccessTokenSecretRef {
362    /// The key of the entry in the Secret resource's `data` field to be used.
363    /// Some instances of this field may be defaulted, in others it may be
364    /// required.
365    #[serde(default, skip_serializing_if = "Option::is_none")]
366    pub key: Option<String>,
367    /// Name of the resource being referred to.
368    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
369    pub name: String,
370}
371
372/// A reference to a specific 'key' within a Secret resource.
373/// In some instances, `key` is a required field.
374#[derive(Serialize, Deserialize, Clone, Debug, Default)]
375pub struct IssuerAcmeSolversDns01AkamaiClientSecretSecretRef {
376    /// The key of the entry in the Secret resource's `data` field to be used.
377    /// Some instances of this field may be defaulted, in others it may be
378    /// required.
379    #[serde(default, skip_serializing_if = "Option::is_none")]
380    pub key: Option<String>,
381    /// Name of the resource being referred to.
382    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
383    pub name: String,
384}
385
386/// A reference to a specific 'key' within a Secret resource.
387/// In some instances, `key` is a required field.
388#[derive(Serialize, Deserialize, Clone, Debug, Default)]
389pub struct IssuerAcmeSolversDns01AkamaiClientTokenSecretRef {
390    /// The key of the entry in the Secret resource's `data` field to be used.
391    /// Some instances of this field may be defaulted, in others it may be
392    /// required.
393    #[serde(default, skip_serializing_if = "Option::is_none")]
394    pub key: Option<String>,
395    /// Name of the resource being referred to.
396    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
397    pub name: String,
398}
399
400/// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
401#[derive(Serialize, Deserialize, Clone, Debug, Default)]
402pub struct IssuerAcmeSolversDns01AzureDns {
403    /// Auth: Azure Service Principal:
404    /// The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
405    /// If set, ClientSecret and TenantID must also be set.
406    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientID")]
407    pub client_id: Option<String>,
408    /// Auth: Azure Service Principal:
409    /// A reference to a Secret containing the password associated with the Service Principal.
410    /// If set, ClientID and TenantID must also be set.
411    #[serde(
412        default,
413        skip_serializing_if = "Option::is_none",
414        rename = "clientSecretSecretRef"
415    )]
416    pub client_secret_secret_ref: Option<IssuerAcmeSolversDns01AzureDnsClientSecretSecretRef>,
417    /// name of the Azure environment (default AzurePublicCloud)
418    #[serde(default, skip_serializing_if = "Option::is_none")]
419    pub environment: Option<IssuerAcmeSolversDns01AzureDnsEnvironment>,
420    /// name of the DNS zone that should be used
421    #[serde(
422        default,
423        skip_serializing_if = "Option::is_none",
424        rename = "hostedZoneName"
425    )]
426    pub hosted_zone_name: Option<String>,
427    /// Auth: Azure Workload Identity or Azure Managed Service Identity:
428    /// Settings to enable Azure Workload Identity or Azure Managed Service Identity
429    /// If set, ClientID, ClientSecret and TenantID must not be set.
430    #[serde(
431        default,
432        skip_serializing_if = "Option::is_none",
433        rename = "managedIdentity"
434    )]
435    pub managed_identity: Option<IssuerAcmeSolversDns01AzureDnsManagedIdentity>,
436    /// resource group the DNS zone is located in
437    #[serde(rename = "resourceGroupName")]
438    pub resource_group_name: String,
439    /// ID of the Azure subscription
440    #[serde(rename = "subscriptionID")]
441    pub subscription_id: String,
442    /// Auth: Azure Service Principal:
443    /// The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
444    /// If set, ClientID and ClientSecret must also be set.
445    #[serde(default, skip_serializing_if = "Option::is_none", rename = "tenantID")]
446    pub tenant_id: Option<String>,
447}
448
449/// Auth: Azure Service Principal:
450/// A reference to a Secret containing the password associated with the Service Principal.
451/// If set, ClientID and TenantID must also be set.
452#[derive(Serialize, Deserialize, Clone, Debug, Default)]
453pub struct IssuerAcmeSolversDns01AzureDnsClientSecretSecretRef {
454    /// The key of the entry in the Secret resource's `data` field to be used.
455    /// Some instances of this field may be defaulted, in others it may be
456    /// required.
457    #[serde(default, skip_serializing_if = "Option::is_none")]
458    pub key: Option<String>,
459    /// Name of the resource being referred to.
460    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
461    pub name: String,
462}
463
464/// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
465#[derive(Serialize, Deserialize, Clone, Debug)]
466pub enum IssuerAcmeSolversDns01AzureDnsEnvironment {
467    AzurePublicCloud,
468    AzureChinaCloud,
469    AzureGermanCloud,
470    #[serde(rename = "AzureUSGovernmentCloud")]
471    AzureUsGovernmentCloud,
472}
473
474/// Auth: Azure Workload Identity or Azure Managed Service Identity:
475/// Settings to enable Azure Workload Identity or Azure Managed Service Identity
476/// If set, ClientID, ClientSecret and TenantID must not be set.
477#[derive(Serialize, Deserialize, Clone, Debug, Default)]
478pub struct IssuerAcmeSolversDns01AzureDnsManagedIdentity {
479    /// client ID of the managed identity, can not be used at the same time as resourceID
480    #[serde(default, skip_serializing_if = "Option::is_none", rename = "clientID")]
481    pub client_id: Option<String>,
482    /// resource ID of the managed identity, can not be used at the same time as clientID
483    /// Cannot be used for Azure Managed Service Identity
484    #[serde(
485        default,
486        skip_serializing_if = "Option::is_none",
487        rename = "resourceID"
488    )]
489    pub resource_id: Option<String>,
490}
491
492/// Use the Google Cloud DNS API to manage DNS01 challenge records.
493#[derive(Serialize, Deserialize, Clone, Debug, Default)]
494pub struct IssuerAcmeSolversDns01CloudDns {
495    /// HostedZoneName is an optional field that tells cert-manager in which
496    /// Cloud DNS zone the challenge record has to be created.
497    /// If left empty cert-manager will automatically choose a zone.
498    #[serde(
499        default,
500        skip_serializing_if = "Option::is_none",
501        rename = "hostedZoneName"
502    )]
503    pub hosted_zone_name: Option<String>,
504    pub project: String,
505    /// A reference to a specific 'key' within a Secret resource.
506    /// In some instances, `key` is a required field.
507    #[serde(
508        default,
509        skip_serializing_if = "Option::is_none",
510        rename = "serviceAccountSecretRef"
511    )]
512    pub service_account_secret_ref: Option<IssuerAcmeSolversDns01CloudDnsServiceAccountSecretRef>,
513}
514
515/// A reference to a specific 'key' within a Secret resource.
516/// In some instances, `key` is a required field.
517#[derive(Serialize, Deserialize, Clone, Debug, Default)]
518pub struct IssuerAcmeSolversDns01CloudDnsServiceAccountSecretRef {
519    /// The key of the entry in the Secret resource's `data` field to be used.
520    /// Some instances of this field may be defaulted, in others it may be
521    /// required.
522    #[serde(default, skip_serializing_if = "Option::is_none")]
523    pub key: Option<String>,
524    /// Name of the resource being referred to.
525    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
526    pub name: String,
527}
528
529/// Use the Cloudflare API to manage DNS01 challenge records.
530#[derive(Serialize, Deserialize, Clone, Debug, Default)]
531pub struct IssuerAcmeSolversDns01Cloudflare {
532    /// API key to use to authenticate with Cloudflare.
533    /// Note: using an API token to authenticate is now the recommended method
534    /// as it allows greater control of permissions.
535    #[serde(
536        default,
537        skip_serializing_if = "Option::is_none",
538        rename = "apiKeySecretRef"
539    )]
540    pub api_key_secret_ref: Option<IssuerAcmeSolversDns01CloudflareApiKeySecretRef>,
541    /// API token used to authenticate with Cloudflare.
542    #[serde(
543        default,
544        skip_serializing_if = "Option::is_none",
545        rename = "apiTokenSecretRef"
546    )]
547    pub api_token_secret_ref: Option<IssuerAcmeSolversDns01CloudflareApiTokenSecretRef>,
548    /// Email of the account, only required when using API key based authentication.
549    #[serde(default, skip_serializing_if = "Option::is_none")]
550    pub email: Option<String>,
551}
552
553/// API key to use to authenticate with Cloudflare.
554/// Note: using an API token to authenticate is now the recommended method
555/// as it allows greater control of permissions.
556#[derive(Serialize, Deserialize, Clone, Debug, Default)]
557pub struct IssuerAcmeSolversDns01CloudflareApiKeySecretRef {
558    /// The key of the entry in the Secret resource's `data` field to be used.
559    /// Some instances of this field may be defaulted, in others it may be
560    /// required.
561    #[serde(default, skip_serializing_if = "Option::is_none")]
562    pub key: Option<String>,
563    /// Name of the resource being referred to.
564    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
565    pub name: String,
566}
567
568/// API token used to authenticate with Cloudflare.
569#[derive(Serialize, Deserialize, Clone, Debug, Default)]
570pub struct IssuerAcmeSolversDns01CloudflareApiTokenSecretRef {
571    /// The key of the entry in the Secret resource's `data` field to be used.
572    /// Some instances of this field may be defaulted, in others it may be
573    /// required.
574    #[serde(default, skip_serializing_if = "Option::is_none")]
575    pub key: Option<String>,
576    /// Name of the resource being referred to.
577    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
578    pub name: String,
579}
580
581/// Configures cert-manager to attempt to complete authorizations by
582/// performing the DNS01 challenge flow.
583#[derive(Serialize, Deserialize, Clone, Debug)]
584pub enum IssuerAcmeSolversDns01CnameStrategy {
585    None,
586    Follow,
587}
588
589/// Use the DigitalOcean DNS API to manage DNS01 challenge records.
590#[derive(Serialize, Deserialize, Clone, Debug, Default)]
591pub struct IssuerAcmeSolversDns01Digitalocean {
592    /// A reference to a specific 'key' within a Secret resource.
593    /// In some instances, `key` is a required field.
594    #[serde(rename = "tokenSecretRef")]
595    pub token_secret_ref: IssuerAcmeSolversDns01DigitaloceanTokenSecretRef,
596}
597
598/// A reference to a specific 'key' within a Secret resource.
599/// In some instances, `key` is a required field.
600#[derive(Serialize, Deserialize, Clone, Debug, Default)]
601pub struct IssuerAcmeSolversDns01DigitaloceanTokenSecretRef {
602    /// The key of the entry in the Secret resource's `data` field to be used.
603    /// Some instances of this field may be defaulted, in others it may be
604    /// required.
605    #[serde(default, skip_serializing_if = "Option::is_none")]
606    pub key: Option<String>,
607    /// Name of the resource being referred to.
608    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
609    pub name: String,
610}
611
612/// Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
613/// to manage DNS01 challenge records.
614#[derive(Serialize, Deserialize, Clone, Debug, Default)]
615pub struct IssuerAcmeSolversDns01Rfc2136 {
616    /// The IP address or hostname of an authoritative DNS server supporting
617    /// RFC2136 in the form host:port. If the host is an IPv6 address it must be
618    /// enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
619    /// This field is required.
620    pub nameserver: String,
621    /// The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
622    /// when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
623    /// Supported values are (case-insensitive): ``HMACMD5`` (default),
624    /// ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
625    #[serde(
626        default,
627        skip_serializing_if = "Option::is_none",
628        rename = "tsigAlgorithm"
629    )]
630    pub tsig_algorithm: Option<String>,
631    /// The TSIG Key name configured in the DNS.
632    /// If ``tsigSecretSecretRef`` is defined, this field is required.
633    #[serde(
634        default,
635        skip_serializing_if = "Option::is_none",
636        rename = "tsigKeyName"
637    )]
638    pub tsig_key_name: Option<String>,
639    /// The name of the secret containing the TSIG value.
640    /// If ``tsigKeyName`` is defined, this field is required.
641    #[serde(
642        default,
643        skip_serializing_if = "Option::is_none",
644        rename = "tsigSecretSecretRef"
645    )]
646    pub tsig_secret_secret_ref: Option<IssuerAcmeSolversDns01Rfc2136TsigSecretSecretRef>,
647}
648
649/// The name of the secret containing the TSIG value.
650/// If ``tsigKeyName`` is defined, this field is required.
651#[derive(Serialize, Deserialize, Clone, Debug, Default)]
652pub struct IssuerAcmeSolversDns01Rfc2136TsigSecretSecretRef {
653    /// The key of the entry in the Secret resource's `data` field to be used.
654    /// Some instances of this field may be defaulted, in others it may be
655    /// required.
656    #[serde(default, skip_serializing_if = "Option::is_none")]
657    pub key: Option<String>,
658    /// Name of the resource being referred to.
659    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
660    pub name: String,
661}
662
663/// Use the AWS Route53 API to manage DNS01 challenge records.
664#[derive(Serialize, Deserialize, Clone, Debug, Default)]
665pub struct IssuerAcmeSolversDns01Route53 {
666    /// The AccessKeyID is used for authentication.
667    /// Cannot be set when SecretAccessKeyID is set.
668    /// If neither the Access Key nor Key ID are set, we fall-back to using env
669    /// vars, shared credentials file or AWS Instance metadata,
670    /// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
671    #[serde(
672        default,
673        skip_serializing_if = "Option::is_none",
674        rename = "accessKeyID"
675    )]
676    pub access_key_id: Option<String>,
677    /// The SecretAccessKey is used for authentication. If set, pull the AWS
678    /// access key ID from a key within a Kubernetes Secret.
679    /// Cannot be set when AccessKeyID is set.
680    /// If neither the Access Key nor Key ID are set, we fall-back to using env
681    /// vars, shared credentials file or AWS Instance metadata,
682    /// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
683    #[serde(
684        default,
685        skip_serializing_if = "Option::is_none",
686        rename = "accessKeyIDSecretRef"
687    )]
688    pub access_key_id_secret_ref: Option<IssuerAcmeSolversDns01Route53AccessKeyIdSecretRef>,
689    /// Auth configures how cert-manager authenticates.
690    #[serde(default, skip_serializing_if = "Option::is_none")]
691    pub auth: Option<IssuerAcmeSolversDns01Route53Auth>,
692    /// If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
693    #[serde(
694        default,
695        skip_serializing_if = "Option::is_none",
696        rename = "hostedZoneID"
697    )]
698    pub hosted_zone_id: Option<String>,
699    /// Override the AWS region.
700    ///
701    /// Route53 is a global service and does not have regional endpoints but the
702    /// region specified here (or via environment variables) is used as a hint to
703    /// help compute the correct AWS credential scope and partition when it
704    /// connects to Route53. See:
705    /// - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
706    /// - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
707    ///
708    /// If you omit this region field, cert-manager will use the region from
709    /// AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
710    /// in the cert-manager controller Pod.
711    ///
712    /// The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
713    /// Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
714    /// [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
715    /// In this case this `region` field value is ignored.
716    ///
717    /// The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
718    /// Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
719    /// [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
720    /// In this case this `region` field value is ignored.
721    #[serde(default, skip_serializing_if = "Option::is_none")]
722    pub region: Option<String>,
723    /// Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
724    /// or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
725    #[serde(default, skip_serializing_if = "Option::is_none")]
726    pub role: Option<String>,
727    /// The SecretAccessKey is used for authentication.
728    /// If neither the Access Key nor Key ID are set, we fall-back to using env
729    /// vars, shared credentials file or AWS Instance metadata,
730    /// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
731    #[serde(
732        default,
733        skip_serializing_if = "Option::is_none",
734        rename = "secretAccessKeySecretRef"
735    )]
736    pub secret_access_key_secret_ref: Option<IssuerAcmeSolversDns01Route53SecretAccessKeySecretRef>,
737}
738
739/// The SecretAccessKey is used for authentication. If set, pull the AWS
740/// access key ID from a key within a Kubernetes Secret.
741/// Cannot be set when AccessKeyID is set.
742/// If neither the Access Key nor Key ID are set, we fall-back to using env
743/// vars, shared credentials file or AWS Instance metadata,
744/// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
745#[derive(Serialize, Deserialize, Clone, Debug, Default)]
746pub struct IssuerAcmeSolversDns01Route53AccessKeyIdSecretRef {
747    /// The key of the entry in the Secret resource's `data` field to be used.
748    /// Some instances of this field may be defaulted, in others it may be
749    /// required.
750    #[serde(default, skip_serializing_if = "Option::is_none")]
751    pub key: Option<String>,
752    /// Name of the resource being referred to.
753    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
754    pub name: String,
755}
756
757/// Auth configures how cert-manager authenticates.
758#[derive(Serialize, Deserialize, Clone, Debug, Default)]
759pub struct IssuerAcmeSolversDns01Route53Auth {
760    /// Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
761    /// by passing a bound ServiceAccount token.
762    pub kubernetes: IssuerAcmeSolversDns01Route53AuthKubernetes,
763}
764
765/// Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
766/// by passing a bound ServiceAccount token.
767#[derive(Serialize, Deserialize, Clone, Debug, Default)]
768pub struct IssuerAcmeSolversDns01Route53AuthKubernetes {
769    /// A reference to a service account that will be used to request a bound
770    /// token (also known as "projected token"). To use this field, you must
771    /// configure an RBAC rule to let cert-manager request a token.
772    #[serde(rename = "serviceAccountRef")]
773    pub service_account_ref: IssuerAcmeSolversDns01Route53AuthKubernetesServiceAccountRef,
774}
775
776/// A reference to a service account that will be used to request a bound
777/// token (also known as "projected token"). To use this field, you must
778/// configure an RBAC rule to let cert-manager request a token.
779#[derive(Serialize, Deserialize, Clone, Debug, Default)]
780pub struct IssuerAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
781    /// TokenAudiences is an optional list of audiences to include in the
782    /// token passed to AWS. The default token consisting of the issuer's namespace
783    /// and name is always included.
784    /// If unset the audience defaults to `sts.amazonaws.com`.
785    #[serde(default, skip_serializing_if = "Option::is_none")]
786    pub audiences: Option<Vec<String>>,
787    /// Name of the ServiceAccount used to request a token.
788    pub name: String,
789}
790
791/// The SecretAccessKey is used for authentication.
792/// If neither the Access Key nor Key ID are set, we fall-back to using env
793/// vars, shared credentials file or AWS Instance metadata,
794/// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
795#[derive(Serialize, Deserialize, Clone, Debug, Default)]
796pub struct IssuerAcmeSolversDns01Route53SecretAccessKeySecretRef {
797    /// The key of the entry in the Secret resource's `data` field to be used.
798    /// Some instances of this field may be defaulted, in others it may be
799    /// required.
800    #[serde(default, skip_serializing_if = "Option::is_none")]
801    pub key: Option<String>,
802    /// Name of the resource being referred to.
803    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
804    pub name: String,
805}
806
807/// Configure an external webhook based DNS01 challenge solver to manage
808/// DNS01 challenge records.
809#[derive(Serialize, Deserialize, Clone, Debug, Default)]
810pub struct IssuerAcmeSolversDns01Webhook {
811    /// Additional configuration that should be passed to the webhook apiserver
812    /// when challenges are processed.
813    /// This can contain arbitrary JSON data.
814    /// Secret values should not be specified in this stanza.
815    /// If secret values are needed (e.g. credentials for a DNS service), you
816    /// should use a SecretKeySelector to reference a Secret resource.
817    /// For details on the schema of this field, consult the webhook provider
818    /// implementation's documentation.
819    #[serde(default, skip_serializing_if = "Option::is_none")]
820    pub config: Option<serde_json::Value>,
821    /// The API group name that should be used when POSTing ChallengePayload
822    /// resources to the webhook apiserver.
823    /// This should be the same as the GroupName specified in the webhook
824    /// provider implementation.
825    #[serde(rename = "groupName")]
826    pub group_name: String,
827    /// The name of the solver to use, as defined in the webhook provider
828    /// implementation.
829    /// This will typically be the name of the provider, e.g. 'cloudflare'.
830    #[serde(rename = "solverName")]
831    pub solver_name: String,
832}
833
834/// Configures cert-manager to attempt to complete authorizations by
835/// performing the HTTP01 challenge flow.
836/// It is not possible to obtain certificates for wildcard domain names
837/// (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
838#[derive(Serialize, Deserialize, Clone, Debug, Default)]
839pub struct IssuerAcmeSolversHttp01 {
840    /// The Gateway API is a sig-network community API that models service networking
841    /// in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
842    /// create HTTPRoutes with the specified labels in the same namespace as the challenge.
843    /// This solver is experimental, and fields / behaviour may change in the future.
844    #[serde(
845        default,
846        skip_serializing_if = "Option::is_none",
847        rename = "gatewayHTTPRoute"
848    )]
849    pub gateway_http_route: Option<IssuerAcmeSolversHttp01GatewayHttpRoute>,
850    /// The ingress based HTTP01 challenge solver will solve challenges by
851    /// creating or modifying Ingress resources in order to route requests for
852    /// '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
853    /// provisioned by cert-manager for each Challenge to be completed.
854    #[serde(default, skip_serializing_if = "Option::is_none")]
855    pub ingress: Option<IssuerAcmeSolversHttp01Ingress>,
856}
857
858/// The Gateway API is a sig-network community API that models service networking
859/// in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
860/// create HTTPRoutes with the specified labels in the same namespace as the challenge.
861/// This solver is experimental, and fields / behaviour may change in the future.
862#[derive(Serialize, Deserialize, Clone, Debug, Default)]
863pub struct IssuerAcmeSolversHttp01GatewayHttpRoute {
864    /// Custom labels that will be applied to HTTPRoutes created by cert-manager
865    /// while solving HTTP-01 challenges.
866    #[serde(default, skip_serializing_if = "Option::is_none")]
867    pub labels: Option<BTreeMap<String, String>>,
868    /// When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
869    /// cert-manager needs to know which parentRefs should be used when creating
870    /// the HTTPRoute. Usually, the parentRef references a Gateway. See:
871    /// https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
872    #[serde(
873        default,
874        skip_serializing_if = "Option::is_none",
875        rename = "parentRefs"
876    )]
877    pub parent_refs: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRouteParentRefs>>,
878    /// Optional pod template used to configure the ACME challenge solver pods
879    /// used for HTTP01 challenges.
880    #[serde(
881        default,
882        skip_serializing_if = "Option::is_none",
883        rename = "podTemplate"
884    )]
885    pub pod_template: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplate>,
886    /// Optional service type for Kubernetes solver service. Supported values
887    /// are NodePort or ClusterIP. If unset, defaults to NodePort.
888    #[serde(
889        default,
890        skip_serializing_if = "Option::is_none",
891        rename = "serviceType"
892    )]
893    pub service_type: Option<String>,
894}
895
896/// ParentReference identifies an API object (usually a Gateway) that can be considered
897/// a parent of this resource (usually a route). There are two kinds of parent resources
898/// with "Core" support:
899///
900/// * Gateway (Gateway conformance profile)
901/// * Service (Mesh conformance profile, ClusterIP Services only)
902///
903/// This API may be extended in the future to support additional kinds of parent
904/// resources.
905///
906/// The API object must be valid in the cluster; the Group and Kind must
907/// be registered in the cluster for this reference to be valid.
908#[derive(Serialize, Deserialize, Clone, Debug, Default)]
909pub struct IssuerAcmeSolversHttp01GatewayHttpRouteParentRefs {
910    /// Group is the group of the referent.
911    /// When unspecified, "gateway.networking.k8s.io" is inferred.
912    /// To set the core API group (such as for a "Service" kind referent),
913    /// Group must be explicitly set to "" (empty string).
914    ///
915    /// Support: Core
916    #[serde(default, skip_serializing_if = "Option::is_none")]
917    pub group: Option<String>,
918    /// Kind is kind of the referent.
919    ///
920    /// There are two kinds of parent resources with "Core" support:
921    ///
922    /// * Gateway (Gateway conformance profile)
923    /// * Service (Mesh conformance profile, ClusterIP Services only)
924    ///
925    /// Support for other resources is Implementation-Specific.
926    #[serde(default, skip_serializing_if = "Option::is_none")]
927    pub kind: Option<String>,
928    /// Name is the name of the referent.
929    ///
930    /// Support: Core
931    pub name: String,
932    /// Namespace is the namespace of the referent. When unspecified, this refers
933    /// to the local namespace of the Route.
934    ///
935    /// Note that there are specific rules for ParentRefs which cross namespace
936    /// boundaries. Cross-namespace references are only valid if they are explicitly
937    /// allowed by something in the namespace they are referring to. For example:
938    /// Gateway has the AllowedRoutes field, and ReferenceGrant provides a
939    /// generic way to enable any other kind of cross-namespace reference.
940    ///
941    /// <gateway:experimental:description>
942    /// ParentRefs from a Route to a Service in the same namespace are "producer"
943    /// routes, which apply default routing rules to inbound connections from
944    /// any namespace to the Service.
945    ///
946    /// ParentRefs from a Route to a Service in a different namespace are
947    /// "consumer" routes, and these routing rules are only applied to outbound
948    /// connections originating from the same namespace as the Route, for which
949    /// the intended destination of the connections are a Service targeted as a
950    /// ParentRef of the Route.
951    /// </gateway:experimental:description>
952    ///
953    /// Support: Core
954    #[serde(default, skip_serializing_if = "Option::is_none")]
955    pub namespace: Option<String>,
956    /// Port is the network port this Route targets. It can be interpreted
957    /// differently based on the type of parent resource.
958    ///
959    /// When the parent resource is a Gateway, this targets all listeners
960    /// listening on the specified port that also support this kind of Route(and
961    /// select this Route). It's not recommended to set `Port` unless the
962    /// networking behaviors specified in a Route must apply to a specific port
963    /// as opposed to a listener(s) whose port(s) may be changed. When both Port
964    /// and SectionName are specified, the name and port of the selected listener
965    /// must match both specified values.
966    ///
967    /// <gateway:experimental:description>
968    /// When the parent resource is a Service, this targets a specific port in the
969    /// Service spec. When both Port (experimental) and SectionName are specified,
970    /// the name and port of the selected port must match both specified values.
971    /// </gateway:experimental:description>
972    ///
973    /// Implementations MAY choose to support other parent resources.
974    /// Implementations supporting other types of parent resources MUST clearly
975    /// document how/if Port is interpreted.
976    ///
977    /// For the purpose of status, an attachment is considered successful as
978    /// long as the parent resource accepts it partially. For example, Gateway
979    /// listeners can restrict which Routes can attach to them by Route kind,
980    /// namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
981    /// from the referencing Route, the Route MUST be considered successfully
982    /// attached. If no Gateway listeners accept attachment from this Route,
983    /// the Route MUST be considered detached from the Gateway.
984    ///
985    /// Support: Extended
986    #[serde(default, skip_serializing_if = "Option::is_none")]
987    pub port: Option<i32>,
988    /// SectionName is the name of a section within the target resource. In the
989    /// following resources, SectionName is interpreted as the following:
990    ///
991    /// * Gateway: Listener name. When both Port (experimental) and SectionName
992    /// are specified, the name and port of the selected listener must match
993    /// both specified values.
994    /// * Service: Port name. When both Port (experimental) and SectionName
995    /// are specified, the name and port of the selected listener must match
996    /// both specified values.
997    ///
998    /// Implementations MAY choose to support attaching Routes to other resources.
999    /// If that is the case, they MUST clearly document how SectionName is
1000    /// interpreted.
1001    ///
1002    /// When unspecified (empty string), this will reference the entire resource.
1003    /// For the purpose of status, an attachment is considered successful if at
1004    /// least one section in the parent resource accepts it. For example, Gateway
1005    /// listeners can restrict which Routes can attach to them by Route kind,
1006    /// namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
1007    /// the referencing Route, the Route MUST be considered successfully
1008    /// attached. If no Gateway listeners accept attachment from this Route, the
1009    /// Route MUST be considered detached from the Gateway.
1010    ///
1011    /// Support: Core
1012    #[serde(
1013        default,
1014        skip_serializing_if = "Option::is_none",
1015        rename = "sectionName"
1016    )]
1017    pub section_name: Option<String>,
1018}
1019
1020/// Optional pod template used to configure the ACME challenge solver pods
1021/// used for HTTP01 challenges.
1022#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1023pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplate {
1024    /// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
1025    /// Only the 'labels' and 'annotations' fields may be set.
1026    /// If labels or annotations overlap with in-built values, the values here
1027    /// will override the in-built values.
1028    #[serde(default, skip_serializing_if = "Option::is_none")]
1029    pub metadata: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateMetadata>,
1030    /// PodSpec defines overrides for the HTTP01 challenge solver pod.
1031    /// Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
1032    /// All other fields will be ignored.
1033    #[serde(default, skip_serializing_if = "Option::is_none")]
1034    pub spec: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpec>,
1035}
1036
1037/// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
1038/// Only the 'labels' and 'annotations' fields may be set.
1039/// If labels or annotations overlap with in-built values, the values here
1040/// will override the in-built values.
1041#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1042pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateMetadata {
1043    /// Annotations that should be added to the created ACME HTTP01 solver pods.
1044    #[serde(default, skip_serializing_if = "Option::is_none")]
1045    pub annotations: Option<BTreeMap<String, String>>,
1046    /// Labels that should be added to the created ACME HTTP01 solver pods.
1047    #[serde(default, skip_serializing_if = "Option::is_none")]
1048    pub labels: Option<BTreeMap<String, String>>,
1049}
1050
1051/// PodSpec defines overrides for the HTTP01 challenge solver pod.
1052/// Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
1053/// All other fields will be ignored.
1054#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1055pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpec {
1056    /// If specified, the pod's scheduling constraints
1057    #[serde(default, skip_serializing_if = "Option::is_none")]
1058    pub affinity: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinity>,
1059    /// If specified, the pod's imagePullSecrets
1060    #[serde(
1061        default,
1062        skip_serializing_if = "Option::is_none",
1063        rename = "imagePullSecrets"
1064    )]
1065    pub image_pull_secrets:
1066        Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecImagePullSecrets>>,
1067    /// NodeSelector is a selector which must be true for the pod to fit on a node.
1068    /// Selector which must match a node's labels for the pod to be scheduled on that node.
1069    /// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
1070    #[serde(
1071        default,
1072        skip_serializing_if = "Option::is_none",
1073        rename = "nodeSelector"
1074    )]
1075    pub node_selector: Option<BTreeMap<String, String>>,
1076    /// If specified, the pod's priorityClassName.
1077    #[serde(
1078        default,
1079        skip_serializing_if = "Option::is_none",
1080        rename = "priorityClassName"
1081    )]
1082    pub priority_class_name: Option<String>,
1083    /// If specified, the pod's security context
1084    #[serde(
1085        default,
1086        skip_serializing_if = "Option::is_none",
1087        rename = "securityContext"
1088    )]
1089    pub security_context:
1090        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContext>,
1091    /// If specified, the pod's service account
1092    #[serde(
1093        default,
1094        skip_serializing_if = "Option::is_none",
1095        rename = "serviceAccountName"
1096    )]
1097    pub service_account_name: Option<String>,
1098    /// If specified, the pod's tolerations.
1099    #[serde(default, skip_serializing_if = "Option::is_none")]
1100    pub tolerations: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecTolerations>>,
1101}
1102
1103/// If specified, the pod's scheduling constraints
1104#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1105pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinity {
1106    /// Describes node affinity scheduling rules for the pod.
1107    #[serde(
1108        default,
1109        skip_serializing_if = "Option::is_none",
1110        rename = "nodeAffinity"
1111    )]
1112    pub node_affinity:
1113        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinity>,
1114    /// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
1115    #[serde(
1116        default,
1117        skip_serializing_if = "Option::is_none",
1118        rename = "podAffinity"
1119    )]
1120    pub pod_affinity:
1121        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinity>,
1122    /// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
1123    #[serde(
1124        default,
1125        skip_serializing_if = "Option::is_none",
1126        rename = "podAntiAffinity"
1127    )]
1128    pub pod_anti_affinity:
1129        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinity>,
1130}
1131
1132/// Describes node affinity scheduling rules for the pod.
1133#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1134pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinity {
1135    /// The scheduler will prefer to schedule pods to nodes that satisfy
1136    /// the affinity expressions specified by this field, but it may choose
1137    /// a node that violates one or more of the expressions. The node that is
1138    /// most preferred is the one with the greatest sum of weights, i.e.
1139    /// for each node that meets all of the scheduling requirements (resource
1140    /// request, requiredDuringScheduling affinity expressions, etc.),
1141    /// compute a sum by iterating through the elements of this field and adding
1142    /// "weight" to the sum if the node matches the corresponding matchExpressions; the
1143    /// node(s) with the highest sum are the most preferred.
1144    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
1145    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
1146    /// If the affinity requirements specified by this field are not met at
1147    /// scheduling time, the pod will not be scheduled onto the node.
1148    /// If the affinity requirements specified by this field cease to be met
1149    /// at some point during pod execution (e.g. due to an update), the system
1150    /// may or may not try to eventually evict the pod from its node.
1151    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
1152    pub required_during_scheduling_ignored_during_execution: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>,
1153}
1154
1155/// An empty preferred scheduling term matches all objects with implicit weight 0
1156/// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
1157#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1158pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
1159    /// A node selector term, associated with the corresponding weight.
1160    pub preference: IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference,
1161    /// Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
1162    pub weight: i32,
1163}
1164
1165/// A node selector term, associated with the corresponding weight.
1166#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1167pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
1168    /// A list of node selector requirements by node's labels.
1169    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1170    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>>,
1171    /// A list of node selector requirements by node's fields.
1172    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchFields")]
1173    pub match_fields: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>>,
1174}
1175
1176/// A node selector requirement is a selector that contains values, a key, and an operator
1177/// that relates the key and values.
1178#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1179pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions
1180{
1181    /// The label key that the selector applies to.
1182    pub key: String,
1183    /// Represents a key's relationship to a set of values.
1184    /// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
1185    pub operator: String,
1186    /// An array of string values. If the operator is In or NotIn,
1187    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1188    /// the values array must be empty. If the operator is Gt or Lt, the values
1189    /// array must have a single element, which will be interpreted as an integer.
1190    /// This array is replaced during a strategic merge patch.
1191    #[serde(default, skip_serializing_if = "Option::is_none")]
1192    pub values: Option<Vec<String>>,
1193}
1194
1195/// A node selector requirement is a selector that contains values, a key, and an operator
1196/// that relates the key and values.
1197#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1198pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields
1199{
1200    /// The label key that the selector applies to.
1201    pub key: String,
1202    /// Represents a key's relationship to a set of values.
1203    /// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
1204    pub operator: String,
1205    /// An array of string values. If the operator is In or NotIn,
1206    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1207    /// the values array must be empty. If the operator is Gt or Lt, the values
1208    /// array must have a single element, which will be interpreted as an integer.
1209    /// This array is replaced during a strategic merge patch.
1210    #[serde(default, skip_serializing_if = "Option::is_none")]
1211    pub values: Option<Vec<String>>,
1212}
1213
1214/// If the affinity requirements specified by this field are not met at
1215/// scheduling time, the pod will not be scheduled onto the node.
1216/// If the affinity requirements specified by this field cease to be met
1217/// at some point during pod execution (e.g. due to an update), the system
1218/// may or may not try to eventually evict the pod from its node.
1219#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1220pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
1221    /// Required. A list of node selector terms. The terms are ORed.
1222    #[serde(rename = "nodeSelectorTerms")]
1223    pub node_selector_terms: Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>,
1224}
1225
1226/// A null or empty node selector term matches no objects. The requirements of
1227/// them are ANDed.
1228/// The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
1229#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1230pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
1231    /// A list of node selector requirements by node's labels.
1232    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1233    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>>,
1234    /// A list of node selector requirements by node's fields.
1235    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchFields")]
1236    pub match_fields: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>>,
1237}
1238
1239/// A node selector requirement is a selector that contains values, a key, and an operator
1240/// that relates the key and values.
1241#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1242pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions
1243{
1244    /// The label key that the selector applies to.
1245    pub key: String,
1246    /// Represents a key's relationship to a set of values.
1247    /// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
1248    pub operator: String,
1249    /// An array of string values. If the operator is In or NotIn,
1250    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1251    /// the values array must be empty. If the operator is Gt or Lt, the values
1252    /// array must have a single element, which will be interpreted as an integer.
1253    /// This array is replaced during a strategic merge patch.
1254    #[serde(default, skip_serializing_if = "Option::is_none")]
1255    pub values: Option<Vec<String>>,
1256}
1257
1258/// A node selector requirement is a selector that contains values, a key, and an operator
1259/// that relates the key and values.
1260#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1261pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields
1262{
1263    /// The label key that the selector applies to.
1264    pub key: String,
1265    /// Represents a key's relationship to a set of values.
1266    /// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
1267    pub operator: String,
1268    /// An array of string values. If the operator is In or NotIn,
1269    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1270    /// the values array must be empty. If the operator is Gt or Lt, the values
1271    /// array must have a single element, which will be interpreted as an integer.
1272    /// This array is replaced during a strategic merge patch.
1273    #[serde(default, skip_serializing_if = "Option::is_none")]
1274    pub values: Option<Vec<String>>,
1275}
1276
1277/// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
1278#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1279pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinity {
1280    /// The scheduler will prefer to schedule pods to nodes that satisfy
1281    /// the affinity expressions specified by this field, but it may choose
1282    /// a node that violates one or more of the expressions. The node that is
1283    /// most preferred is the one with the greatest sum of weights, i.e.
1284    /// for each node that meets all of the scheduling requirements (resource
1285    /// request, requiredDuringScheduling affinity expressions, etc.),
1286    /// compute a sum by iterating through the elements of this field and adding
1287    /// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
1288    /// node(s) with the highest sum are the most preferred.
1289    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
1290    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
1291    /// If the affinity requirements specified by this field are not met at
1292    /// scheduling time, the pod will not be scheduled onto the node.
1293    /// If the affinity requirements specified by this field cease to be met
1294    /// at some point during pod execution (e.g. due to a pod label update), the
1295    /// system may or may not try to eventually evict the pod from its node.
1296    /// When there are multiple elements, the lists of nodes corresponding to each
1297    /// podAffinityTerm are intersected, i.e. all terms must be satisfied.
1298    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
1299    pub required_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>>,
1300}
1301
1302/// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
1303#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1304pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
1305    /// Required. A pod affinity term, associated with the corresponding weight.
1306    #[serde(rename = "podAffinityTerm")]
1307    pub pod_affinity_term: IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm,
1308    /// weight associated with matching the corresponding podAffinityTerm,
1309    /// in the range 1-100.
1310    pub weight: i32,
1311}
1312
1313/// Required. A pod affinity term, associated with the corresponding weight.
1314#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1315pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
1316    /// A label query over a set of resources, in this case pods.
1317    /// If it's null, this PodAffinityTerm matches with no Pods.
1318    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
1319    pub label_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>,
1320    /// MatchLabelKeys is a set of pod label keys to select which pods will
1321    /// be taken into consideration. The keys are used to lookup values from the
1322    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
1323    /// to select the group of existing pods which pods will be taken into consideration
1324    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
1325    /// pod labels will be ignored. The default value is empty.
1326    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
1327    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
1328    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
1329    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
1330    pub match_label_keys: Option<Vec<String>>,
1331    /// MismatchLabelKeys is a set of pod label keys to select which pods will
1332    /// be taken into consideration. The keys are used to lookup values from the
1333    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
1334    /// to select the group of existing pods which pods will be taken into consideration
1335    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
1336    /// pod labels will be ignored. The default value is empty.
1337    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
1338    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
1339    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
1340    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
1341    pub mismatch_label_keys: Option<Vec<String>>,
1342    /// A label query over the set of namespaces that the term applies to.
1343    /// The term is applied to the union of the namespaces selected by this field
1344    /// and the ones listed in the namespaces field.
1345    /// null selector and null or empty namespaces list means "this pod's namespace".
1346    /// An empty selector ({}) matches all namespaces.
1347    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
1348    pub namespace_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>,
1349    /// namespaces specifies a static list of namespace names that the term applies to.
1350    /// The term is applied to the union of the namespaces listed in this field
1351    /// and the ones selected by namespaceSelector.
1352    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1353    #[serde(default, skip_serializing_if = "Option::is_none")]
1354    pub namespaces: Option<Vec<String>>,
1355    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
1356    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
1357    /// whose value of the label with key topologyKey matches that of any node on which any of the
1358    /// selected pods is running.
1359    /// Empty topologyKey is not allowed.
1360    #[serde(rename = "topologyKey")]
1361    pub topology_key: String,
1362}
1363
1364/// A label query over a set of resources, in this case pods.
1365/// If it's null, this PodAffinityTerm matches with no Pods.
1366#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1367pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
1368    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
1369    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1370    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>>,
1371    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1372    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
1373    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
1374    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
1375    pub match_labels: Option<BTreeMap<String, String>>,
1376}
1377
1378/// A label selector requirement is a selector that contains values, a key, and an operator that
1379/// relates the key and values.
1380#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1381pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
1382{
1383    /// key is the label key that the selector applies to.
1384    pub key: String,
1385    /// operator represents a key's relationship to a set of values.
1386    /// Valid operators are In, NotIn, Exists and DoesNotExist.
1387    pub operator: String,
1388    /// values is an array of string values. If the operator is In or NotIn,
1389    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1390    /// the values array must be empty. This array is replaced during a strategic
1391    /// merge patch.
1392    #[serde(default, skip_serializing_if = "Option::is_none")]
1393    pub values: Option<Vec<String>>,
1394}
1395
1396/// A label query over the set of namespaces that the term applies to.
1397/// The term is applied to the union of the namespaces selected by this field
1398/// and the ones listed in the namespaces field.
1399/// null selector and null or empty namespaces list means "this pod's namespace".
1400/// An empty selector ({}) matches all namespaces.
1401#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1402pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
1403    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
1404    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1405    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>>,
1406    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1407    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
1408    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
1409    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
1410    pub match_labels: Option<BTreeMap<String, String>>,
1411}
1412
1413/// A label selector requirement is a selector that contains values, a key, and an operator that
1414/// relates the key and values.
1415#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1416pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
1417{
1418    /// key is the label key that the selector applies to.
1419    pub key: String,
1420    /// operator represents a key's relationship to a set of values.
1421    /// Valid operators are In, NotIn, Exists and DoesNotExist.
1422    pub operator: String,
1423    /// values is an array of string values. If the operator is In or NotIn,
1424    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1425    /// the values array must be empty. This array is replaced during a strategic
1426    /// merge patch.
1427    #[serde(default, skip_serializing_if = "Option::is_none")]
1428    pub values: Option<Vec<String>>,
1429}
1430
1431/// Defines a set of pods (namely those matching the labelSelector
1432/// relative to the given namespace(s)) that this pod should be
1433/// co-located (affinity) or not co-located (anti-affinity) with,
1434/// where co-located is defined as running on a node whose value of
1435/// the label with key <topologyKey> matches that of any node on which
1436/// a pod of the set of pods is running
1437#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1438pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
1439    /// A label query over a set of resources, in this case pods.
1440    /// If it's null, this PodAffinityTerm matches with no Pods.
1441    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
1442    pub label_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>,
1443    /// MatchLabelKeys is a set of pod label keys to select which pods will
1444    /// be taken into consideration. The keys are used to lookup values from the
1445    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
1446    /// to select the group of existing pods which pods will be taken into consideration
1447    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
1448    /// pod labels will be ignored. The default value is empty.
1449    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
1450    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
1451    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
1452    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
1453    pub match_label_keys: Option<Vec<String>>,
1454    /// MismatchLabelKeys is a set of pod label keys to select which pods will
1455    /// be taken into consideration. The keys are used to lookup values from the
1456    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
1457    /// to select the group of existing pods which pods will be taken into consideration
1458    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
1459    /// pod labels will be ignored. The default value is empty.
1460    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
1461    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
1462    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
1463    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
1464    pub mismatch_label_keys: Option<Vec<String>>,
1465    /// A label query over the set of namespaces that the term applies to.
1466    /// The term is applied to the union of the namespaces selected by this field
1467    /// and the ones listed in the namespaces field.
1468    /// null selector and null or empty namespaces list means "this pod's namespace".
1469    /// An empty selector ({}) matches all namespaces.
1470    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
1471    pub namespace_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>,
1472    /// namespaces specifies a static list of namespace names that the term applies to.
1473    /// The term is applied to the union of the namespaces listed in this field
1474    /// and the ones selected by namespaceSelector.
1475    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1476    #[serde(default, skip_serializing_if = "Option::is_none")]
1477    pub namespaces: Option<Vec<String>>,
1478    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
1479    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
1480    /// whose value of the label with key topologyKey matches that of any node on which any of the
1481    /// selected pods is running.
1482    /// Empty topologyKey is not allowed.
1483    #[serde(rename = "topologyKey")]
1484    pub topology_key: String,
1485}
1486
1487/// A label query over a set of resources, in this case pods.
1488/// If it's null, this PodAffinityTerm matches with no Pods.
1489#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1490pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
1491    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
1492    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1493    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>>,
1494    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1495    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
1496    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
1497    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
1498    pub match_labels: Option<BTreeMap<String, String>>,
1499}
1500
1501/// A label selector requirement is a selector that contains values, a key, and an operator that
1502/// relates the key and values.
1503#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1504pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
1505{
1506    /// key is the label key that the selector applies to.
1507    pub key: String,
1508    /// operator represents a key's relationship to a set of values.
1509    /// Valid operators are In, NotIn, Exists and DoesNotExist.
1510    pub operator: String,
1511    /// values is an array of string values. If the operator is In or NotIn,
1512    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1513    /// the values array must be empty. This array is replaced during a strategic
1514    /// merge patch.
1515    #[serde(default, skip_serializing_if = "Option::is_none")]
1516    pub values: Option<Vec<String>>,
1517}
1518
1519/// A label query over the set of namespaces that the term applies to.
1520/// The term is applied to the union of the namespaces selected by this field
1521/// and the ones listed in the namespaces field.
1522/// null selector and null or empty namespaces list means "this pod's namespace".
1523/// An empty selector ({}) matches all namespaces.
1524#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1525pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
1526    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
1527    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1528    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>>,
1529    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1530    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
1531    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
1532    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
1533    pub match_labels: Option<BTreeMap<String, String>>,
1534}
1535
1536/// A label selector requirement is a selector that contains values, a key, and an operator that
1537/// relates the key and values.
1538#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1539pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
1540{
1541    /// key is the label key that the selector applies to.
1542    pub key: String,
1543    /// operator represents a key's relationship to a set of values.
1544    /// Valid operators are In, NotIn, Exists and DoesNotExist.
1545    pub operator: String,
1546    /// values is an array of string values. If the operator is In or NotIn,
1547    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1548    /// the values array must be empty. This array is replaced during a strategic
1549    /// merge patch.
1550    #[serde(default, skip_serializing_if = "Option::is_none")]
1551    pub values: Option<Vec<String>>,
1552}
1553
1554/// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
1555#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1556pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinity {
1557    /// The scheduler will prefer to schedule pods to nodes that satisfy
1558    /// the anti-affinity expressions specified by this field, but it may choose
1559    /// a node that violates one or more of the expressions. The node that is
1560    /// most preferred is the one with the greatest sum of weights, i.e.
1561    /// for each node that meets all of the scheduling requirements (resource
1562    /// request, requiredDuringScheduling anti-affinity expressions, etc.),
1563    /// compute a sum by iterating through the elements of this field and adding
1564    /// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
1565    /// node(s) with the highest sum are the most preferred.
1566    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
1567    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
1568    /// If the anti-affinity requirements specified by this field are not met at
1569    /// scheduling time, the pod will not be scheduled onto the node.
1570    /// If the anti-affinity requirements specified by this field cease to be met
1571    /// at some point during pod execution (e.g. due to a pod label update), the
1572    /// system may or may not try to eventually evict the pod from its node.
1573    /// When there are multiple elements, the lists of nodes corresponding to each
1574    /// podAffinityTerm are intersected, i.e. all terms must be satisfied.
1575    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
1576    pub required_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>>,
1577}
1578
1579/// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
1580#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1581pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
1582    /// Required. A pod affinity term, associated with the corresponding weight.
1583    #[serde(rename = "podAffinityTerm")]
1584    pub pod_affinity_term: IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm,
1585    /// weight associated with matching the corresponding podAffinityTerm,
1586    /// in the range 1-100.
1587    pub weight: i32,
1588}
1589
1590/// Required. A pod affinity term, associated with the corresponding weight.
1591#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1592pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
1593    /// A label query over a set of resources, in this case pods.
1594    /// If it's null, this PodAffinityTerm matches with no Pods.
1595    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
1596    pub label_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>,
1597    /// MatchLabelKeys is a set of pod label keys to select which pods will
1598    /// be taken into consideration. The keys are used to lookup values from the
1599    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
1600    /// to select the group of existing pods which pods will be taken into consideration
1601    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
1602    /// pod labels will be ignored. The default value is empty.
1603    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
1604    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
1605    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
1606    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
1607    pub match_label_keys: Option<Vec<String>>,
1608    /// MismatchLabelKeys is a set of pod label keys to select which pods will
1609    /// be taken into consideration. The keys are used to lookup values from the
1610    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
1611    /// to select the group of existing pods which pods will be taken into consideration
1612    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
1613    /// pod labels will be ignored. The default value is empty.
1614    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
1615    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
1616    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
1617    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
1618    pub mismatch_label_keys: Option<Vec<String>>,
1619    /// A label query over the set of namespaces that the term applies to.
1620    /// The term is applied to the union of the namespaces selected by this field
1621    /// and the ones listed in the namespaces field.
1622    /// null selector and null or empty namespaces list means "this pod's namespace".
1623    /// An empty selector ({}) matches all namespaces.
1624    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
1625    pub namespace_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>,
1626    /// namespaces specifies a static list of namespace names that the term applies to.
1627    /// The term is applied to the union of the namespaces listed in this field
1628    /// and the ones selected by namespaceSelector.
1629    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1630    #[serde(default, skip_serializing_if = "Option::is_none")]
1631    pub namespaces: Option<Vec<String>>,
1632    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
1633    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
1634    /// whose value of the label with key topologyKey matches that of any node on which any of the
1635    /// selected pods is running.
1636    /// Empty topologyKey is not allowed.
1637    #[serde(rename = "topologyKey")]
1638    pub topology_key: String,
1639}
1640
1641/// A label query over a set of resources, in this case pods.
1642/// If it's null, this PodAffinityTerm matches with no Pods.
1643#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1644pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
1645    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
1646    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1647    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>>,
1648    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1649    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
1650    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
1651    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
1652    pub match_labels: Option<BTreeMap<String, String>>,
1653}
1654
1655/// A label selector requirement is a selector that contains values, a key, and an operator that
1656/// relates the key and values.
1657#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1658pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
1659{
1660    /// key is the label key that the selector applies to.
1661    pub key: String,
1662    /// operator represents a key's relationship to a set of values.
1663    /// Valid operators are In, NotIn, Exists and DoesNotExist.
1664    pub operator: String,
1665    /// values is an array of string values. If the operator is In or NotIn,
1666    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1667    /// the values array must be empty. This array is replaced during a strategic
1668    /// merge patch.
1669    #[serde(default, skip_serializing_if = "Option::is_none")]
1670    pub values: Option<Vec<String>>,
1671}
1672
1673/// A label query over the set of namespaces that the term applies to.
1674/// The term is applied to the union of the namespaces selected by this field
1675/// and the ones listed in the namespaces field.
1676/// null selector and null or empty namespaces list means "this pod's namespace".
1677/// An empty selector ({}) matches all namespaces.
1678#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1679pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
1680    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
1681    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1682    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>>,
1683    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1684    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
1685    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
1686    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
1687    pub match_labels: Option<BTreeMap<String, String>>,
1688}
1689
1690/// A label selector requirement is a selector that contains values, a key, and an operator that
1691/// relates the key and values.
1692#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1693pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
1694{
1695    /// key is the label key that the selector applies to.
1696    pub key: String,
1697    /// operator represents a key's relationship to a set of values.
1698    /// Valid operators are In, NotIn, Exists and DoesNotExist.
1699    pub operator: String,
1700    /// values is an array of string values. If the operator is In or NotIn,
1701    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1702    /// the values array must be empty. This array is replaced during a strategic
1703    /// merge patch.
1704    #[serde(default, skip_serializing_if = "Option::is_none")]
1705    pub values: Option<Vec<String>>,
1706}
1707
1708/// Defines a set of pods (namely those matching the labelSelector
1709/// relative to the given namespace(s)) that this pod should be
1710/// co-located (affinity) or not co-located (anti-affinity) with,
1711/// where co-located is defined as running on a node whose value of
1712/// the label with key <topologyKey> matches that of any node on which
1713/// a pod of the set of pods is running
1714#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1715pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
1716    /// A label query over a set of resources, in this case pods.
1717    /// If it's null, this PodAffinityTerm matches with no Pods.
1718    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
1719    pub label_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>,
1720    /// MatchLabelKeys is a set of pod label keys to select which pods will
1721    /// be taken into consideration. The keys are used to lookup values from the
1722    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
1723    /// to select the group of existing pods which pods will be taken into consideration
1724    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
1725    /// pod labels will be ignored. The default value is empty.
1726    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
1727    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
1728    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
1729    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
1730    pub match_label_keys: Option<Vec<String>>,
1731    /// MismatchLabelKeys is a set of pod label keys to select which pods will
1732    /// be taken into consideration. The keys are used to lookup values from the
1733    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
1734    /// to select the group of existing pods which pods will be taken into consideration
1735    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
1736    /// pod labels will be ignored. The default value is empty.
1737    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
1738    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
1739    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
1740    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
1741    pub mismatch_label_keys: Option<Vec<String>>,
1742    /// A label query over the set of namespaces that the term applies to.
1743    /// The term is applied to the union of the namespaces selected by this field
1744    /// and the ones listed in the namespaces field.
1745    /// null selector and null or empty namespaces list means "this pod's namespace".
1746    /// An empty selector ({}) matches all namespaces.
1747    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
1748    pub namespace_selector: Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>,
1749    /// namespaces specifies a static list of namespace names that the term applies to.
1750    /// The term is applied to the union of the namespaces listed in this field
1751    /// and the ones selected by namespaceSelector.
1752    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
1753    #[serde(default, skip_serializing_if = "Option::is_none")]
1754    pub namespaces: Option<Vec<String>>,
1755    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
1756    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
1757    /// whose value of the label with key topologyKey matches that of any node on which any of the
1758    /// selected pods is running.
1759    /// Empty topologyKey is not allowed.
1760    #[serde(rename = "topologyKey")]
1761    pub topology_key: String,
1762}
1763
1764/// A label query over a set of resources, in this case pods.
1765/// If it's null, this PodAffinityTerm matches with no Pods.
1766#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1767pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
1768    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
1769    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1770    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>>,
1771    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1772    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
1773    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
1774    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
1775    pub match_labels: Option<BTreeMap<String, String>>,
1776}
1777
1778/// A label selector requirement is a selector that contains values, a key, and an operator that
1779/// relates the key and values.
1780#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1781pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
1782{
1783    /// key is the label key that the selector applies to.
1784    pub key: String,
1785    /// operator represents a key's relationship to a set of values.
1786    /// Valid operators are In, NotIn, Exists and DoesNotExist.
1787    pub operator: String,
1788    /// values is an array of string values. If the operator is In or NotIn,
1789    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1790    /// the values array must be empty. This array is replaced during a strategic
1791    /// merge patch.
1792    #[serde(default, skip_serializing_if = "Option::is_none")]
1793    pub values: Option<Vec<String>>,
1794}
1795
1796/// A label query over the set of namespaces that the term applies to.
1797/// The term is applied to the union of the namespaces selected by this field
1798/// and the ones listed in the namespaces field.
1799/// null selector and null or empty namespaces list means "this pod's namespace".
1800/// An empty selector ({}) matches all namespaces.
1801#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1802pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
1803    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
1804    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
1805    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>>,
1806    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
1807    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
1808    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
1809    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
1810    pub match_labels: Option<BTreeMap<String, String>>,
1811}
1812
1813/// A label selector requirement is a selector that contains values, a key, and an operator that
1814/// relates the key and values.
1815#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1816pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
1817{
1818    /// key is the label key that the selector applies to.
1819    pub key: String,
1820    /// operator represents a key's relationship to a set of values.
1821    /// Valid operators are In, NotIn, Exists and DoesNotExist.
1822    pub operator: String,
1823    /// values is an array of string values. If the operator is In or NotIn,
1824    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
1825    /// the values array must be empty. This array is replaced during a strategic
1826    /// merge patch.
1827    #[serde(default, skip_serializing_if = "Option::is_none")]
1828    pub values: Option<Vec<String>>,
1829}
1830
1831/// LocalObjectReference contains enough information to let you locate the
1832/// referenced object inside the same namespace.
1833#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1834pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecImagePullSecrets {
1835    /// Name of the referent.
1836    /// This field is effectively required, but due to backwards compatibility is
1837    /// allowed to be empty. Instances of this type with an empty value here are
1838    /// almost certainly wrong.
1839    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
1840    #[serde(default, skip_serializing_if = "Option::is_none")]
1841    pub name: Option<String>,
1842}
1843
1844/// If specified, the pod's security context
1845#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1846pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContext {
1847    /// A special supplemental group that applies to all containers in a pod.
1848    /// Some volume types allow the Kubelet to change the ownership of that volume
1849    /// to be owned by the pod:
1850    ///
1851    /// 1. The owning GID will be the FSGroup
1852    /// 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
1853    /// 3. The permission bits are OR'd with rw-rw----
1854    ///
1855    /// If unset, the Kubelet will not modify the ownership and permissions of any volume.
1856    /// Note that this field cannot be set when spec.os.name is windows.
1857    #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsGroup")]
1858    pub fs_group: Option<i64>,
1859    /// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
1860    /// before being exposed inside Pod. This field will only apply to
1861    /// volume types which support fsGroup based ownership(and permissions).
1862    /// It will have no effect on ephemeral volume types such as: secret, configmaps
1863    /// and emptydir.
1864    /// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
1865    /// Note that this field cannot be set when spec.os.name is windows.
1866    #[serde(
1867        default,
1868        skip_serializing_if = "Option::is_none",
1869        rename = "fsGroupChangePolicy"
1870    )]
1871    pub fs_group_change_policy: Option<String>,
1872    /// The GID to run the entrypoint of the container process.
1873    /// Uses runtime default if unset.
1874    /// May also be set in SecurityContext.  If set in both SecurityContext and
1875    /// PodSecurityContext, the value specified in SecurityContext takes precedence
1876    /// for that container.
1877    /// Note that this field cannot be set when spec.os.name is windows.
1878    #[serde(
1879        default,
1880        skip_serializing_if = "Option::is_none",
1881        rename = "runAsGroup"
1882    )]
1883    pub run_as_group: Option<i64>,
1884    /// Indicates that the container must run as a non-root user.
1885    /// If true, the Kubelet will validate the image at runtime to ensure that it
1886    /// does not run as UID 0 (root) and fail to start the container if it does.
1887    /// If unset or false, no such validation will be performed.
1888    /// May also be set in SecurityContext.  If set in both SecurityContext and
1889    /// PodSecurityContext, the value specified in SecurityContext takes precedence.
1890    #[serde(
1891        default,
1892        skip_serializing_if = "Option::is_none",
1893        rename = "runAsNonRoot"
1894    )]
1895    pub run_as_non_root: Option<bool>,
1896    /// The UID to run the entrypoint of the container process.
1897    /// Defaults to user specified in image metadata if unspecified.
1898    /// May also be set in SecurityContext.  If set in both SecurityContext and
1899    /// PodSecurityContext, the value specified in SecurityContext takes precedence
1900    /// for that container.
1901    /// Note that this field cannot be set when spec.os.name is windows.
1902    #[serde(default, skip_serializing_if = "Option::is_none", rename = "runAsUser")]
1903    pub run_as_user: Option<i64>,
1904    /// The SELinux context to be applied to all containers.
1905    /// If unspecified, the container runtime will allocate a random SELinux context for each
1906    /// container.  May also be set in SecurityContext.  If set in
1907    /// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
1908    /// takes precedence for that container.
1909    /// Note that this field cannot be set when spec.os.name is windows.
1910    #[serde(
1911        default,
1912        skip_serializing_if = "Option::is_none",
1913        rename = "seLinuxOptions"
1914    )]
1915    pub se_linux_options:
1916        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeLinuxOptions>,
1917    /// The seccomp options to use by the containers in this pod.
1918    /// Note that this field cannot be set when spec.os.name is windows.
1919    #[serde(
1920        default,
1921        skip_serializing_if = "Option::is_none",
1922        rename = "seccompProfile"
1923    )]
1924    pub seccomp_profile:
1925        Option<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeccompProfile>,
1926    /// A list of groups applied to the first process run in each container, in addition
1927    /// to the container's primary GID, the fsGroup (if specified), and group memberships
1928    /// defined in the container image for the uid of the container process. If unspecified,
1929    /// no additional groups are added to any container. Note that group memberships
1930    /// defined in the container image for the uid of the container process are still effective,
1931    /// even if they are not included in this list.
1932    /// Note that this field cannot be set when spec.os.name is windows.
1933    #[serde(
1934        default,
1935        skip_serializing_if = "Option::is_none",
1936        rename = "supplementalGroups"
1937    )]
1938    pub supplemental_groups: Option<Vec<i64>>,
1939    /// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
1940    /// sysctls (by the container runtime) might fail to launch.
1941    /// Note that this field cannot be set when spec.os.name is windows.
1942    #[serde(default, skip_serializing_if = "Option::is_none")]
1943    pub sysctls:
1944        Option<Vec<IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSysctls>>,
1945}
1946
1947/// The SELinux context to be applied to all containers.
1948/// If unspecified, the container runtime will allocate a random SELinux context for each
1949/// container.  May also be set in SecurityContext.  If set in
1950/// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
1951/// takes precedence for that container.
1952/// Note that this field cannot be set when spec.os.name is windows.
1953#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1954pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeLinuxOptions {
1955    /// Level is SELinux level label that applies to the container.
1956    #[serde(default, skip_serializing_if = "Option::is_none")]
1957    pub level: Option<String>,
1958    /// Role is a SELinux role label that applies to the container.
1959    #[serde(default, skip_serializing_if = "Option::is_none")]
1960    pub role: Option<String>,
1961    /// Type is a SELinux type label that applies to the container.
1962    #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")]
1963    pub r#type: Option<String>,
1964    /// User is a SELinux user label that applies to the container.
1965    #[serde(default, skip_serializing_if = "Option::is_none")]
1966    pub user: Option<String>,
1967}
1968
1969/// The seccomp options to use by the containers in this pod.
1970/// Note that this field cannot be set when spec.os.name is windows.
1971#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1972pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSeccompProfile {
1973    /// localhostProfile indicates a profile defined in a file on the node should be used.
1974    /// The profile must be preconfigured on the node to work.
1975    /// Must be a descending path, relative to the kubelet's configured seccomp profile location.
1976    /// Must be set if type is "Localhost". Must NOT be set for any other type.
1977    #[serde(
1978        default,
1979        skip_serializing_if = "Option::is_none",
1980        rename = "localhostProfile"
1981    )]
1982    pub localhost_profile: Option<String>,
1983    /// type indicates which kind of seccomp profile will be applied.
1984    /// Valid options are:
1985    ///
1986    /// Localhost - a profile defined in a file on the node should be used.
1987    /// RuntimeDefault - the container runtime default profile should be used.
1988    /// Unconfined - no profile should be applied.
1989    #[serde(rename = "type")]
1990    pub r#type: String,
1991}
1992
1993/// Sysctl defines a kernel parameter to be set
1994#[derive(Serialize, Deserialize, Clone, Debug, Default)]
1995pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecSecurityContextSysctls {
1996    /// Name of a property to set
1997    pub name: String,
1998    /// Value of a property to set
1999    pub value: String,
2000}
2001
2002/// The pod this Toleration is attached to tolerates any taint that matches
2003/// the triple <key,value,effect> using the matching operator <operator>.
2004#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2005pub struct IssuerAcmeSolversHttp01GatewayHttpRoutePodTemplateSpecTolerations {
2006    /// Effect indicates the taint effect to match. Empty means match all taint effects.
2007    /// When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
2008    #[serde(default, skip_serializing_if = "Option::is_none")]
2009    pub effect: Option<String>,
2010    /// Key is the taint key that the toleration applies to. Empty means match all taint keys.
2011    /// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
2012    #[serde(default, skip_serializing_if = "Option::is_none")]
2013    pub key: Option<String>,
2014    /// Operator represents a key's relationship to the value.
2015    /// Valid operators are Exists and Equal. Defaults to Equal.
2016    /// Exists is equivalent to wildcard for value, so that a pod can
2017    /// tolerate all taints of a particular category.
2018    #[serde(default, skip_serializing_if = "Option::is_none")]
2019    pub operator: Option<String>,
2020    /// TolerationSeconds represents the period of time the toleration (which must be
2021    /// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
2022    /// it is not set, which means tolerate the taint forever (do not evict). Zero and
2023    /// negative values will be treated as 0 (evict immediately) by the system.
2024    #[serde(
2025        default,
2026        skip_serializing_if = "Option::is_none",
2027        rename = "tolerationSeconds"
2028    )]
2029    pub toleration_seconds: Option<i64>,
2030    /// Value is the taint value the toleration matches to.
2031    /// If the operator is Exists, the value should be empty, otherwise just a regular string.
2032    #[serde(default, skip_serializing_if = "Option::is_none")]
2033    pub value: Option<String>,
2034}
2035
2036/// The ingress based HTTP01 challenge solver will solve challenges by
2037/// creating or modifying Ingress resources in order to route requests for
2038/// '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
2039/// provisioned by cert-manager for each Challenge to be completed.
2040#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2041pub struct IssuerAcmeSolversHttp01Ingress {
2042    /// This field configures the annotation `kubernetes.io/ingress.class` when
2043    /// creating Ingress resources to solve ACME challenges that use this
2044    /// challenge solver. Only one of `class`, `name` or `ingressClassName` may
2045    /// be specified.
2046    #[serde(default, skip_serializing_if = "Option::is_none")]
2047    pub class: Option<String>,
2048    /// This field configures the field `ingressClassName` on the created Ingress
2049    /// resources used to solve ACME challenges that use this challenge solver.
2050    /// This is the recommended way of configuring the ingress class. Only one of
2051    /// `class`, `name` or `ingressClassName` may be specified.
2052    #[serde(
2053        default,
2054        skip_serializing_if = "Option::is_none",
2055        rename = "ingressClassName"
2056    )]
2057    pub ingress_class_name: Option<String>,
2058    /// Optional ingress template used to configure the ACME challenge solver
2059    /// ingress used for HTTP01 challenges.
2060    #[serde(
2061        default,
2062        skip_serializing_if = "Option::is_none",
2063        rename = "ingressTemplate"
2064    )]
2065    pub ingress_template: Option<IssuerAcmeSolversHttp01IngressIngressTemplate>,
2066    /// The name of the ingress resource that should have ACME challenge solving
2067    /// routes inserted into it in order to solve HTTP01 challenges.
2068    /// This is typically used in conjunction with ingress controllers like
2069    /// ingress-gce, which maintains a 1:1 mapping between external IPs and
2070    /// ingress resources. Only one of `class`, `name` or `ingressClassName` may
2071    /// be specified.
2072    #[serde(default, skip_serializing_if = "Option::is_none")]
2073    pub name: Option<String>,
2074    /// Optional pod template used to configure the ACME challenge solver pods
2075    /// used for HTTP01 challenges.
2076    #[serde(
2077        default,
2078        skip_serializing_if = "Option::is_none",
2079        rename = "podTemplate"
2080    )]
2081    pub pod_template: Option<IssuerAcmeSolversHttp01IngressPodTemplate>,
2082    /// Optional service type for Kubernetes solver service. Supported values
2083    /// are NodePort or ClusterIP. If unset, defaults to NodePort.
2084    #[serde(
2085        default,
2086        skip_serializing_if = "Option::is_none",
2087        rename = "serviceType"
2088    )]
2089    pub service_type: Option<String>,
2090}
2091
2092/// Optional ingress template used to configure the ACME challenge solver
2093/// ingress used for HTTP01 challenges.
2094#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2095pub struct IssuerAcmeSolversHttp01IngressIngressTemplate {
2096    /// ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
2097    /// Only the 'labels' and 'annotations' fields may be set.
2098    /// If labels or annotations overlap with in-built values, the values here
2099    /// will override the in-built values.
2100    #[serde(default, skip_serializing_if = "Option::is_none")]
2101    pub metadata: Option<IssuerAcmeSolversHttp01IngressIngressTemplateMetadata>,
2102}
2103
2104/// ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
2105/// Only the 'labels' and 'annotations' fields may be set.
2106/// If labels or annotations overlap with in-built values, the values here
2107/// will override the in-built values.
2108#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2109pub struct IssuerAcmeSolversHttp01IngressIngressTemplateMetadata {
2110    /// Annotations that should be added to the created ACME HTTP01 solver ingress.
2111    #[serde(default, skip_serializing_if = "Option::is_none")]
2112    pub annotations: Option<BTreeMap<String, String>>,
2113    /// Labels that should be added to the created ACME HTTP01 solver ingress.
2114    #[serde(default, skip_serializing_if = "Option::is_none")]
2115    pub labels: Option<BTreeMap<String, String>>,
2116}
2117
2118/// Optional pod template used to configure the ACME challenge solver pods
2119/// used for HTTP01 challenges.
2120#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2121pub struct IssuerAcmeSolversHttp01IngressPodTemplate {
2122    /// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
2123    /// Only the 'labels' and 'annotations' fields may be set.
2124    /// If labels or annotations overlap with in-built values, the values here
2125    /// will override the in-built values.
2126    #[serde(default, skip_serializing_if = "Option::is_none")]
2127    pub metadata: Option<IssuerAcmeSolversHttp01IngressPodTemplateMetadata>,
2128    /// PodSpec defines overrides for the HTTP01 challenge solver pod.
2129    /// Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
2130    /// All other fields will be ignored.
2131    #[serde(default, skip_serializing_if = "Option::is_none")]
2132    pub spec: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpec>,
2133}
2134
2135/// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
2136/// Only the 'labels' and 'annotations' fields may be set.
2137/// If labels or annotations overlap with in-built values, the values here
2138/// will override the in-built values.
2139#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2140pub struct IssuerAcmeSolversHttp01IngressPodTemplateMetadata {
2141    /// Annotations that should be added to the created ACME HTTP01 solver pods.
2142    #[serde(default, skip_serializing_if = "Option::is_none")]
2143    pub annotations: Option<BTreeMap<String, String>>,
2144    /// Labels that should be added to the created ACME HTTP01 solver pods.
2145    #[serde(default, skip_serializing_if = "Option::is_none")]
2146    pub labels: Option<BTreeMap<String, String>>,
2147}
2148
2149/// PodSpec defines overrides for the HTTP01 challenge solver pod.
2150/// Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
2151/// All other fields will be ignored.
2152#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2153pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpec {
2154    /// If specified, the pod's scheduling constraints
2155    #[serde(default, skip_serializing_if = "Option::is_none")]
2156    pub affinity: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinity>,
2157    /// If specified, the pod's imagePullSecrets
2158    #[serde(
2159        default,
2160        skip_serializing_if = "Option::is_none",
2161        rename = "imagePullSecrets"
2162    )]
2163    pub image_pull_secrets:
2164        Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets>>,
2165    /// NodeSelector is a selector which must be true for the pod to fit on a node.
2166    /// Selector which must match a node's labels for the pod to be scheduled on that node.
2167    /// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
2168    #[serde(
2169        default,
2170        skip_serializing_if = "Option::is_none",
2171        rename = "nodeSelector"
2172    )]
2173    pub node_selector: Option<BTreeMap<String, String>>,
2174    /// If specified, the pod's priorityClassName.
2175    #[serde(
2176        default,
2177        skip_serializing_if = "Option::is_none",
2178        rename = "priorityClassName"
2179    )]
2180    pub priority_class_name: Option<String>,
2181    /// If specified, the pod's security context
2182    #[serde(
2183        default,
2184        skip_serializing_if = "Option::is_none",
2185        rename = "securityContext"
2186    )]
2187    pub security_context: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContext>,
2188    /// If specified, the pod's service account
2189    #[serde(
2190        default,
2191        skip_serializing_if = "Option::is_none",
2192        rename = "serviceAccountName"
2193    )]
2194    pub service_account_name: Option<String>,
2195    /// If specified, the pod's tolerations.
2196    #[serde(default, skip_serializing_if = "Option::is_none")]
2197    pub tolerations: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecTolerations>>,
2198}
2199
2200/// If specified, the pod's scheduling constraints
2201#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2202pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinity {
2203    /// Describes node affinity scheduling rules for the pod.
2204    #[serde(
2205        default,
2206        skip_serializing_if = "Option::is_none",
2207        rename = "nodeAffinity"
2208    )]
2209    pub node_affinity: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity>,
2210    /// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2211    #[serde(
2212        default,
2213        skip_serializing_if = "Option::is_none",
2214        rename = "podAffinity"
2215    )]
2216    pub pod_affinity: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity>,
2217    /// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2218    #[serde(
2219        default,
2220        skip_serializing_if = "Option::is_none",
2221        rename = "podAntiAffinity"
2222    )]
2223    pub pod_anti_affinity:
2224        Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity>,
2225}
2226
2227/// Describes node affinity scheduling rules for the pod.
2228#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2229pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
2230    /// The scheduler will prefer to schedule pods to nodes that satisfy
2231    /// the affinity expressions specified by this field, but it may choose
2232    /// a node that violates one or more of the expressions. The node that is
2233    /// most preferred is the one with the greatest sum of weights, i.e.
2234    /// for each node that meets all of the scheduling requirements (resource
2235    /// request, requiredDuringScheduling affinity expressions, etc.),
2236    /// compute a sum by iterating through the elements of this field and adding
2237    /// "weight" to the sum if the node matches the corresponding matchExpressions; the
2238    /// node(s) with the highest sum are the most preferred.
2239    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
2240    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
2241    /// If the affinity requirements specified by this field are not met at
2242    /// scheduling time, the pod will not be scheduled onto the node.
2243    /// If the affinity requirements specified by this field cease to be met
2244    /// at some point during pod execution (e.g. due to an update), the system
2245    /// may or may not try to eventually evict the pod from its node.
2246    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
2247    pub required_during_scheduling_ignored_during_execution: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>,
2248}
2249
2250/// An empty preferred scheduling term matches all objects with implicit weight 0
2251/// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
2252#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2253pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
2254    /// A node selector term, associated with the corresponding weight.
2255    pub preference: IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference,
2256    /// Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
2257    pub weight: i32,
2258}
2259
2260/// A node selector term, associated with the corresponding weight.
2261#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2262pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
2263    /// A list of node selector requirements by node's labels.
2264    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2265    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>>,
2266    /// A list of node selector requirements by node's fields.
2267    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchFields")]
2268    pub match_fields: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>>,
2269}
2270
2271/// A node selector requirement is a selector that contains values, a key, and an operator
2272/// that relates the key and values.
2273#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2274pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions
2275{
2276    /// The label key that the selector applies to.
2277    pub key: String,
2278    /// Represents a key's relationship to a set of values.
2279    /// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2280    pub operator: String,
2281    /// An array of string values. If the operator is In or NotIn,
2282    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2283    /// the values array must be empty. If the operator is Gt or Lt, the values
2284    /// array must have a single element, which will be interpreted as an integer.
2285    /// This array is replaced during a strategic merge patch.
2286    #[serde(default, skip_serializing_if = "Option::is_none")]
2287    pub values: Option<Vec<String>>,
2288}
2289
2290/// A node selector requirement is a selector that contains values, a key, and an operator
2291/// that relates the key and values.
2292#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2293pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields
2294{
2295    /// The label key that the selector applies to.
2296    pub key: String,
2297    /// Represents a key's relationship to a set of values.
2298    /// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2299    pub operator: String,
2300    /// An array of string values. If the operator is In or NotIn,
2301    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2302    /// the values array must be empty. If the operator is Gt or Lt, the values
2303    /// array must have a single element, which will be interpreted as an integer.
2304    /// This array is replaced during a strategic merge patch.
2305    #[serde(default, skip_serializing_if = "Option::is_none")]
2306    pub values: Option<Vec<String>>,
2307}
2308
2309/// If the affinity requirements specified by this field are not met at
2310/// scheduling time, the pod will not be scheduled onto the node.
2311/// If the affinity requirements specified by this field cease to be met
2312/// at some point during pod execution (e.g. due to an update), the system
2313/// may or may not try to eventually evict the pod from its node.
2314#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2315pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
2316    /// Required. A list of node selector terms. The terms are ORed.
2317    #[serde(rename = "nodeSelectorTerms")]
2318    pub node_selector_terms: Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>,
2319}
2320
2321/// A null or empty node selector term matches no objects. The requirements of
2322/// them are ANDed.
2323/// The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
2324#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2325pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
2326    /// A list of node selector requirements by node's labels.
2327    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2328    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>>,
2329    /// A list of node selector requirements by node's fields.
2330    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchFields")]
2331    pub match_fields: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>>,
2332}
2333
2334/// A node selector requirement is a selector that contains values, a key, and an operator
2335/// that relates the key and values.
2336#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2337pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions
2338{
2339    /// The label key that the selector applies to.
2340    pub key: String,
2341    /// Represents a key's relationship to a set of values.
2342    /// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2343    pub operator: String,
2344    /// An array of string values. If the operator is In or NotIn,
2345    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2346    /// the values array must be empty. If the operator is Gt or Lt, the values
2347    /// array must have a single element, which will be interpreted as an integer.
2348    /// This array is replaced during a strategic merge patch.
2349    #[serde(default, skip_serializing_if = "Option::is_none")]
2350    pub values: Option<Vec<String>>,
2351}
2352
2353/// A node selector requirement is a selector that contains values, a key, and an operator
2354/// that relates the key and values.
2355#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2356pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields
2357{
2358    /// The label key that the selector applies to.
2359    pub key: String,
2360    /// Represents a key's relationship to a set of values.
2361    /// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
2362    pub operator: String,
2363    /// An array of string values. If the operator is In or NotIn,
2364    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2365    /// the values array must be empty. If the operator is Gt or Lt, the values
2366    /// array must have a single element, which will be interpreted as an integer.
2367    /// This array is replaced during a strategic merge patch.
2368    #[serde(default, skip_serializing_if = "Option::is_none")]
2369    pub values: Option<Vec<String>>,
2370}
2371
2372/// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
2373#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2374pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
2375    /// The scheduler will prefer to schedule pods to nodes that satisfy
2376    /// the affinity expressions specified by this field, but it may choose
2377    /// a node that violates one or more of the expressions. The node that is
2378    /// most preferred is the one with the greatest sum of weights, i.e.
2379    /// for each node that meets all of the scheduling requirements (resource
2380    /// request, requiredDuringScheduling affinity expressions, etc.),
2381    /// compute a sum by iterating through the elements of this field and adding
2382    /// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
2383    /// node(s) with the highest sum are the most preferred.
2384    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
2385    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
2386    /// If the affinity requirements specified by this field are not met at
2387    /// scheduling time, the pod will not be scheduled onto the node.
2388    /// If the affinity requirements specified by this field cease to be met
2389    /// at some point during pod execution (e.g. due to a pod label update), the
2390    /// system may or may not try to eventually evict the pod from its node.
2391    /// When there are multiple elements, the lists of nodes corresponding to each
2392    /// podAffinityTerm are intersected, i.e. all terms must be satisfied.
2393    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
2394    pub required_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>>,
2395}
2396
2397/// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2398#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2399pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
2400    /// Required. A pod affinity term, associated with the corresponding weight.
2401    #[serde(rename = "podAffinityTerm")]
2402    pub pod_affinity_term: IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm,
2403    /// weight associated with matching the corresponding podAffinityTerm,
2404    /// in the range 1-100.
2405    pub weight: i32,
2406}
2407
2408/// Required. A pod affinity term, associated with the corresponding weight.
2409#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2410pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
2411    /// A label query over a set of resources, in this case pods.
2412    /// If it's null, this PodAffinityTerm matches with no Pods.
2413    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
2414    pub label_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>,
2415    /// MatchLabelKeys is a set of pod label keys to select which pods will
2416    /// be taken into consideration. The keys are used to lookup values from the
2417    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2418    /// to select the group of existing pods which pods will be taken into consideration
2419    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2420    /// pod labels will be ignored. The default value is empty.
2421    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2422    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
2423    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2424    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
2425    pub match_label_keys: Option<Vec<String>>,
2426    /// MismatchLabelKeys is a set of pod label keys to select which pods will
2427    /// be taken into consideration. The keys are used to lookup values from the
2428    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2429    /// to select the group of existing pods which pods will be taken into consideration
2430    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2431    /// pod labels will be ignored. The default value is empty.
2432    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2433    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2434    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2435    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
2436    pub mismatch_label_keys: Option<Vec<String>>,
2437    /// A label query over the set of namespaces that the term applies to.
2438    /// The term is applied to the union of the namespaces selected by this field
2439    /// and the ones listed in the namespaces field.
2440    /// null selector and null or empty namespaces list means "this pod's namespace".
2441    /// An empty selector ({}) matches all namespaces.
2442    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
2443    pub namespace_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>,
2444    /// namespaces specifies a static list of namespace names that the term applies to.
2445    /// The term is applied to the union of the namespaces listed in this field
2446    /// and the ones selected by namespaceSelector.
2447    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2448    #[serde(default, skip_serializing_if = "Option::is_none")]
2449    pub namespaces: Option<Vec<String>>,
2450    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2451    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
2452    /// whose value of the label with key topologyKey matches that of any node on which any of the
2453    /// selected pods is running.
2454    /// Empty topologyKey is not allowed.
2455    #[serde(rename = "topologyKey")]
2456    pub topology_key: String,
2457}
2458
2459/// A label query over a set of resources, in this case pods.
2460/// If it's null, this PodAffinityTerm matches with no Pods.
2461#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2462pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
2463    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
2464    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2465    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>>,
2466    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2467    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
2468    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
2469    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
2470    pub match_labels: Option<BTreeMap<String, String>>,
2471}
2472
2473/// A label selector requirement is a selector that contains values, a key, and an operator that
2474/// relates the key and values.
2475#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2476pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
2477{
2478    /// key is the label key that the selector applies to.
2479    pub key: String,
2480    /// operator represents a key's relationship to a set of values.
2481    /// Valid operators are In, NotIn, Exists and DoesNotExist.
2482    pub operator: String,
2483    /// values is an array of string values. If the operator is In or NotIn,
2484    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2485    /// the values array must be empty. This array is replaced during a strategic
2486    /// merge patch.
2487    #[serde(default, skip_serializing_if = "Option::is_none")]
2488    pub values: Option<Vec<String>>,
2489}
2490
2491/// A label query over the set of namespaces that the term applies to.
2492/// The term is applied to the union of the namespaces selected by this field
2493/// and the ones listed in the namespaces field.
2494/// null selector and null or empty namespaces list means "this pod's namespace".
2495/// An empty selector ({}) matches all namespaces.
2496#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2497pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
2498    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
2499    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2500    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>>,
2501    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2502    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
2503    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
2504    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
2505    pub match_labels: Option<BTreeMap<String, String>>,
2506}
2507
2508/// A label selector requirement is a selector that contains values, a key, and an operator that
2509/// relates the key and values.
2510#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2511pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
2512{
2513    /// key is the label key that the selector applies to.
2514    pub key: String,
2515    /// operator represents a key's relationship to a set of values.
2516    /// Valid operators are In, NotIn, Exists and DoesNotExist.
2517    pub operator: String,
2518    /// values is an array of string values. If the operator is In or NotIn,
2519    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2520    /// the values array must be empty. This array is replaced during a strategic
2521    /// merge patch.
2522    #[serde(default, skip_serializing_if = "Option::is_none")]
2523    pub values: Option<Vec<String>>,
2524}
2525
2526/// Defines a set of pods (namely those matching the labelSelector
2527/// relative to the given namespace(s)) that this pod should be
2528/// co-located (affinity) or not co-located (anti-affinity) with,
2529/// where co-located is defined as running on a node whose value of
2530/// the label with key <topologyKey> matches that of any node on which
2531/// a pod of the set of pods is running
2532#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2533pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
2534    /// A label query over a set of resources, in this case pods.
2535    /// If it's null, this PodAffinityTerm matches with no Pods.
2536    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
2537    pub label_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>,
2538    /// MatchLabelKeys is a set of pod label keys to select which pods will
2539    /// be taken into consideration. The keys are used to lookup values from the
2540    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2541    /// to select the group of existing pods which pods will be taken into consideration
2542    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2543    /// pod labels will be ignored. The default value is empty.
2544    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2545    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
2546    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2547    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
2548    pub match_label_keys: Option<Vec<String>>,
2549    /// MismatchLabelKeys is a set of pod label keys to select which pods will
2550    /// be taken into consideration. The keys are used to lookup values from the
2551    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2552    /// to select the group of existing pods which pods will be taken into consideration
2553    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2554    /// pod labels will be ignored. The default value is empty.
2555    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2556    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2557    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2558    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
2559    pub mismatch_label_keys: Option<Vec<String>>,
2560    /// A label query over the set of namespaces that the term applies to.
2561    /// The term is applied to the union of the namespaces selected by this field
2562    /// and the ones listed in the namespaces field.
2563    /// null selector and null or empty namespaces list means "this pod's namespace".
2564    /// An empty selector ({}) matches all namespaces.
2565    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
2566    pub namespace_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>,
2567    /// namespaces specifies a static list of namespace names that the term applies to.
2568    /// The term is applied to the union of the namespaces listed in this field
2569    /// and the ones selected by namespaceSelector.
2570    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2571    #[serde(default, skip_serializing_if = "Option::is_none")]
2572    pub namespaces: Option<Vec<String>>,
2573    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2574    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
2575    /// whose value of the label with key topologyKey matches that of any node on which any of the
2576    /// selected pods is running.
2577    /// Empty topologyKey is not allowed.
2578    #[serde(rename = "topologyKey")]
2579    pub topology_key: String,
2580}
2581
2582/// A label query over a set of resources, in this case pods.
2583/// If it's null, this PodAffinityTerm matches with no Pods.
2584#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2585pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
2586    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
2587    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2588    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>>,
2589    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2590    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
2591    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
2592    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
2593    pub match_labels: Option<BTreeMap<String, String>>,
2594}
2595
2596/// A label selector requirement is a selector that contains values, a key, and an operator that
2597/// relates the key and values.
2598#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2599pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
2600{
2601    /// key is the label key that the selector applies to.
2602    pub key: String,
2603    /// operator represents a key's relationship to a set of values.
2604    /// Valid operators are In, NotIn, Exists and DoesNotExist.
2605    pub operator: String,
2606    /// values is an array of string values. If the operator is In or NotIn,
2607    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2608    /// the values array must be empty. This array is replaced during a strategic
2609    /// merge patch.
2610    #[serde(default, skip_serializing_if = "Option::is_none")]
2611    pub values: Option<Vec<String>>,
2612}
2613
2614/// A label query over the set of namespaces that the term applies to.
2615/// The term is applied to the union of the namespaces selected by this field
2616/// and the ones listed in the namespaces field.
2617/// null selector and null or empty namespaces list means "this pod's namespace".
2618/// An empty selector ({}) matches all namespaces.
2619#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2620pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
2621    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
2622    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2623    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>>,
2624    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2625    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
2626    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
2627    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
2628    pub match_labels: Option<BTreeMap<String, String>>,
2629}
2630
2631/// A label selector requirement is a selector that contains values, a key, and an operator that
2632/// relates the key and values.
2633#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2634pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
2635{
2636    /// key is the label key that the selector applies to.
2637    pub key: String,
2638    /// operator represents a key's relationship to a set of values.
2639    /// Valid operators are In, NotIn, Exists and DoesNotExist.
2640    pub operator: String,
2641    /// values is an array of string values. If the operator is In or NotIn,
2642    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2643    /// the values array must be empty. This array is replaced during a strategic
2644    /// merge patch.
2645    #[serde(default, skip_serializing_if = "Option::is_none")]
2646    pub values: Option<Vec<String>>,
2647}
2648
2649/// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
2650#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2651pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
2652    /// The scheduler will prefer to schedule pods to nodes that satisfy
2653    /// the anti-affinity expressions specified by this field, but it may choose
2654    /// a node that violates one or more of the expressions. The node that is
2655    /// most preferred is the one with the greatest sum of weights, i.e.
2656    /// for each node that meets all of the scheduling requirements (resource
2657    /// request, requiredDuringScheduling anti-affinity expressions, etc.),
2658    /// compute a sum by iterating through the elements of this field and adding
2659    /// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
2660    /// node(s) with the highest sum are the most preferred.
2661    #[serde(default, skip_serializing_if = "Option::is_none", rename = "preferredDuringSchedulingIgnoredDuringExecution")]
2662    pub preferred_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>>,
2663    /// If the anti-affinity requirements specified by this field are not met at
2664    /// scheduling time, the pod will not be scheduled onto the node.
2665    /// If the anti-affinity requirements specified by this field cease to be met
2666    /// at some point during pod execution (e.g. due to a pod label update), the
2667    /// system may or may not try to eventually evict the pod from its node.
2668    /// When there are multiple elements, the lists of nodes corresponding to each
2669    /// podAffinityTerm are intersected, i.e. all terms must be satisfied.
2670    #[serde(default, skip_serializing_if = "Option::is_none", rename = "requiredDuringSchedulingIgnoredDuringExecution")]
2671    pub required_during_scheduling_ignored_during_execution: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>>,
2672}
2673
2674/// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
2675#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2676pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
2677    /// Required. A pod affinity term, associated with the corresponding weight.
2678    #[serde(rename = "podAffinityTerm")]
2679    pub pod_affinity_term: IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm,
2680    /// weight associated with matching the corresponding podAffinityTerm,
2681    /// in the range 1-100.
2682    pub weight: i32,
2683}
2684
2685/// Required. A pod affinity term, associated with the corresponding weight.
2686#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2687pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
2688    /// A label query over a set of resources, in this case pods.
2689    /// If it's null, this PodAffinityTerm matches with no Pods.
2690    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
2691    pub label_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>,
2692    /// MatchLabelKeys is a set of pod label keys to select which pods will
2693    /// be taken into consideration. The keys are used to lookup values from the
2694    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2695    /// to select the group of existing pods which pods will be taken into consideration
2696    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2697    /// pod labels will be ignored. The default value is empty.
2698    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2699    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
2700    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2701    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
2702    pub match_label_keys: Option<Vec<String>>,
2703    /// MismatchLabelKeys is a set of pod label keys to select which pods will
2704    /// be taken into consideration. The keys are used to lookup values from the
2705    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2706    /// to select the group of existing pods which pods will be taken into consideration
2707    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2708    /// pod labels will be ignored. The default value is empty.
2709    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2710    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2711    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2712    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
2713    pub mismatch_label_keys: Option<Vec<String>>,
2714    /// A label query over the set of namespaces that the term applies to.
2715    /// The term is applied to the union of the namespaces selected by this field
2716    /// and the ones listed in the namespaces field.
2717    /// null selector and null or empty namespaces list means "this pod's namespace".
2718    /// An empty selector ({}) matches all namespaces.
2719    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
2720    pub namespace_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>,
2721    /// namespaces specifies a static list of namespace names that the term applies to.
2722    /// The term is applied to the union of the namespaces listed in this field
2723    /// and the ones selected by namespaceSelector.
2724    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2725    #[serde(default, skip_serializing_if = "Option::is_none")]
2726    pub namespaces: Option<Vec<String>>,
2727    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2728    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
2729    /// whose value of the label with key topologyKey matches that of any node on which any of the
2730    /// selected pods is running.
2731    /// Empty topologyKey is not allowed.
2732    #[serde(rename = "topologyKey")]
2733    pub topology_key: String,
2734}
2735
2736/// A label query over a set of resources, in this case pods.
2737/// If it's null, this PodAffinityTerm matches with no Pods.
2738#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2739pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
2740    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
2741    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2742    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>>,
2743    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2744    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
2745    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
2746    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
2747    pub match_labels: Option<BTreeMap<String, String>>,
2748}
2749
2750/// A label selector requirement is a selector that contains values, a key, and an operator that
2751/// relates the key and values.
2752#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2753pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions
2754{
2755    /// key is the label key that the selector applies to.
2756    pub key: String,
2757    /// operator represents a key's relationship to a set of values.
2758    /// Valid operators are In, NotIn, Exists and DoesNotExist.
2759    pub operator: String,
2760    /// values is an array of string values. If the operator is In or NotIn,
2761    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2762    /// the values array must be empty. This array is replaced during a strategic
2763    /// merge patch.
2764    #[serde(default, skip_serializing_if = "Option::is_none")]
2765    pub values: Option<Vec<String>>,
2766}
2767
2768/// A label query over the set of namespaces that the term applies to.
2769/// The term is applied to the union of the namespaces selected by this field
2770/// and the ones listed in the namespaces field.
2771/// null selector and null or empty namespaces list means "this pod's namespace".
2772/// An empty selector ({}) matches all namespaces.
2773#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2774pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
2775    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
2776    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2777    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>>,
2778    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2779    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
2780    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
2781    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
2782    pub match_labels: Option<BTreeMap<String, String>>,
2783}
2784
2785/// A label selector requirement is a selector that contains values, a key, and an operator that
2786/// relates the key and values.
2787#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2788pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions
2789{
2790    /// key is the label key that the selector applies to.
2791    pub key: String,
2792    /// operator represents a key's relationship to a set of values.
2793    /// Valid operators are In, NotIn, Exists and DoesNotExist.
2794    pub operator: String,
2795    /// values is an array of string values. If the operator is In or NotIn,
2796    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2797    /// the values array must be empty. This array is replaced during a strategic
2798    /// merge patch.
2799    #[serde(default, skip_serializing_if = "Option::is_none")]
2800    pub values: Option<Vec<String>>,
2801}
2802
2803/// Defines a set of pods (namely those matching the labelSelector
2804/// relative to the given namespace(s)) that this pod should be
2805/// co-located (affinity) or not co-located (anti-affinity) with,
2806/// where co-located is defined as running on a node whose value of
2807/// the label with key <topologyKey> matches that of any node on which
2808/// a pod of the set of pods is running
2809#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2810pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
2811    /// A label query over a set of resources, in this case pods.
2812    /// If it's null, this PodAffinityTerm matches with no Pods.
2813    #[serde(default, skip_serializing_if = "Option::is_none", rename = "labelSelector")]
2814    pub label_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>,
2815    /// MatchLabelKeys is a set of pod label keys to select which pods will
2816    /// be taken into consideration. The keys are used to lookup values from the
2817    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
2818    /// to select the group of existing pods which pods will be taken into consideration
2819    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2820    /// pod labels will be ignored. The default value is empty.
2821    /// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
2822    /// Also, matchLabelKeys cannot be set when labelSelector isn't set.
2823    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2824    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabelKeys")]
2825    pub match_label_keys: Option<Vec<String>>,
2826    /// MismatchLabelKeys is a set of pod label keys to select which pods will
2827    /// be taken into consideration. The keys are used to lookup values from the
2828    /// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
2829    /// to select the group of existing pods which pods will be taken into consideration
2830    /// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
2831    /// pod labels will be ignored. The default value is empty.
2832    /// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
2833    /// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
2834    /// This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
2835    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mismatchLabelKeys")]
2836    pub mismatch_label_keys: Option<Vec<String>>,
2837    /// A label query over the set of namespaces that the term applies to.
2838    /// The term is applied to the union of the namespaces selected by this field
2839    /// and the ones listed in the namespaces field.
2840    /// null selector and null or empty namespaces list means "this pod's namespace".
2841    /// An empty selector ({}) matches all namespaces.
2842    #[serde(default, skip_serializing_if = "Option::is_none", rename = "namespaceSelector")]
2843    pub namespace_selector: Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>,
2844    /// namespaces specifies a static list of namespace names that the term applies to.
2845    /// The term is applied to the union of the namespaces listed in this field
2846    /// and the ones selected by namespaceSelector.
2847    /// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
2848    #[serde(default, skip_serializing_if = "Option::is_none")]
2849    pub namespaces: Option<Vec<String>>,
2850    /// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
2851    /// the labelSelector in the specified namespaces, where co-located is defined as running on a node
2852    /// whose value of the label with key topologyKey matches that of any node on which any of the
2853    /// selected pods is running.
2854    /// Empty topologyKey is not allowed.
2855    #[serde(rename = "topologyKey")]
2856    pub topology_key: String,
2857}
2858
2859/// A label query over a set of resources, in this case pods.
2860/// If it's null, this PodAffinityTerm matches with no Pods.
2861#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2862pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
2863    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
2864    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2865    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>>,
2866    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2867    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
2868    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
2869    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
2870    pub match_labels: Option<BTreeMap<String, String>>,
2871}
2872
2873/// A label selector requirement is a selector that contains values, a key, and an operator that
2874/// relates the key and values.
2875#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2876pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions
2877{
2878    /// key is the label key that the selector applies to.
2879    pub key: String,
2880    /// operator represents a key's relationship to a set of values.
2881    /// Valid operators are In, NotIn, Exists and DoesNotExist.
2882    pub operator: String,
2883    /// values is an array of string values. If the operator is In or NotIn,
2884    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2885    /// the values array must be empty. This array is replaced during a strategic
2886    /// merge patch.
2887    #[serde(default, skip_serializing_if = "Option::is_none")]
2888    pub values: Option<Vec<String>>,
2889}
2890
2891/// A label query over the set of namespaces that the term applies to.
2892/// The term is applied to the union of the namespaces selected by this field
2893/// and the ones listed in the namespaces field.
2894/// null selector and null or empty namespaces list means "this pod's namespace".
2895/// An empty selector ({}) matches all namespaces.
2896#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2897pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
2898    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
2899    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchExpressions")]
2900    pub match_expressions: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>>,
2901    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
2902    /// map is equivalent to an element of matchExpressions, whose key field is "key", the
2903    /// operator is "In", and the values array contains only "value". The requirements are ANDed.
2904    #[serde(default, skip_serializing_if = "Option::is_none", rename = "matchLabels")]
2905    pub match_labels: Option<BTreeMap<String, String>>,
2906}
2907
2908/// A label selector requirement is a selector that contains values, a key, and an operator that
2909/// relates the key and values.
2910#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2911pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions
2912{
2913    /// key is the label key that the selector applies to.
2914    pub key: String,
2915    /// operator represents a key's relationship to a set of values.
2916    /// Valid operators are In, NotIn, Exists and DoesNotExist.
2917    pub operator: String,
2918    /// values is an array of string values. If the operator is In or NotIn,
2919    /// the values array must be non-empty. If the operator is Exists or DoesNotExist,
2920    /// the values array must be empty. This array is replaced during a strategic
2921    /// merge patch.
2922    #[serde(default, skip_serializing_if = "Option::is_none")]
2923    pub values: Option<Vec<String>>,
2924}
2925
2926/// LocalObjectReference contains enough information to let you locate the
2927/// referenced object inside the same namespace.
2928#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2929pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
2930    /// Name of the referent.
2931    /// This field is effectively required, but due to backwards compatibility is
2932    /// allowed to be empty. Instances of this type with an empty value here are
2933    /// almost certainly wrong.
2934    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
2935    #[serde(default, skip_serializing_if = "Option::is_none")]
2936    pub name: Option<String>,
2937}
2938
2939/// If specified, the pod's security context
2940#[derive(Serialize, Deserialize, Clone, Debug, Default)]
2941pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
2942    /// A special supplemental group that applies to all containers in a pod.
2943    /// Some volume types allow the Kubelet to change the ownership of that volume
2944    /// to be owned by the pod:
2945    ///
2946    /// 1. The owning GID will be the FSGroup
2947    /// 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
2948    /// 3. The permission bits are OR'd with rw-rw----
2949    ///
2950    /// If unset, the Kubelet will not modify the ownership and permissions of any volume.
2951    /// Note that this field cannot be set when spec.os.name is windows.
2952    #[serde(default, skip_serializing_if = "Option::is_none", rename = "fsGroup")]
2953    pub fs_group: Option<i64>,
2954    /// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
2955    /// before being exposed inside Pod. This field will only apply to
2956    /// volume types which support fsGroup based ownership(and permissions).
2957    /// It will have no effect on ephemeral volume types such as: secret, configmaps
2958    /// and emptydir.
2959    /// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
2960    /// Note that this field cannot be set when spec.os.name is windows.
2961    #[serde(
2962        default,
2963        skip_serializing_if = "Option::is_none",
2964        rename = "fsGroupChangePolicy"
2965    )]
2966    pub fs_group_change_policy: Option<String>,
2967    /// The GID to run the entrypoint of the container process.
2968    /// Uses runtime default if unset.
2969    /// May also be set in SecurityContext.  If set in both SecurityContext and
2970    /// PodSecurityContext, the value specified in SecurityContext takes precedence
2971    /// for that container.
2972    /// Note that this field cannot be set when spec.os.name is windows.
2973    #[serde(
2974        default,
2975        skip_serializing_if = "Option::is_none",
2976        rename = "runAsGroup"
2977    )]
2978    pub run_as_group: Option<i64>,
2979    /// Indicates that the container must run as a non-root user.
2980    /// If true, the Kubelet will validate the image at runtime to ensure that it
2981    /// does not run as UID 0 (root) and fail to start the container if it does.
2982    /// If unset or false, no such validation will be performed.
2983    /// May also be set in SecurityContext.  If set in both SecurityContext and
2984    /// PodSecurityContext, the value specified in SecurityContext takes precedence.
2985    #[serde(
2986        default,
2987        skip_serializing_if = "Option::is_none",
2988        rename = "runAsNonRoot"
2989    )]
2990    pub run_as_non_root: Option<bool>,
2991    /// The UID to run the entrypoint of the container process.
2992    /// Defaults to user specified in image metadata if unspecified.
2993    /// May also be set in SecurityContext.  If set in both SecurityContext and
2994    /// PodSecurityContext, the value specified in SecurityContext takes precedence
2995    /// for that container.
2996    /// Note that this field cannot be set when spec.os.name is windows.
2997    #[serde(default, skip_serializing_if = "Option::is_none", rename = "runAsUser")]
2998    pub run_as_user: Option<i64>,
2999    /// The SELinux context to be applied to all containers.
3000    /// If unspecified, the container runtime will allocate a random SELinux context for each
3001    /// container.  May also be set in SecurityContext.  If set in
3002    /// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
3003    /// takes precedence for that container.
3004    /// Note that this field cannot be set when spec.os.name is windows.
3005    #[serde(
3006        default,
3007        skip_serializing_if = "Option::is_none",
3008        rename = "seLinuxOptions"
3009    )]
3010    pub se_linux_options:
3011        Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions>,
3012    /// The seccomp options to use by the containers in this pod.
3013    /// Note that this field cannot be set when spec.os.name is windows.
3014    #[serde(
3015        default,
3016        skip_serializing_if = "Option::is_none",
3017        rename = "seccompProfile"
3018    )]
3019    pub seccomp_profile:
3020        Option<IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile>,
3021    /// A list of groups applied to the first process run in each container, in addition
3022    /// to the container's primary GID, the fsGroup (if specified), and group memberships
3023    /// defined in the container image for the uid of the container process. If unspecified,
3024    /// no additional groups are added to any container. Note that group memberships
3025    /// defined in the container image for the uid of the container process are still effective,
3026    /// even if they are not included in this list.
3027    /// Note that this field cannot be set when spec.os.name is windows.
3028    #[serde(
3029        default,
3030        skip_serializing_if = "Option::is_none",
3031        rename = "supplementalGroups"
3032    )]
3033    pub supplemental_groups: Option<Vec<i64>>,
3034    /// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
3035    /// sysctls (by the container runtime) might fail to launch.
3036    /// Note that this field cannot be set when spec.os.name is windows.
3037    #[serde(default, skip_serializing_if = "Option::is_none")]
3038    pub sysctls: Option<Vec<IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls>>,
3039}
3040
3041/// The SELinux context to be applied to all containers.
3042/// If unspecified, the container runtime will allocate a random SELinux context for each
3043/// container.  May also be set in SecurityContext.  If set in
3044/// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
3045/// takes precedence for that container.
3046/// Note that this field cannot be set when spec.os.name is windows.
3047#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3048pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
3049    /// Level is SELinux level label that applies to the container.
3050    #[serde(default, skip_serializing_if = "Option::is_none")]
3051    pub level: Option<String>,
3052    /// Role is a SELinux role label that applies to the container.
3053    #[serde(default, skip_serializing_if = "Option::is_none")]
3054    pub role: Option<String>,
3055    /// Type is a SELinux type label that applies to the container.
3056    #[serde(default, skip_serializing_if = "Option::is_none", rename = "type")]
3057    pub r#type: Option<String>,
3058    /// User is a SELinux user label that applies to the container.
3059    #[serde(default, skip_serializing_if = "Option::is_none")]
3060    pub user: Option<String>,
3061}
3062
3063/// The seccomp options to use by the containers in this pod.
3064/// Note that this field cannot be set when spec.os.name is windows.
3065#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3066pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
3067    /// localhostProfile indicates a profile defined in a file on the node should be used.
3068    /// The profile must be preconfigured on the node to work.
3069    /// Must be a descending path, relative to the kubelet's configured seccomp profile location.
3070    /// Must be set if type is "Localhost". Must NOT be set for any other type.
3071    #[serde(
3072        default,
3073        skip_serializing_if = "Option::is_none",
3074        rename = "localhostProfile"
3075    )]
3076    pub localhost_profile: Option<String>,
3077    /// type indicates which kind of seccomp profile will be applied.
3078    /// Valid options are:
3079    ///
3080    /// Localhost - a profile defined in a file on the node should be used.
3081    /// RuntimeDefault - the container runtime default profile should be used.
3082    /// Unconfined - no profile should be applied.
3083    #[serde(rename = "type")]
3084    pub r#type: String,
3085}
3086
3087/// Sysctl defines a kernel parameter to be set
3088#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3089pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
3090    /// Name of a property to set
3091    pub name: String,
3092    /// Value of a property to set
3093    pub value: String,
3094}
3095
3096/// The pod this Toleration is attached to tolerates any taint that matches
3097/// the triple <key,value,effect> using the matching operator <operator>.
3098#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3099pub struct IssuerAcmeSolversHttp01IngressPodTemplateSpecTolerations {
3100    /// Effect indicates the taint effect to match. Empty means match all taint effects.
3101    /// When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
3102    #[serde(default, skip_serializing_if = "Option::is_none")]
3103    pub effect: Option<String>,
3104    /// Key is the taint key that the toleration applies to. Empty means match all taint keys.
3105    /// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
3106    #[serde(default, skip_serializing_if = "Option::is_none")]
3107    pub key: Option<String>,
3108    /// Operator represents a key's relationship to the value.
3109    /// Valid operators are Exists and Equal. Defaults to Equal.
3110    /// Exists is equivalent to wildcard for value, so that a pod can
3111    /// tolerate all taints of a particular category.
3112    #[serde(default, skip_serializing_if = "Option::is_none")]
3113    pub operator: Option<String>,
3114    /// TolerationSeconds represents the period of time the toleration (which must be
3115    /// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
3116    /// it is not set, which means tolerate the taint forever (do not evict). Zero and
3117    /// negative values will be treated as 0 (evict immediately) by the system.
3118    #[serde(
3119        default,
3120        skip_serializing_if = "Option::is_none",
3121        rename = "tolerationSeconds"
3122    )]
3123    pub toleration_seconds: Option<i64>,
3124    /// Value is the taint value the toleration matches to.
3125    /// If the operator is Exists, the value should be empty, otherwise just a regular string.
3126    #[serde(default, skip_serializing_if = "Option::is_none")]
3127    pub value: Option<String>,
3128}
3129
3130/// Selector selects a set of DNSNames on the Certificate resource that
3131/// should be solved using this challenge solver.
3132/// If not specified, the solver will be treated as the 'default' solver
3133/// with the lowest priority, i.e. if any other solver has a more specific
3134/// match, it will be used instead.
3135#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3136pub struct IssuerAcmeSolversSelector {
3137    /// List of DNSNames that this solver will be used to solve.
3138    /// If specified and a match is found, a dnsNames selector will take
3139    /// precedence over a dnsZones selector.
3140    /// If multiple solvers match with the same dnsNames value, the solver
3141    /// with the most matching labels in matchLabels will be selected.
3142    /// If neither has more matches, the solver defined earlier in the list
3143    /// will be selected.
3144    #[serde(default, skip_serializing_if = "Option::is_none", rename = "dnsNames")]
3145    pub dns_names: Option<Vec<String>>,
3146    /// List of DNSZones that this solver will be used to solve.
3147    /// The most specific DNS zone match specified here will take precedence
3148    /// over other DNS zone matches, so a solver specifying sys.example.com
3149    /// will be selected over one specifying example.com for the domain
3150    /// www.sys.example.com.
3151    /// If multiple solvers match with the same dnsZones value, the solver
3152    /// with the most matching labels in matchLabels will be selected.
3153    /// If neither has more matches, the solver defined earlier in the list
3154    /// will be selected.
3155    #[serde(default, skip_serializing_if = "Option::is_none", rename = "dnsZones")]
3156    pub dns_zones: Option<Vec<String>>,
3157    /// A label selector that is used to refine the set of certificate's that
3158    /// this challenge solver will apply to.
3159    #[serde(
3160        default,
3161        skip_serializing_if = "Option::is_none",
3162        rename = "matchLabels"
3163    )]
3164    pub match_labels: Option<BTreeMap<String, String>>,
3165}
3166
3167/// CA configures this issuer to sign certificates using a signing CA keypair
3168/// stored in a Secret resource.
3169/// This is used to build internal PKIs that are managed by cert-manager.
3170#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3171pub struct IssuerCa {
3172    /// The CRL distribution points is an X.509 v3 certificate extension which identifies
3173    /// the location of the CRL from which the revocation of this certificate can be checked.
3174    /// If not set, certificates will be issued without distribution points set.
3175    #[serde(
3176        default,
3177        skip_serializing_if = "Option::is_none",
3178        rename = "crlDistributionPoints"
3179    )]
3180    pub crl_distribution_points: Option<Vec<String>>,
3181    /// IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
3182    /// it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
3183    /// As an example, such a URL might be "http://ca.domain.com/ca.crt".
3184    #[serde(
3185        default,
3186        skip_serializing_if = "Option::is_none",
3187        rename = "issuingCertificateURLs"
3188    )]
3189    pub issuing_certificate_ur_ls: Option<Vec<String>>,
3190    /// The OCSP server list is an X.509 v3 extension that defines a list of
3191    /// URLs of OCSP responders. The OCSP responders can be queried for the
3192    /// revocation status of an issued certificate. If not set, the
3193    /// certificate will be issued with no OCSP servers set. For example, an
3194    /// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
3195    #[serde(
3196        default,
3197        skip_serializing_if = "Option::is_none",
3198        rename = "ocspServers"
3199    )]
3200    pub ocsp_servers: Option<Vec<String>>,
3201    /// SecretName is the name of the secret used to sign Certificates issued
3202    /// by this Issuer.
3203    #[serde(rename = "secretName")]
3204    pub secret_name: String,
3205}
3206
3207/// SelfSigned configures this issuer to 'self sign' certificates using the
3208/// private key used to create the CertificateRequest object.
3209#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3210pub struct IssuerSelfSigned {
3211    /// The CRL distribution points is an X.509 v3 certificate extension which identifies
3212    /// the location of the CRL from which the revocation of this certificate can be checked.
3213    /// If not set certificate will be issued without CDP. Values are strings.
3214    #[serde(
3215        default,
3216        skip_serializing_if = "Option::is_none",
3217        rename = "crlDistributionPoints"
3218    )]
3219    pub crl_distribution_points: Option<Vec<String>>,
3220}
3221
3222/// Vault configures this issuer to sign certificates using a HashiCorp Vault
3223/// PKI backend.
3224#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3225pub struct IssuerVault {
3226    /// Auth configures how cert-manager authenticates with the Vault server.
3227    pub auth: IssuerVaultAuth,
3228    /// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
3229    /// chain presented by Vault. Only used if using HTTPS to connect to Vault and
3230    /// ignored for HTTP connections.
3231    /// Mutually exclusive with CABundleSecretRef.
3232    /// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
3233    /// the cert-manager controller container is used to validate the TLS connection.
3234    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
3235    pub ca_bundle: Option<String>,
3236    /// Reference to a Secret containing a bundle of PEM-encoded CAs to use when
3237    /// verifying the certificate chain presented by Vault when using HTTPS.
3238    /// Mutually exclusive with CABundle.
3239    /// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
3240    /// the cert-manager controller container is used to validate the TLS connection.
3241    /// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
3242    #[serde(
3243        default,
3244        skip_serializing_if = "Option::is_none",
3245        rename = "caBundleSecretRef"
3246    )]
3247    pub ca_bundle_secret_ref: Option<IssuerVaultCaBundleSecretRef>,
3248    /// Reference to a Secret containing a PEM-encoded Client Certificate to use when the
3249    /// Vault server requires mTLS.
3250    #[serde(
3251        default,
3252        skip_serializing_if = "Option::is_none",
3253        rename = "clientCertSecretRef"
3254    )]
3255    pub client_cert_secret_ref: Option<IssuerVaultClientCertSecretRef>,
3256    /// Reference to a Secret containing a PEM-encoded Client Private Key to use when the
3257    /// Vault server requires mTLS.
3258    #[serde(
3259        default,
3260        skip_serializing_if = "Option::is_none",
3261        rename = "clientKeySecretRef"
3262    )]
3263    pub client_key_secret_ref: Option<IssuerVaultClientKeySecretRef>,
3264    /// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
3265    /// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
3266    #[serde(default, skip_serializing_if = "Option::is_none")]
3267    pub namespace: Option<String>,
3268    /// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
3269    /// "my_pki_mount/sign/my-role-name".
3270    pub path: String,
3271    /// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
3272    pub server: String,
3273}
3274
3275/// Auth configures how cert-manager authenticates with the Vault server.
3276#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3277pub struct IssuerVaultAuth {
3278    /// AppRole authenticates with Vault using the App Role auth mechanism,
3279    /// with the role and secret stored in a Kubernetes Secret resource.
3280    #[serde(default, skip_serializing_if = "Option::is_none", rename = "appRole")]
3281    pub app_role: Option<IssuerVaultAuthAppRole>,
3282    /// ClientCertificate authenticates with Vault by presenting a client
3283    /// certificate during the request's TLS handshake.
3284    /// Works only when using HTTPS protocol.
3285    #[serde(
3286        default,
3287        skip_serializing_if = "Option::is_none",
3288        rename = "clientCertificate"
3289    )]
3290    pub client_certificate: Option<IssuerVaultAuthClientCertificate>,
3291    /// Kubernetes authenticates with Vault by passing the ServiceAccount
3292    /// token stored in the named Secret resource to the Vault server.
3293    #[serde(default, skip_serializing_if = "Option::is_none")]
3294    pub kubernetes: Option<IssuerVaultAuthKubernetes>,
3295    /// TokenSecretRef authenticates with Vault by presenting a token.
3296    #[serde(
3297        default,
3298        skip_serializing_if = "Option::is_none",
3299        rename = "tokenSecretRef"
3300    )]
3301    pub token_secret_ref: Option<IssuerVaultAuthTokenSecretRef>,
3302}
3303
3304/// AppRole authenticates with Vault using the App Role auth mechanism,
3305/// with the role and secret stored in a Kubernetes Secret resource.
3306#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3307pub struct IssuerVaultAuthAppRole {
3308    /// Path where the App Role authentication backend is mounted in Vault, e.g:
3309    /// "approle"
3310    pub path: String,
3311    /// RoleID configured in the App Role authentication backend when setting
3312    /// up the authentication backend in Vault.
3313    #[serde(rename = "roleId")]
3314    pub role_id: String,
3315    /// Reference to a key in a Secret that contains the App Role secret used
3316    /// to authenticate with Vault.
3317    /// The `key` field must be specified and denotes which entry within the Secret
3318    /// resource is used as the app role secret.
3319    #[serde(rename = "secretRef")]
3320    pub secret_ref: IssuerVaultAuthAppRoleSecretRef,
3321}
3322
3323/// Reference to a key in a Secret that contains the App Role secret used
3324/// to authenticate with Vault.
3325/// The `key` field must be specified and denotes which entry within the Secret
3326/// resource is used as the app role secret.
3327#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3328pub struct IssuerVaultAuthAppRoleSecretRef {
3329    /// The key of the entry in the Secret resource's `data` field to be used.
3330    /// Some instances of this field may be defaulted, in others it may be
3331    /// required.
3332    #[serde(default, skip_serializing_if = "Option::is_none")]
3333    pub key: Option<String>,
3334    /// Name of the resource being referred to.
3335    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3336    pub name: String,
3337}
3338
3339/// ClientCertificate authenticates with Vault by presenting a client
3340/// certificate during the request's TLS handshake.
3341/// Works only when using HTTPS protocol.
3342#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3343pub struct IssuerVaultAuthClientCertificate {
3344    /// The Vault mountPath here is the mount path to use when authenticating with
3345    /// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
3346    /// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
3347    /// default value "/v1/auth/cert" will be used.
3348    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mountPath")]
3349    pub mount_path: Option<String>,
3350    /// Name of the certificate role to authenticate against.
3351    /// If not set, matching any certificate role, if available.
3352    #[serde(default, skip_serializing_if = "Option::is_none")]
3353    pub name: Option<String>,
3354    /// Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
3355    /// tls.crt and tls.key) used to authenticate to Vault using TLS client
3356    /// authentication.
3357    #[serde(
3358        default,
3359        skip_serializing_if = "Option::is_none",
3360        rename = "secretName"
3361    )]
3362    pub secret_name: Option<String>,
3363}
3364
3365/// Kubernetes authenticates with Vault by passing the ServiceAccount
3366/// token stored in the named Secret resource to the Vault server.
3367#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3368pub struct IssuerVaultAuthKubernetes {
3369    /// The Vault mountPath here is the mount path to use when authenticating with
3370    /// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
3371    /// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
3372    /// default value "/v1/auth/kubernetes" will be used.
3373    #[serde(default, skip_serializing_if = "Option::is_none", rename = "mountPath")]
3374    pub mount_path: Option<String>,
3375    /// A required field containing the Vault Role to assume. A Role binds a
3376    /// Kubernetes ServiceAccount with a set of Vault policies.
3377    pub role: String,
3378    /// The required Secret field containing a Kubernetes ServiceAccount JWT used
3379    /// for authenticating with Vault. Use of 'ambient credentials' is not
3380    /// supported.
3381    #[serde(default, skip_serializing_if = "Option::is_none", rename = "secretRef")]
3382    pub secret_ref: Option<IssuerVaultAuthKubernetesSecretRef>,
3383    /// A reference to a service account that will be used to request a bound
3384    /// token (also known as "projected token"). Compared to using "secretRef",
3385    /// using this field means that you don't rely on statically bound tokens. To
3386    /// use this field, you must configure an RBAC rule to let cert-manager
3387    /// request a token.
3388    #[serde(
3389        default,
3390        skip_serializing_if = "Option::is_none",
3391        rename = "serviceAccountRef"
3392    )]
3393    pub service_account_ref: Option<IssuerVaultAuthKubernetesServiceAccountRef>,
3394}
3395
3396/// The required Secret field containing a Kubernetes ServiceAccount JWT used
3397/// for authenticating with Vault. Use of 'ambient credentials' is not
3398/// supported.
3399#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3400pub struct IssuerVaultAuthKubernetesSecretRef {
3401    /// The key of the entry in the Secret resource's `data` field to be used.
3402    /// Some instances of this field may be defaulted, in others it may be
3403    /// required.
3404    #[serde(default, skip_serializing_if = "Option::is_none")]
3405    pub key: Option<String>,
3406    /// Name of the resource being referred to.
3407    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3408    pub name: String,
3409}
3410
3411/// A reference to a service account that will be used to request a bound
3412/// token (also known as "projected token"). Compared to using "secretRef",
3413/// using this field means that you don't rely on statically bound tokens. To
3414/// use this field, you must configure an RBAC rule to let cert-manager
3415/// request a token.
3416#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3417pub struct IssuerVaultAuthKubernetesServiceAccountRef {
3418    /// TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
3419    /// consisting of the issuer's namespace and name is always included.
3420    #[serde(default, skip_serializing_if = "Option::is_none")]
3421    pub audiences: Option<Vec<String>>,
3422    /// Name of the ServiceAccount used to request a token.
3423    pub name: String,
3424}
3425
3426/// TokenSecretRef authenticates with Vault by presenting a token.
3427#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3428pub struct IssuerVaultAuthTokenSecretRef {
3429    /// The key of the entry in the Secret resource's `data` field to be used.
3430    /// Some instances of this field may be defaulted, in others it may be
3431    /// required.
3432    #[serde(default, skip_serializing_if = "Option::is_none")]
3433    pub key: Option<String>,
3434    /// Name of the resource being referred to.
3435    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3436    pub name: String,
3437}
3438
3439/// Reference to a Secret containing a bundle of PEM-encoded CAs to use when
3440/// verifying the certificate chain presented by Vault when using HTTPS.
3441/// Mutually exclusive with CABundle.
3442/// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
3443/// the cert-manager controller container is used to validate the TLS connection.
3444/// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
3445#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3446pub struct IssuerVaultCaBundleSecretRef {
3447    /// The key of the entry in the Secret resource's `data` field to be used.
3448    /// Some instances of this field may be defaulted, in others it may be
3449    /// required.
3450    #[serde(default, skip_serializing_if = "Option::is_none")]
3451    pub key: Option<String>,
3452    /// Name of the resource being referred to.
3453    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3454    pub name: String,
3455}
3456
3457/// Reference to a Secret containing a PEM-encoded Client Certificate to use when the
3458/// Vault server requires mTLS.
3459#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3460pub struct IssuerVaultClientCertSecretRef {
3461    /// The key of the entry in the Secret resource's `data` field to be used.
3462    /// Some instances of this field may be defaulted, in others it may be
3463    /// required.
3464    #[serde(default, skip_serializing_if = "Option::is_none")]
3465    pub key: Option<String>,
3466    /// Name of the resource being referred to.
3467    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3468    pub name: String,
3469}
3470
3471/// Reference to a Secret containing a PEM-encoded Client Private Key to use when the
3472/// Vault server requires mTLS.
3473#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3474pub struct IssuerVaultClientKeySecretRef {
3475    /// The key of the entry in the Secret resource's `data` field to be used.
3476    /// Some instances of this field may be defaulted, in others it may be
3477    /// required.
3478    #[serde(default, skip_serializing_if = "Option::is_none")]
3479    pub key: Option<String>,
3480    /// Name of the resource being referred to.
3481    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3482    pub name: String,
3483}
3484
3485/// Venafi configures this issuer to sign certificates using a Venafi TPP
3486/// or Venafi Cloud policy zone.
3487#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3488pub struct IssuerVenafi {
3489    /// Cloud specifies the Venafi cloud configuration settings.
3490    /// Only one of TPP or Cloud may be specified.
3491    #[serde(default, skip_serializing_if = "Option::is_none")]
3492    pub cloud: Option<IssuerVenafiCloud>,
3493    /// TPP specifies Trust Protection Platform configuration settings.
3494    /// Only one of TPP or Cloud may be specified.
3495    #[serde(default, skip_serializing_if = "Option::is_none")]
3496    pub tpp: Option<IssuerVenafiTpp>,
3497    /// Zone is the Venafi Policy Zone to use for this issuer.
3498    /// All requests made to the Venafi platform will be restricted by the named
3499    /// zone policy.
3500    /// This field is required.
3501    pub zone: String,
3502}
3503
3504/// Cloud specifies the Venafi cloud configuration settings.
3505/// Only one of TPP or Cloud may be specified.
3506#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3507pub struct IssuerVenafiCloud {
3508    /// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
3509    #[serde(rename = "apiTokenSecretRef")]
3510    pub api_token_secret_ref: IssuerVenafiCloudApiTokenSecretRef,
3511    /// URL is the base URL for Venafi Cloud.
3512    /// Defaults to "https://api.venafi.cloud/v1".
3513    #[serde(default, skip_serializing_if = "Option::is_none")]
3514    pub url: Option<String>,
3515}
3516
3517/// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
3518#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3519pub struct IssuerVenafiCloudApiTokenSecretRef {
3520    /// The key of the entry in the Secret resource's `data` field to be used.
3521    /// Some instances of this field may be defaulted, in others it may be
3522    /// required.
3523    #[serde(default, skip_serializing_if = "Option::is_none")]
3524    pub key: Option<String>,
3525    /// Name of the resource being referred to.
3526    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3527    pub name: String,
3528}
3529
3530/// TPP specifies Trust Protection Platform configuration settings.
3531/// Only one of TPP or Cloud may be specified.
3532#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3533pub struct IssuerVenafiTpp {
3534    /// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
3535    /// chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
3536    /// If undefined, the certificate bundle in the cert-manager controller container
3537    /// is used to validate the chain.
3538    #[serde(default, skip_serializing_if = "Option::is_none", rename = "caBundle")]
3539    pub ca_bundle: Option<String>,
3540    /// Reference to a Secret containing a base64-encoded bundle of PEM CAs
3541    /// which will be used to validate the certificate chain presented by the TPP server.
3542    /// Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
3543    /// If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
3544    /// the cert-manager controller container is used to validate the TLS connection.
3545    #[serde(
3546        default,
3547        skip_serializing_if = "Option::is_none",
3548        rename = "caBundleSecretRef"
3549    )]
3550    pub ca_bundle_secret_ref: Option<IssuerVenafiTppCaBundleSecretRef>,
3551    /// CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
3552    /// The secret must contain the key 'access-token' for the Access Token Authentication,
3553    /// or two keys, 'username' and 'password' for the API Keys Authentication.
3554    #[serde(rename = "credentialsRef")]
3555    pub credentials_ref: IssuerVenafiTppCredentialsRef,
3556    /// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
3557    /// for example: "https://tpp.example.com/vedsdk".
3558    pub url: String,
3559}
3560
3561/// Reference to a Secret containing a base64-encoded bundle of PEM CAs
3562/// which will be used to validate the certificate chain presented by the TPP server.
3563/// Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
3564/// If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
3565/// the cert-manager controller container is used to validate the TLS connection.
3566#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3567pub struct IssuerVenafiTppCaBundleSecretRef {
3568    /// The key of the entry in the Secret resource's `data` field to be used.
3569    /// Some instances of this field may be defaulted, in others it may be
3570    /// required.
3571    #[serde(default, skip_serializing_if = "Option::is_none")]
3572    pub key: Option<String>,
3573    /// Name of the resource being referred to.
3574    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3575    pub name: String,
3576}
3577
3578/// CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
3579/// The secret must contain the key 'access-token' for the Access Token Authentication,
3580/// or two keys, 'username' and 'password' for the API Keys Authentication.
3581#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3582pub struct IssuerVenafiTppCredentialsRef {
3583    /// Name of the resource being referred to.
3584    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
3585    pub name: String,
3586}
3587
3588/// Status of the Issuer. This is set and managed automatically.
3589#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3590pub struct IssuerStatus {
3591    /// ACME specific status options.
3592    /// This field should only be set if the Issuer is configured to use an ACME
3593    /// server to issue certificates.
3594    #[serde(default, skip_serializing_if = "Option::is_none")]
3595    pub acme: Option<IssuerStatusAcme>,
3596    /// List of status conditions to indicate the status of a CertificateRequest.
3597    /// Known condition types are `Ready`.
3598    #[serde(default, skip_serializing_if = "Option::is_none")]
3599    pub conditions: Option<Vec<Condition>>,
3600}
3601
3602/// ACME specific status options.
3603/// This field should only be set if the Issuer is configured to use an ACME
3604/// server to issue certificates.
3605#[derive(Serialize, Deserialize, Clone, Debug, Default)]
3606pub struct IssuerStatusAcme {
3607    /// LastPrivateKeyHash is a hash of the private key associated with the latest
3608    /// registered ACME account, in order to track changes made to registered account
3609    /// associated with the Issuer
3610    #[serde(
3611        default,
3612        skip_serializing_if = "Option::is_none",
3613        rename = "lastPrivateKeyHash"
3614    )]
3615    pub last_private_key_hash: Option<String>,
3616    /// LastRegisteredEmail is the email associated with the latest registered
3617    /// ACME account, in order to track changes made to registered account
3618    /// associated with the  Issuer
3619    #[serde(
3620        default,
3621        skip_serializing_if = "Option::is_none",
3622        rename = "lastRegisteredEmail"
3623    )]
3624    pub last_registered_email: Option<String>,
3625    /// URI is the unique account identifier, which can also be used to retrieve
3626    /// account details from the CA
3627    #[serde(default, skip_serializing_if = "Option::is_none")]
3628    pub uri: Option<String>,
3629}